data classification benefits types GDPR

Do you need to adhere to the General Data Protection Regulation (GDPR)? As the video below, shows there are a few things you need to establish in order to achieve compliance.

Data classification is an important part of the foundation needed for auditing and reviewing your data as well as establishing an organization wide awareness of GDPR implications and mitigation. What if GDPR is not a concern to your organization? Some would argue that it  is, but regardless, I believe data classification is still a recommended project every organization should complete. Why? Data classification helps to:

Data classification benefits

  • Identify sensitive areas your organization needs to focus on
  • Determine the greatest risks to mitigate for
  • Create a common knowledge within the organization on how specific data should be acquired, maintained, and disseminated
  • Raise end user awareness on data and information security
  • Potentially reduce storage costs by getting rid of redundant and obsolete data
  • Better support information security procedures
  • Enable employees to become more security focused

As Forrester Research once wrote, “security and risk professionals must start from data classification to build their data protection strategy”, because if you don’t know what you have, then you don’t know what to protect and how to protect it.

data classification considerations

Data classification considerations

Classifying your data benefits from a structured approach and needs to take into account the following:

  • Regulatory requirements (GDPR – of course, HIPPA, BASEL, PIPEDA, FIPPA, etc.)
  • Strategic or proprietary worth
  • Organization specific policies
  • Ethical and privacy considerations
  • Contractual agreements

Most organizations classify the data according to its sensitivity level, but according to  Forrester Research’s How Dirty Is Your Data? Strategic Plan: The Customer Trust And Privacy Playbook by Fatemeh Khatibloo May 14, 2018, your data should be evaluated across three dimensions:

  1. Identifiability: how easily can this data be used to identify an individual?
  2. Sensitivity: how much damage could be done if this data reached the wrong hands?
  3.  Scarcity: how readily available is this data?


Based on this, I would argue that data and information can be classified into 3 main groups:

1. Public

Definition: Data and information that may be freely released to the public


  • Information posted on public websites
  • Press releases
  • Research publications
  • Product data sheets
  • Job postings
  • Business contact information


  • Little or no controls are required to protect the confidentiality of public data
  • Minor or no impact of unauthorized data disclosure

2. Sensitive

Definition: Data and information that is not protected by law or industry regulations


  • Financial information
  • Restricted circulation library journals
  • Medical or research information of a non-personal nature
  • Strategic planning documents
  • Emails or documents that do not include confidential data
  • Employee handbooks


  • Most of this data is for internal use only
  • A reasonable level of security controls should be implemented and applied to this data

3. Confidential

Definition: Data and information that is protected by law, industry or government regulation, or confidentiality and contractual agreements from unauthorized access, use or destruction


  • Health record information
  • Biometric data
  • Payment Card Industry information (credit card numbers, names, pins, expiry dates)
  • Personal contact data
  • Customer database
  • Bank account information
  • Student IDs and grades
  • Authentication data


  • Notice will need to be provided to the individual if information is inappropriately accessed
  • Unauthorized access might need to be reported to external bodies such as the government
  • A high level of security controls should be implemented and applied to this data
  • Some organizations choose to split this category into 2: confidential data and top secret data; Top secret data would include things such as trade secrets or government classified information


Examples of data classifications from other organizations


Depending on your industry you might define these classes differently and you might have more groups or even subgroups. What different classes does your organization use? Have you classified your data as a foundation step for ensuring GDPR compliance?

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

About the author 

George Firican

George Firican is the Director of Data Governance and Business Intelligence at the University of British Columbia, which is ranked among the top 20 public universities in the world. His passion for data led him towards award-winning program implementations in the data governance, data quality, and business intelligence fields. Due to his desire for continuous improvement and knowledge sharing, he founded LightsOnData, a website which offers free templates, definitions, best practices, articles and other useful resources to help with data governance and data management questions and challenges. He also has over twelve years of project management and business/technical analysis experience in the higher education, fundraising, software and web development, and e-commerce industries.

You may also like:

Sowmya Kandregula


Data protection during a pandemic

Data protection during a pandemic