As expected, the answer depends on various characteristics and goals of the firm asking the question.  A few considerations: 

• Do you know of data that you must protect now?  If you need to protect something specific – such as product design documents, proprietary models, or your customers’ personal information, you may decide to start using DLP to control the use or transmission of that particular data.
• Then, which type of use must you control?  There is email, Web, IM, FTP, moving data to removable media, printing data, and many other methods available to your end users that can result in data misuse and leakage.  To understand what to protect, you need to evaluate these against existing procedures.  If you’ve locked down USB ports, then perhaps you should first protect network-based transmissions or emails at the message server.  If the use of removable media is permissible, consider protecting against saving your high-risk data to them.
• Do you have high-risk users?  These can be executives with insider information, engineers with next-generation product designs, and even outsourced employees.  If so, consider using your DLP solution to focus on controlling their activity first, or at least differently than for other users. 
• Do you need to discover your data risks?  If so, that’s ok – and you’re not alone.  Here, DLP should be used to identify and discover sensitive data across the enterprise.  You must determine what systems to scan – content repositories (such as Microsoft SharePoint), network folders, and/or end-user desktops.  This can depend on how your end-users collaborate. 
• How will you support your DLP system?  If you will control use and transmission straight away, be prepared to handle the activity the system will detect.  This calls for the highest levels of detection accuracy so that your security and compliance resources will be used efficiently. 

Keep in mind – a DLP solution must be able to accommodate expansion beyond your initial deployment.