How are companies identifying PHI/PII data they have within their Information System? How can we enable Data Owners to be aware of the Data they own is PHI/PII?

We are exploring best practices and tools or applications for securing and protecting PII data storage and archiving needs across the enterprise. We use MS Teams daily for meetings and collaboration and need to develop best practices in this regard. What are other organizations using as a solution?

In certain respects, the predominance of PHI/PII in my space: healthcare, simplifies our approach, as we treat nearly all the information we handle with a high level of confidentiality and security. However, there are indeed nuanced data elements, such as zip codes, that may oscillate between being classified as either PHI or not dependent on population size and what is being analyzed.

Consequently, we enforce stringent security protocols, restricting access on an individual basis to ensure the utmost protection of sensitive information. Additionally, we maintain and routinely review comprehensive data dictionaries, alongside enforcing stringent access restrictions and meticulously auditing access logs, to uphold the integrity and confidentiality of the data we manage.

We created data catalogs where we identify all PII pieces of data on our systems.

For identification , we check our database and any storage schemas to identify the PII data and we have rbac implemented where only super Admin can view all PII data. 

We don't restrict other users too. We capture user paper trail if someone tries to access PII data