Once you have your Roles and Responsibilities resolved and you are all speaking the same language, it’s time to determine the first “actual” deliverable: classifying the data! If there is one thing I have taken away from implementing Data Governance across multiple different industries, it is the need to contextualise the best practices to the company you are in. Failure to do so will feed the narrative that Data Governance is not important. Here are the lessons learned that you could use to help your thinking and implementation.

4 is the right number

Regardless of the industry, having 4 levels to your data classification is the sweet spot. High, Medium, Low and Public is usually the way to think about it. Some classifications to get you started are below:

  • Public: Data that is openly accessible, such as research findings shared with the public.
  • Internal: Non-sensitive operational data used within the organisation.
  • Confidential: Business-sensitive data like contracts or intellectual property.
  • Restricted: Highly sensitive information, such as medical records or financial details.

Once you do have your classification, it’s prudent to have your metadata tags included. This should be part of your overall data governance effort. Identify, classify, tag and catalog!

Standards and Frameworks

As always, it’s important that you contextualise the classification to the country and subsequent industry standard. If none exists, then adopting a global standard can help. Here, I have added 2 standards that you can use to guide your thinking.

  • ISO/IEC 27001: Provides guidelines for managing information security.
  • Australian Privacy Principles (APPs): Mandates classification for protecting personal data.

Steps to Classify Data

At the highest level:

  1. Inventory: Identify all data assets across systems.
  2. Assign Categories: Label data based on sensitivity, value, and regulatory requirements.
  3. Document Policies: Define handling procedures for each classification level.
  4. Train Staff: Ensure all employees understand the classification system.

Step 1 is a massive undertaking, and here it’s important that you prioritise the most important assets you hold. Don’t know which ones to select? That’s easy: what data moves your business forward? That’s the one to target first. There is a whole post on Data Quality (part ranty, part advice, all practical) coming soon.

Tools and Automation

Software like Microsoft Purview and Varonis can automate classification processes, ensuring consistent application across large datasets. As most organisations already use the Microsoft ecosystem, starting with this is a good first step. However, there are various other tools out there that can aid in automatically classifying your data assets.

Data classification is a cornerstone of effective data governance, providing a structured approach to managing information based on its sensitivity, value, and compliance requirements. Proper classification ensures that data is handled appropriately throughout its lifecycle, from creation to disposal.
