
What IS Sensitive Data Anyway?

Sensitive data should be protected from corruption, tampering and disclosure.
See this Confidentiality, Integrity and Availability guideline from Mozilla for more.

1. Personally Identifiable Information (PII)

⚠️ GDPR requires you to “protect PII”, and failing to do so might have legal and financial consequences. See more here and here.

Sensitive personally identifiable information (PII) is data that can be traced back
to an individual and that, if disclosed, could result in harm to that person.
Such information includes biometric data, medical information, personally
identifiable financial information (PIFI) and unique identifiers such as
passport or Social Security numbers.

Threats include not only crimes such as identity theft but also disclosure of personal information that the individual would prefer remained private. Sensitive PII should be encrypted both in transit and at rest.

See a more thorough definition here.

2. Application Protection Mechanisms

This includes, but is not limited to, passwords, encryption keys, key phrases and everything else that the security mechanisms of the app are based on.

That includes data that is used to trace malicious behaviour and exploits.

3. Other sensitive data

Any data whose loss, alteration or exposure will cause financial, technical or reputational loss to either the company or the end user.
