Get the scoop on data classification and GDPR before you’re too late

Do you need to adhere to the General Data Protection Regulation (GDPR)? As the video below shows, there are a few things you need to establish in order to achieve compliance.

Data classification is an important part of the foundation needed for auditing and reviewing your data, as well as for establishing an organization-wide awareness of GDPR implications and mitigation. What if GDPR is not a concern to your organization? Some would argue that it is, but regardless, I believe data classification is still a recommended project every organization should complete. Why? Data classification helps to:

Data classification benefits

  • Identify sensitive areas your organization needs to focus on
  • Determine the greatest risks to mitigate
  • Create a common knowledge within the organization on how specific data should be acquired, maintained, and disseminated
  • Raise end user awareness on data and information security
  • Potentially reduce storage costs by getting rid of redundant and obsolete data
  • Better support information security procedures
  • Enable employees to become more security focused

As Forrester Research once wrote, “security and risk professionals must start from data classification to build their data protection strategy”, because if you don’t know what you have, then you don’t know what to protect and how to protect it.

Data classification considerations

Classifying your data benefits from a structured approach and needs to take into account the following:

  • Regulatory requirements (GDPR, of course, plus HIPAA, Basel, PIPA, FIPPA, etc.)
  • Strategic or proprietary worth
  • Organization specific policies
  • Ethical and privacy considerations
  • Contractual agreements

Most organizations classify their data according to its sensitivity level, but according to Forrester Research’s report “How Dirty Is Your Data?” (Strategic Plan: The Customer Trust And Privacy Playbook, Fatemeh Khatibloo, May 14, 208), your data should be evaluated across three dimensions:

  1. Identifiability: how easily can this data be used to identify an individual?
  2. Sensitivity: how much damage could be done if this data reached the wrong hands?
  3. Scarcity: how readily available is this data?

Based on this, I would argue that data and information can be classified into 3 main groups:

1. Public

Definition: Data and information that may be freely released to the public

Examples:

  • Information posted on public websites
  • Press releases
  • Research publications
  • Product data sheets
  • Job postings
  • Business contact information

Considerations:

  • Little or no controls are required to protect the confidentiality of public data
  • Minor or no impact of unauthorized data disclosure

2. Sensitive

Definition: Data and information that is not protected by law or industry regulations

Examples:

  • Financial information
  • Restricted circulation library journals
  • Medical or research information of a non-personal nature
  • Strategic planning documents
  • Emails or documents that do not include confidential data
  • Employee handbooks

Considerations:

  • Most of this data is for internal use only
  • A reasonable level of security controls should be implemented and applied to this data

3. Confidential

Definition: Data and information that is protected by law, industry or government regulation, or confidentiality and contractual agreements from unauthorized access, use or destruction

Examples:

  • Health record information
  • Biometric data
  • Payment Card Industry information (credit card numbers, names, PINs, expiry dates)
  • Personal contact data
  • Customer database
  • Bank account information
  • Student IDs and grades
  • Authentication data

Considerations:

  • Notice will need to be provided to the individual if information is inappropriately accessed
  • Unauthorized access might need to be reported to external bodies such as the government
  • A high level of security controls should be implemented and applied to this data
  • Some organizations choose to split this category into two: confidential data and top secret data. Top secret data would include things such as trade secrets or government classified information

Examples of data classifications from other organizations

Depending on your industry, you might define these classes differently, and you might have more groups or even subgroups. What different classes does your organization use? Have you classified your data as a foundation step for ensuring GDPR compliance?