The word "data" can be misleading. When we see that word we think of ones and zeroes, bank account numbers, debit card PINs, financial records and software code. Technically speaking, any information stored on any electronic device is data. Data could be how many minutes you like to put on the microwave timer to let you know when your tea is done brewing, it could be the receipt that Amazon sends you when you purchase a Christmas gift for your nephew.
We use the word "data" because we're talking about cyber security, but "information" might be the more accurate term. We're not just concerned that someone is going to steal the code for a program we're developing to compete with Adobe Photoshop, we simply don't want our secrets getting out. That secret could be a bank account password, or it could be the secret recipe to a restaurant's signature barbecue sauce. Sensitive data is more than just a bunch of ones and zeroes.
In other words, we need to think not so much of "sensitive data" as "private information." And this extends beyond data that is stored digitally. Paper-shredders were invented for a reason.
Beyond trade secrets, there are also instances where an information leak might not do any direct harm to your business or to a client or a partner, but it might affect your reputation. An attorney who boasts a little too loudly of all the high-profile clients he's assisted isn't proving himself capable so much as he is proving himself incapable of discretion. Even letting information that isn't-quite-sensitive can be bad news for earning the trust of new clients.
A good rule of thumb is that any information that isn't attached to a press release or already public knowledge should generally be kept to oneself. Of course it's fine if your new assistant manager boasts about his promotion to her friends, but if she starts getting too specific about her new responsibilities, she could be putting client trust at risk.
Sensitive data should include anything and everything that someone involved with your company might not want the public to know about. The Internet is full of armchair detectives with nothing better to do than pore over leaked information for anything they can use. They might not even be malicious, they might be major supporters of your brand who lack the self control not to spoil your next product launch. In short: If you're not already planning to make it public, don't make public.