Monitoring is the wrong approach. Flat denial of privilege is the correct one. Why go to the pain and expense of tracking access, storing the data, and having to analyze the data, when least privilege means you don't have to buy disk drives (or SANs) just to store logs on the off chance somebody is being a dick? If somebody doesn't have the right to view the data, why did you give them access? If they have access (and why would co-workers have access to personal information anyway?), then it's not unusual access and thus not worthy of logging or alerting anyone anyway. This is yet another example of gathering data that shouldn't be gathered. Far better to lock the door ahead of time than to stumble across the problem accidentally and then comb terabytes of log data to see who else was a creep.
I hope that no serious data controller would ever permit monitoring of access to private data to be dropped. When some data has clearly gotten out to someone who shouldn't have it, it didn't get out by magic - someone read it and delivered it to where it should never have gone. That clearly wasn't someone who was flatly denied the privilege of access to the data, and the only way of finding out how it escaped is to have monitored all access and, for the particular data that has escaped, to require that the accessor explain why he accessed that specific data (and if only one person has accessed the leaked data, even if he had a good reason to access it, he is clearly the guilty party). That definitely requires monitoring. End of story - without monitoring, you (as a data controller) CANNOT POSSIBLY do the things that you are required to do under the current personal data protection regulations. Nor can you reasonably claim to be attempting to do so. Big nasty fine - not just for the leak, but a bigger one for the decision not even to bother to try to ensure that your staff either conform to the regulations or get caught.
Perhaps you hadn't realised that someone who has access to the data is supposed to go to it only when necessary, not arbitrarily access it every day? If so, please don't try to help anyone conform to current EU (and most of the rest of the world) regulations until you've understood it properly - until then you can only leave them paddleless up the creek.
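The two positions in the thread are not actually exclusive, and a small worked example makes that concrete. The code below is an added illustration, not code posted by any commenter: a toy record store that denies access by role up front (the first commenter's flat denial) and still writes one log line per attempt, allowed or refused, so that when a record turns up where it shouldn't, the controller can list who read it and ask each for a justification (the second commenter's leak triage). The role matrix, user names, record ids, purposes and log lines are all constructed for the example.

```python
from __future__ import annotations
import json
from datetime import datetime, timezone
from typing import Optional

# Hypothetical role matrix (an assumption for this example): the only roles
# that may open a customer record at all. Everyone else is flatly denied.
ALLOWED_ROLES = {"support_agent", "billing", "dpo"}


class PersonalDataStore:
    """Toy record store: denies by role, and writes one JSON log line per
    attempt (allowed or denied) so a leak can later be traced to its readers."""

    def __init__(self, records: dict[str, dict]):
        self.records = records
        self.log: list[str] = []  # JSON lines, as they would be shipped to a SIEM

    def read(self, user: str, role: str, record_id: str, purpose: str,
             now: Optional[datetime] = None) -> dict:
        now = now or datetime.now(timezone.utc)
        allowed = role in ALLOWED_ROLES and record_id in self.records
        self.log.append(json.dumps({
            "ts": now.isoformat(),
            "user": user,
            "role": role,
            "record": record_id,
            "purpose": purpose,          # the accessor's stated reason, recorded up front
            "result": "allow" if allowed else "deny",
        }))
        if not allowed:
            # A refused attempt is exactly the "unusual access" worth alerting
            # on, and one line per refusal costs far less than a full read log.
            raise PermissionError(f"{user} ({role}) may not read {record_id}")
        return self.records[record_id]


def accessors_of(log_lines: list[str], record_id: str) -> dict[str, list[str]]:
    """Map every user who successfully read record_id to the purposes they gave."""
    seen: dict[str, list[str]] = {}
    for line in log_lines:
        ev = json.loads(line)
        if ev["record"] == record_id and ev["result"] == "allow":
            seen.setdefault(ev["user"], []).append(ev["purpose"])
    return seen


def triage_leak(log_lines: list[str], record_id: str) -> dict:
    """Who must explain their access to a leaked record.

    Exactly one successful reader: the log alone names the source.
    Several: each is asked to justify the stated purpose.
    None: the data left by a path this log does not cover (export, backup,
    direct database access), so the log cannot answer the question.
    """
    events = [json.loads(line) for line in log_lines if json.loads(line)["record"] == record_id]
    who = accessors_of(log_lines, record_id)
    return {
        "record": record_id,
        "accessors": sorted(who),
        "sole_accessor": next(iter(who)) if len(who) == 1 else None,
        "denied_attempts": [ev["user"] for ev in events if ev["result"] == "deny"],
    }


def demo() -> dict[str, dict]:
    """Constructed scenario; returns the triage result for each record."""
    store = PersonalDataStore({
        "cust-1001": {"name": "A. Example", "email": "a@example.invalid"},
        "cust-1002": {"name": "B. Example", "email": "b@example.invalid"},
    })
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    store.read("alice", "support_agent", "cust-1001", "ticket 4512", t0)
    try:
        store.read("bob", "marketing", "cust-1001", "campaign list", t0)
    except PermissionError:
        pass  # denied, but the attempt is now on record
    store.read("carol", "billing", "cust-1002", "invoice 88", t0)
    store.read("dave", "dpo", "cust-1002", "subject access request", t0)
    return {rid: triage_leak(store.log, rid) for rid in ("cust-1001", "cust-1002")}


if __name__ == "__main__":
    for rid, result in demo().items():
        print(json.dumps(result, indent=2))
```

In the constructed run, cust-1001 has a single successful reader (alice) and one refused attempt (bob, marketing), so a leak of that record points at one person to question; cust-1002 was read by two permitted roles, so both are asked to justify the purpose they recorded at the time. Requiring the purpose at read time, rather than asking for it after a leak, is what makes the second step workable.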