First of all, you need to evaluate which employees have direct or potential access to the server database. If some of them should not have access to the sensitive data listed above, then Data Protection must be enabled. Please also note that the data can be physically read from the HDD/SSD on which it is stored, so it is necessary to consider the possibility of both software and physical access to the data. In some cases, for example if the web application and the database server are running on the same physical server, and that server can be accessed by a limited number of trusted people, Data Protection can be omitted.