There is identifying PII data and handling/storing PII data.
Identifying can be done with Purview, Macie, other tools. Those are not free ofc, so if your env is pretty big it can be interesting. Otherwise, you could also do manual checks.
For storing: PII data should not be mixed with other data. Put it in a separate zone, encrypted etc., with strict permissions AND also a solution for data retention.
Delta Lake makes this a lot easier tbh (delete statement).
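
A sketch of the retention delete mentioned above, as an added example that is not part of the original comment. The table `pii_zone.customers`, the columns `created_at` and `customer_id`, and the retention windows are assumptions. It also shows the caveat that matters for PII: a Delta Lake `DELETE` is logical, and the old data files stay on storage until `VACUUM` removes them.

```sql
-- Added example; table, column names and retention periods are hypothetical.

-- How long removed data files are kept before VACUUM may delete them.
-- 7 days is Delta Lake's default; it is set explicitly here so it is visible.
ALTER TABLE pii_zone.customers
SET TBLPROPERTIES ('delta.deletedFileRetentionDuration' = 'interval 7 days');

-- Scheduled retention job: drop rows older than two years.
DELETE FROM pii_zone.customers
WHERE created_at < date_sub(current_date(), 730);

-- Erasure request for a single data subject.
DELETE FROM pii_zone.customers
WHERE customer_id = 'CUST-0001';  -- constructed sample value

-- DELETE only writes new files and marks the old ones as removed in the
-- transaction log. The old Parquet files still contain the PII and can be
-- read through time travel until VACUUM physically removes them.
VACUUM pii_zone.customers RETAIN 168 HOURS;

-- Check that the DELETE and VACUUM operations were recorded.
DESCRIBE HISTORY pii_zone.customers;
```

Until the `VACUUM` has run, anyone with read access to the underlying storage path can still reach the deleted rows, so the strict permissions on the PII zone need to cover the files as well as the table.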