Data Classification

Data classification is the process of categorising data by sensitivity, value and criticality. The purpose is to ensure that each piece of data receives the appropriate level of protection and that employees know how different data types should be handled.

    What is data classification?

    Data classification involves assigning data a level based on how sensitive it is and what damage would result if it were compromised. Without classification, organisations often treat all data equally, which either leads to over-protection (costly and cumbersome) or under-protection (risky).

    Classification underpins a range of other security measures. Access control relies on classification to determine who may see what. DLP solutions use classification to prevent sensitive data from leaving the organisation. And data masking is typically applied to data classified as confidential or strictly confidential.

    Effective classification requires both technical tools and clear policies. Employees must understand what the different levels mean and how to label and handle data in their day-to-day work.

    Classification levels

    Most organisations use three to four levels. Here is a typical model:

    • Public: Data that can be shared externally without risk. Examples: press releases, public price lists, marketing materials.
    • Internal: Data intended only for employees. Examples: internal procedures, organisation charts, meeting minutes.
    • Confidential: Data where unauthorised access could harm the organisation. Examples: customer data, financial reports, contracts.
    • Strictly confidential: Data where compromise could have severe consequences. Examples: sensitive personal data, trade secrets, cryptographic keys.

    Each level should have associated handling rules: who has access, how data is stored, whether encryption is required, and which rules apply to deletion.

    Implementation in practice

    A sound implementation of data classification follows these steps:

    • Define levels and rules: Establish classification levels that match the organisation’s risk profile. Describe handling rules for each level.
    • Map data: Identify where data resides, who owns it and how sensitive it is. This is closely linked to identity management and privileged access management.
    • Label data: Apply labels or tags, either manually or automatically. Automated tools can scan files, databases and emails to suggest classifications.
    • Enforce rules: Use DLP to prevent leakage of classified data. Configure access control based on classification level.
    • Train employees: Security awareness is essential. Employees must understand why classification matters and how to do it correctly.

    Monitor continuously with SIEM systems to detect whether classified data is being handled incorrectly, and adjust policies based on experience.
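    The following is an added example, not code from the original page or from any product it mentions. It turns the four-level model and its handling rules into working logic: a small content-based classifier that labels documents (the "Label data" step), refuses to let a manual label lower a level below what the content implies, and a DLP-style check that enforces the handling rule for a level (the "Enforce rules" step). The classification levels are the page's own; the detection patterns, handling-rule values, action names and sample documents are constructed for illustration and would be replaced by the organisation's actual policy.

```python
import re
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


class Level(IntEnum):
    """The four-level model from the page, ordered so max() picks the stricter level."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    STRICTLY_CONFIDENTIAL = 3


@dataclass(frozen=True)
class HandlingRule:
    """Handling rules attached to a level (values are constructed for illustration)."""
    encrypt_at_rest: bool           # must the data be stored encrypted?
    external_sharing_allowed: bool  # may it leave the organisation?
    retention_days: Optional[int]   # deletion deadline; None means no fixed deadline


# Hypothetical handling rules per level; a real policy is set by the organisation.
HANDLING = {
    Level.PUBLIC: HandlingRule(encrypt_at_rest=False, external_sharing_allowed=True, retention_days=None),
    Level.INTERNAL: HandlingRule(encrypt_at_rest=False, external_sharing_allowed=False, retention_days=None),
    Level.CONFIDENTIAL: HandlingRule(encrypt_at_rest=True, external_sharing_allowed=False, retention_days=1825),
    Level.STRICTLY_CONFIDENTIAL: HandlingRule(encrypt_at_rest=True, external_sharing_allowed=False, retention_days=365),
}

# Constructed content patterns and the minimum level each one implies.
# Order does not matter: the classifier takes the strictest matching level.
PATTERNS: List[Tuple[str, re.Pattern, Level]] = [
    ("private key block", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"), Level.STRICTLY_CONFIDENTIAL),
    ("CPR-style personal number", re.compile(r"\b\d{6}-\d{4}\b"), Level.STRICTLY_CONFIDENTIAL),
    ("customer identifier", re.compile(r"\bcustomer (?:id|number)\b", re.IGNORECASE), Level.CONFIDENTIAL),
    ("contract wording", re.compile(r"\bcontract\b", re.IGNORECASE), Level.CONFIDENTIAL),
    ("internal marker", re.compile(r"\b(?:internal only|meeting minutes)\b", re.IGNORECASE), Level.INTERNAL),
]


def classify(text: str, explicit_label: Optional[Level] = None) -> Tuple[Level, List[str]]:
    """Return the level for a piece of text and the reasons it was raised.

    A manual label may raise the level but never lower it below what the content
    itself implies, so a document containing a personal number stays strictly
    confidential even if someone tagged it 'public'.
    """
    level = Level.PUBLIC
    reasons: List[str] = []
    for name, pattern, min_level in PATTERNS:
        if pattern.search(text):
            reasons.append(f"{name} -> at least {min_level.name}")
            level = max(level, min_level)
    if explicit_label is not None and explicit_label > level:
        reasons.append(f"manual label -> {explicit_label.name}")
        level = explicit_label
    return level, reasons


def is_permitted(level: Level, action: str) -> bool:
    """DLP-style enforcement: check a proposed action against the level's handling rule."""
    rule = HANDLING[level]
    if action == "share_external":
        return rule.external_sharing_allowed
    if action == "store_unencrypted":
        return not rule.encrypt_at_rest
    raise ValueError(f"unknown action: {action}")


# Constructed sample documents standing in for the result of a file-share scan.
SAMPLE_DOCUMENTS = {
    "press_release": "Acme Corp announces its new product line, available from next quarter.",
    "minutes": "Meeting minutes, 3 March. Internal only. Org chart update discussed.",
    "contract": "Framework contract with customer id 4711, annual value DKK 2,000,000.",
    "hr_file": "Employee record. CPR 010190-1234. Medical leave approved.",
    "deploy_key": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEE...\n-----END EC PRIVATE KEY-----",
}


def classify_all(documents: dict) -> dict:
    """Label every document in a scan result with its level."""
    return {name: classify(text)[0] for name, text in documents.items()}


if __name__ == "__main__":
    for name, level in classify_all(SAMPLE_DOCUMENTS).items():
        reasons = classify(SAMPLE_DOCUMENTS[name])[1]
        share = "allowed" if is_permitted(level, "share_external") else "blocked"
        print(f"{name:14} {level.name:22} external sharing {share}; "
              f"{'; '.join(reasons) or 'no sensitive content found'}")
```

    The design point worth noting is the `max()` in `classify`: content-derived levels and manual labels are merged by taking the stricter of the two, which is what keeps a mislabelled HR record from being treated as public. The same pattern list can feed the "Map data" step (run it over a scan result, as `classify_all` does) and the "Enforce rules" step (call `is_permitted` before a document is shared or written to unencrypted storage).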

    Regulations and standards

    GDPR requires organisations to implement appropriate technical and organisational measures based on risk. In practice, data classification is a prerequisite for assessing risk and choosing the right level of protection.

    ISO 27001 treats classification explicitly in Annex A, controls A.5.12–A.5.13, which require a classification policy and associated labelling scheme. It is a central part of any ISMS.

    NIS2 expects essential and important entities to have oversight of their critical data and systems. DORA imposes similar requirements on financial institutions’ data assets. CIS 18 addresses data protection in Control 3, which specifically deals with data protection and classification.

    Frequently Asked Questions about Data Classification

    What are the typical classification levels?

    Most organisations use three to four levels: Public (no risk if shared), Internal (employees only), Confidential (restricted access) and Strictly Confidential (only specifically authorised individuals). Names vary, but the principle is the same.

    Does GDPR require data classification?

    GDPR does not mention data classification directly, but requires appropriate technical and organisational measures based on risk. In practice, data classification is a prerequisite for assessing risk and choosing the right level of protection.

    How do you get started with data classification?

    Start by defining classification levels and associated handling rules. Then map your most important data sources and assign levels. Use technical tools for automated classification, and train employees to label data correctly.

    Can data classification be automated?

    Yes, many DLP tools and data security platforms can automatically scan and classify data based on content, metadata and context. Automation reduces the risk of errors and makes it possible to handle large data volumes.
