by galkk 719 days ago
You can track them internally (pass through in process/request flow), but have 2 versions of logs: PII and non-PII, and store PII in PII logs, with much stricter access restrictions. This alone considerably mitigates the problem, as often you don't need details like userid to troubleshoot.
1 comments

But how does that help with compliance? You can still very easily identify the data, right?
Isn't deleting the PII associated with a user id sufficient?
Often it is not, because you'll likely be able to correlate.
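
The two-log split described in the top comment, as an added example that is not part of the thread: a Python `logging` setup in which PII travels only in keyword arguments and is written to a separate stream, linked to the general log by a random event id. The function names, field names and sample values are constructed for illustration; in production the PII stream would be a file or sink with its own, stricter access controls.

```python
import io
import json
import logging
import uuid


class GeneralFormatter(logging.Formatter):
    """Widely readable log: message and event id only, never the PII fields."""
    def format(self, record):
        return f"{record.levelname} event={record.event_id} {record.getMessage()}"


class PiiFormatter(logging.Formatter):
    """Restricted log: only the PII fields, keyed by the same event id."""
    def format(self, record):
        return json.dumps({"event": record.event_id, **record.pii}, sort_keys=True)


def build_logger(general_stream, pii_stream):
    # Assumption: pii_stream stands in for a sink with stricter access control.
    logger = logging.getLogger(f"split-{uuid.uuid4().hex}")  # fresh logger per call
    logger.setLevel(logging.INFO)
    logger.propagate = False  # keep records out of the root logger's handlers
    general = logging.StreamHandler(general_stream)
    general.setFormatter(GeneralFormatter())
    pii = logging.StreamHandler(pii_stream)
    pii.setFormatter(PiiFormatter())
    pii.addFilter(lambda record: bool(record.pii))  # skip records without PII
    logger.addHandler(general)
    logger.addHandler(pii)
    return logger


def log_event(logger, message, **pii):
    """Log `message` (which must contain no PII); PII goes in keyword args."""
    event_id = uuid.uuid4().hex[:12]  # random, not derived from the user id
    logger.info(message, extra={"event_id": event_id, "pii": pii})
    return event_id


def demo():
    general_stream, pii_stream = io.StringIO(), io.StringIO()
    logger = build_logger(general_stream, pii_stream)
    eid = log_event(logger, "payment declined: card expired",
                    user_id="u-1001", email="alice@example.com")  # constructed
    log_event(logger, "cache warmed")  # no PII: general log only
    return eid, general_stream.getvalue(), pii_stream.getvalue()
```

Anyone troubleshooting from the general log sees the event id and message; resolving that id to a person requires read access to the PII log.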