The short answer:
In reality, it comes down to how many layers of security a company needs, and the perception of due diligence. That depends on the business model, and the perceived trust relationship with any players that can touch that model. Some strictly-business-related data may be far more sensitive to that business than personally identifiable data.
Per Webster.com, diligence is "the attention and care legally expected or required of a person (as a party to a contract)".
Security is a heart-warmer for those who desire to feel safe. However, using pseudonyms and such only serves to provide yet more dense information about a person. One cannot hide. That's life.
The world, to the last, runs on trust. When trust is abused long enough it is lost, and the whole world suffers. Measures of security only truly succeed within trust relationships that can be positively identified, which is only possible in a face-to-face world. So how do we accomplish that when much of the digital world is largely transacted impersonally and replicatably in binary sequences?
Every form of digital security currently in place on this earth is still based in privileged information that is negotiated on extremely loose trust principles, preying on the appearance of security, and the laziness of those who might otherwise be tempted to take and improperly use that which does not belong to them.
True security implementations instead are more like signposts that guide most to proper behavior, much like a guard rail on a ship. It does not stop those who desire to leap over. One who blatantly desires to break that trust will, given enough time and effort, succeed... for a time. But then at that point the balance shifts, and the very act blazes markers of identification that trail and haunt the individual indefinitely, growing larger in detail with every misdeed.
The definition of security has turned in perverse ways from being an act to help those who choose to do good and avoid blunder, to that of the nearly impossible feat of keeping those who choose to do ill from so doing. The original intent of security is also the origin of laws and ordinances, to guide one safely on agreed and common ground, leaving all to act as free as possible, as long as those acts do not take away those rights from others without cause.
The blame too has been shifting, from those that do ill to those that fail to prevent or stop the ill-wanton.
So what does this mean to database professionals? Does this mean we ignore security? NO! Of course not. Of necessity we must continue to attempt to plug holes, guard access, obfuscate information both in transit and that which sits idle in the file, on supposed guarded servers, and guide right by preaching information security to the rest of the brigand of process and application from cradle to grave (if a grave even exists for all the data that is collected...).
But sadly, it is like an anchor on humanity that grows heavier with each passing year, keeping us from reaching new and greater horizons in the sea of possibility. Some may argue, "That's job security." For myself, I would rather not give up grand potential for a little immediate security. But the path chosen is a course that humanity plots as a whole. The stall-point is fairly easy to identify: when we spend more time patching holes and locking down hatches than we do in forward movement, or to put it another way, more time spent building and maintaining fences instead of roads, we've passed the stall point, and are taking on water.
To put it into DBA terms, if more DBA work is spent creating and maintaining security, whether by managing user/group access, encryption, storage, and even change controls and any other form of so-called security-related actions, than on refining, tuning, upgrading, advancing reportability, designing better architecture, and feeding the business that life-blood we call data and so on, then the company is either dead or dying, and usually only a buyout saves it at that point.
On an entirely different angle, I don't believe most organizations will ever curtail information gathering actions... having worked within more than one marketing firm, "More! More! More!" is both the battle cry and the sales pitch to clients: it's called targeted marketing. And the information available is overwhelming, beginning from even before the day of birth, to well after one is gone. We can talk about wishing personally identifiable information is kept out, but it will fall on ears that went deaf long ago... circa 1971.