From a data protection perspective, data can be categorised into different risk classes. The assignment to a risk class determines how worthy the data is of protection and which measures are necessary for processing (storage, access rights, etc.).
We have already looked at this topic in detail: the decisive factor is the type and amount of data to be processed. As a reminder: business e-mail addresses, which may be published on the company's website anyway, are less risky than personal data such as the address, telephone number or date of birth of a training participant, for example.
The following analyses and measures are usually handled by the relevant specialist departments and are the responsibility of the organisation's management throughout the organisation. You should have little to do with the topic in your project. However, a certain sensitivity to the topic does not hurt, as many of the measures must also be taken into account in everyday project work.
There are various approaches to determining the need to protect personal data. The measures are defined in various ISO standards, including ISO 27701 "Security Techniques", which is an extension of ISO 27001 and 27002 and specifies how data protection and information security measures are to be linked.
Germany is quite advanced in this area. With its Standard 200-2, the German Federal Office for Information Security provides a comprehensive methodology for the effective management of information security.
You can find an example of the categorisation here: https://www.sec4you.com/klassifizierung-iso-27001/