Data Classification
What is Data Classification?
Data Classification: The process of labeling data by sensitivity and value so that the right protection, handling, and retention controls can be applied consistently.
Data classification assigns labels (for example public, internal, confidential, restricted) to information based on regulatory requirements, business impact, and contractual obligations. Classifications drive downstream controls such as encryption, access management, DLP rules, retention schedules, and incident-response severity. Programs typically combine an authoritative policy, a labeling taxonomy, training, and tooling that supports user-driven, automated, or hybrid tagging in Microsoft 365, Google Workspace, or data platforms. Effective classification is anchored in a data inventory and a record of processing activities aligned to GDPR Article 30, ISO/IEC 27001 Annex A.5.12 and NIST SP 800-60, ensuring sensitive data is identified, tracked, and protected throughout its lifecycle.
● Examples
- 01 Tagging a contract as "Confidential — Legal" so that DLP blocks external sharing without approval.
- 02 Auto-classifying files containing health data as "Restricted" in a cloud storage bucket.
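The two examples above as an added sketch of hybrid tagging (not code from the original page or from any vendor product): a user-applied label is kept unless automated content rules find something more sensitive, and the resulting label drives the external-sharing decision. The detection patterns, the control table, the default label and all function names are assumptions for illustration.

```python
import re
from enum import IntEnum

class Label(IntEnum):          # taxonomy from the definition, ordered by sensitivity
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3

# Assumed content rules (illustrative patterns, not a vendor rule set).
RULES = [
    (Label.RESTRICTED, re.compile(r"\b(diagnosis|patient id|ICD-10)\b", re.I)),
    (Label.CONFIDENTIAL, re.compile(r"\b(non-disclosure|indemnif\w+|governing law)\b", re.I)),
    (Label.INTERNAL, re.compile(r"\binternal use only\b", re.I)),
]

# Assumed mapping from label to downstream controls.
CONTROLS = {
    Label.PUBLIC: {"encrypt": False, "external_share": "allow"},
    Label.INTERNAL: {"encrypt": False, "external_share": "approval"},
    Label.CONFIDENTIAL: {"encrypt": True, "external_share": "approval"},
    Label.RESTRICTED: {"encrypt": True, "external_share": "block"},
}

def classify(text, user_label=None):
    """Hybrid tagging: take the higher of the user label and the automated match.

    Automation may raise a user's label but never lowers it. Content with no
    label and no rule match defaults to INTERNAL rather than PUBLIC.
    """
    matched = [label for label, rx in RULES if rx.search(text)]
    auto = max(matched) if matched else None
    candidates = [lbl for lbl in (user_label, auto) if lbl is not None]
    return max(candidates) if candidates else Label.INTERNAL

def may_share_externally(label, approved=False):
    """DLP decision derived from the label's control entry."""
    policy = CONTROLS[label]["external_share"]
    return policy == "allow" or (policy == "approval" and approved)

# Constructed sample documents.
CONTRACT = "This non-disclosure agreement is subject to the governing law of the parties."
HEALTH = "Patient ID 00123, diagnosis: asthma"
MEMO = "Lunch menu for Friday"

if __name__ == "__main__":
    for name, doc, user in [("contract", CONTRACT, None), ("health", HEALTH, Label.PUBLIC), ("memo", MEMO, None)]:
        lbl = classify(doc, user)
        print(name, lbl.name, CONTROLS[lbl], "share:", may_share_externally(lbl))
```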
● Frequently asked questions
What is Data Classification?
The process of labeling data by sensitivity and value so that the right protection, handling, and retention controls can be applied consistently. It belongs to the Privacy & Data Protection category of cybersecurity.
How do you implement Data Classification?
Implementing Data Classification typically combines technical controls and operational practices, as detailed in the full definition above.
What are other names for Data Classification?
Common alternative names include: Information Classification, Data Labeling.
● Related terms
- privacy, № 818
Personally Identifiable Information (PII)
Any data that can identify a specific individual on its own or when combined with other information, such as names, identifiers, or biometric records.
- privacy, № 278
Data Loss Prevention (DLP)
A set of technologies and policies that detect and block unauthorized exfiltration of sensitive data across endpoints, networks, email, and cloud services.
- privacy, № 280
Data Minimization
A privacy principle requiring organizations to collect, process, and retain only the personal data that is strictly necessary for a defined, lawful purpose.
- privacy, № 284
Data Retention
The policies and controls that define how long different categories of data are kept and when they are securely deleted, archived, or anonymized.
- privacy, № 279
Data Masking
Replacing sensitive data with realistic but fictitious values so that downstream users, applications, or environments can use the data without exposing the originals.
- compliance, № 440
GDPR
The European Union's General Data Protection Regulation governing the processing of personal data of individuals in the EU and EEA.
● See also
- № 856 Privacy by Design
- № 857 Privacy Impact Assessment (PIA)
- № 283 Data Residency
- № 285 Data Sovereignty
- № 210 Consent Management
- № 717 Need-to-Know Principle