Organizations starting an encryption project always have this question on their minds. It is a simple question, but can be hard to answer. Generally speaking, you should encrypt any information that alone, or when combined with other information, can identify a unique, individual person. This is called Personally Identifying Information, or PII. This should be your starting point, but you may need to address other information depending on the compliance regulations you must meet.
Read the white paper, What Data Needs to be Encrypted in MongoDB? to find out more about:
• Compliance regulations that require encryption (PCI DSS, GDPR, HIPAA, etc.)
• What types of data are considered private information
• What information needs to be encrypted