What practices do groups adopt to ensure their systems are consistent with requirements for private and/or personally identifiable data?
Stanford has very clear risk classifications for data:
https://uit.stanford.edu/guide/riskclassifications
And then “MinSec” (Minimum Security) standards required for each level.
https://uit.stanford.edu/guide/securitystandards
So - for the most part it’s determining the risk classification, and then following the standard. If there is some new data type it might go to a board / IRB for discussion of what constitutes anonymized. But it’s hard, because at the end of the day it’s still a group of people with various checklists, with some help from automated checking tools, if applicable. There is a nice little portal with all the guides if you are interested: