I would advise seeking information in relation to the DPA for your country.
Use of normalized databases in this instance is an essential MUST have. This helps obfuscate the stored data; the program you write should be able to reconstruct the dataset from the available tables.
Some of the data I deal with is, or rather falls into, what is referred to as 'sensitive material', and this type of data can be anything from medical records, personnel data, phone calls (recorded), internal faxes, emails and other elements. So you should be aware that the DPA also encompasses elements within the real world like documents.
Some types of documents have to be stored (on average) for Seven Years; in the other department I work in, most of the documentation I handle has to be stored for 15 years for legal reasons.
So you SHOULD get acquainted with (at the very least) the basics of what your legal requirements are in relation to data, storage, reproduction and use within the real and virtual realms.
DPA is not just about storage of data in databases on computers / servers.
I forgot to add that the data backups we do on electronic documents and databases have to be stored in a safe...