The quick answer:
Protect the PII by both ensuring integrity (sign, HMAC, etc.) and confidentiality (encrypt). I don't know your architecture in detail, so I'll assume asymmetric isn't buying you anything here (more on that below). Use something like AES 128/256 GCM, or add an HMAC along with something like AES-CBC, etc. Make sure to generate a random IV, all the usuals.
Only protect what needs to be protected (why incur the performance hit to protect data that doesn't matter?).
The more:
I'm assuming you think the data in transit is safe (message-level protection and/or TLS/SSL, etc., to get it there) and you truly are focusing on data at rest.
Key Management:
Whether it be a symmetric key or the private key for asymmetric, you need to properly manage it. That super secret key material shouldn't be exposed anywhere but where it truly is needed. Really spend some time following the data and the key material and see if it makes sense. Consider threat modeling.
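Added example, not part of the original answer: field-level AES-256-GCM with a fresh random IV per value, encrypting only the PII fields and binding each ciphertext to its record and field through the AAD. It uses Node.js's built-in `crypto` module; the record layout, the `PII_FIELDS` list and the function names are hypothetical, and the key is generated in place only for the demo.

```javascript
const nodeCrypto = require('node:crypto');

// Hypothetical schema: only these fields are PII; everything else stays in the clear.
const PII_FIELDS = ['ssn', 'email'];

// AAD binds a ciphertext to its record and field so it cannot be moved elsewhere.
const aadFor = (recordId, field) => Buffer.from(JSON.stringify([recordId, field]), 'utf8');

function encryptField(key, recordId, field, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // fresh random 96-bit IV for every encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aadFor(recordId, field));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Stored form: base64(iv || 16-byte tag || ciphertext)
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

function decryptField(key, recordId, field, stored) {
  const raw = Buffer.from(stored, 'base64');
  if (raw.length < 28) throw new Error('stored value too short');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12),
    { authTagLength: 16 });
  decipher.setAAD(aadFor(recordId, field));
  decipher.setAuthTag(raw.subarray(12, 28));
  // final() throws if the key, IV, tag, ciphertext or AAD does not match.
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

function protectRecord(key, record) {
  const out = { ...record };
  for (const f of PII_FIELDS) {
    if (f in out) out[f] = encryptField(key, record.id, f, String(out[f]));
  }
  return out;
}

function demo() {
  // Demo only: a real key is loaded from a KMS or secret store, never generated inline.
  const key = nodeCrypto.randomBytes(32);
  // Constructed sample record.
  const record = { id: 'u-1001', plan: 'basic', ssn: '000-00-0000', email: 'pat@example.test' };
  const stored = protectRecord(key, record);
  console.log(stored);
  console.log(decryptField(key, record.id, 'ssn', stored.ssn));
}
demo();
```

Because decryption fails on any mismatch, a stored value copied into another field or another record is rejected rather than silently decrypted.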