Complying with data protection regulation is often considered a tedious task as they are generalized regulations that are applicable across domains. They guide acceptable behavior, rather than defining rules that impose specific conditions for a particular domain. Domain-specific context-oriented data categories that are to be protected in the domain of implementation need to be discovered for implementing data protection. We propose a human-centric approach to elicit such data categories causing privacy concerns to stakeholders in an educational institution. We conducted a study to understand the privacy concerns of the stakeholders related to different data categories to be protected. Using a combination of surveys and in-depth interviews of the different stakeholders, we were able to gain insights into the privacy and data protection requirements that need to be incorporated into the associated information system design.