What Is Data Classification?
Data classification is the process of organizing structured and unstructured data into predefined categories that represent different types of data.
Data classification helps you understand the type and location of organizational data. This enables risk management, compliance and legal discovery, and lets you apply appropriate security measures to data according to its sensitivity. Data classification also improves user productivity and decision-making.
Another important impact of data classification is cost reduction—classifying data reduces storage costs by identifying duplicate data that can be deleted, or moving low-importance or infrequently accessed data to lower cost storage tiers.
Data Classification Examples by Type of Data
Public data classification means that when information is stored or used, it can be published and shared without confidentiality controls. Public data still needs integrity and availability protection: a tampered press release is a security incident even though its content was never secret.
Common examples of public data include: first and last names, company names, dates of birth, job descriptions, the content of press releases, and license plate numbers. Note that several of these (names, dates of birth, license plate numbers) count as personal data under privacy laws such as the GDPR, so whether a given attribute is truly public depends on context and jurisdiction; the same field can be public in one record and confidential in another.
Private data is not intended for the public, but does not require high security. Nevertheless, it is prudent to protect private data from public access to protect its integrity, and prevent malicious parties from making use of it in combination with other data. Sharing, destroying or modifying private data carries some risk to the organization or individual.
Common examples of private data include: personal contact information such as phone numbers, text from messaging applications like Slack or WhatsApp, employee ID numbers, research data, recordings of non-sensitive conversations.
Internal data is information used internally by an organization, which requires some protection. Unintended exposure of this data can have a detrimental effect on a company.
Examples of internal data include: company catalogs, employee handbooks, business plans, a corporate intranet, email messages, and URLs and IP addresses of internal systems.
Confidential data requires protection to ensure it remains within the organization. There may be legal restrictions for handling this data and disclosure could result in legal or financial penalties and harm business operations and reputation.
Examples of confidential data include: company data such as contracts or marketing plans, and sensitive personal information such as ID card and Social Security numbers, credit card information (e.g., account data, card numbers, PINs), medical records and insurance provider information, biometric identifiers, financial records, and employee certification and license numbers.
Restricted data is highly sensitive information that requires strict controls to ensure need-to-know access. Exposure of this data both within and outside of the organization could result in significant legal or financial consequences to the organization.
Examples of restricted data include: information covered by a confidentiality agreement, intellectual property (IP) and trade secrets, personally identifiable information (PII), protected health information (PHI), tax-related data, and cardholder data.
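In practice these categories are applied by scanning records for the data types listed above and assigning each record the strictest level found. The following is an added example, not code from the original article or from Satori: a small Python classifier with regex detectors for four of the data types mentioned (US Social Security numbers, payment card numbers, internal IP addresses, phone numbers). The mapping from data type to level is an assumption drawn from the examples in the text (cardholder data to restricted, SSNs to confidential, internal IPs to internal, phone numbers to private) and would be fixed by policy in a real deployment. The sample records are constructed for the demo. Card candidates are Luhn-validated so that an arbitrary 16-digit order reference is not mislabelled as cardholder data, and a record with no detector hit defaults to internal rather than public, because the absence of a match is not evidence that data is safe to publish.

```python
import re
from enum import IntEnum


class Level(IntEnum):
    """Sensitivity levels, ordered so that max() picks the strictest one."""
    PUBLIC = 0
    PRIVATE = 1
    INTERNAL = 2
    CONFIDENTIAL = 3
    RESTRICTED = 4


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Detectors: (label, pattern, level, optional validator).
# The level per data type is an assumption based on the article's examples;
# a real classification policy states these mappings explicitly.
DETECTORS = [
    ("us_ssn",
     re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
     Level.CONFIDENTIAL, None),
    ("payment_card",  # 16 digits in groups of four, or 13-19 unbroken digits
     re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b|\b\d{13,19}\b"),
     Level.RESTRICTED, lambda s: luhn_ok(re.sub(r"\D", "", s))),
    ("internal_ipv4",  # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
     re.compile(r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))(?:\.\d{1,3}){2}\b"),
     Level.INTERNAL, None),
    ("phone_number",
     re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
     Level.PRIVATE, None),
]


def classify(record: str, default: Level = Level.INTERNAL):
    """Return (strictest level found, [(label, matched text), ...]) for one record.

    `default` is the level for a record with no hits. It is deliberately not
    PUBLIC: a scanner that finds nothing has not proven the data is publishable.
    """
    findings = []
    for label, pattern, level, validator in DETECTORS:
        for m in pattern.finditer(record):
            text = m.group(0)
            if validator is None or validator(text):
                findings.append((label, text, level))
    top = max((lvl for _, _, lvl in findings), default=default)
    return top, [(label, text) for label, text, _ in findings]


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    "Press release draft: Acme opens a new office in Austin.",
    "Call the candidate at 555-867-5309 to schedule.",
    "Deploy to 10.20.30.40, then update 192.168.1.12.",
    "Applicant SSN 078-05-1120 attached to the file.",
    "Card on file: 4111 1111 1111 1111, exp 12/29.",
    "Order ref 1234 5678 1234 5678 is not a card.",
    "SSN 078-05-1120, card 4111111111111111 on the same form.",
]


def scan(records):
    """Classify every record; returns [(level name, [labels]), ...]."""
    out = []
    for rec in records:
        level, hits = classify(rec)
        out.append((level.name, [label for label, _ in hits]))
    return out


if __name__ == "__main__":
    for rec, (level, labels) in zip(SAMPLE_RECORDS, scan(SAMPLE_RECORDS)):
        print(f"{level:<12} {labels!s:<36} {rec}")
```

The "Order ref" line shows why the validator matters: it matches the card pattern but fails the Luhn check, so it is not escalated to restricted. The last record shows the "strictest level wins" rule, which is what makes a single classification label per record meaningful when a file mixes data types.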
Related content: Read our guide to data classification types
Data Classification Policy Examples
Organizations use data classification policies to organize their stored data according to sensitivity levels. These policies provide a comprehensive plan to ensure the correct handling of data and minimize risk—they identify sensitive data and establish a framework for protecting it, including the rules, procedures, and processes required for each category.
Organizations must identify the various types of data they hold, determine the value of all information, evaluate the risks associated with the data, and establish guidelines for handling each type of data to reduce and mitigate threats. They can then ensure the appropriate level of protection for each data class. Data classification policies also help organizations avoid wasting resources to protect non-sensitive data that doesn’t carry significant risk.
Related content: Read our guide to data classification policy
Here are two examples of companies benefiting from a data classification policy:
Example 1: Company acquisition
When a large enterprise acquires a smaller company, the smaller company enters a short due diligence period in which it must demonstrate its value and viability. The company under review must list all its assets and liabilities, and the acquiring company can then assess how well the company it is acquiring manages risk.
A clear data classification policy ensures that employees can easily access all the information they need and understand how data is classified and stored. An efficient data classification system makes it easier to locate important data and helps reduce risks and liability, increasing the company’s value and enabling a smooth acquisition.
Example 2: Healthcare company
If a company holds confidential patient data, it must comply with HIPAA security standards. Regulation authorities may request evidence of compliance and assess the company’s data protection processes.
A data classification policy enables the company to demonstrate how it classifies personal patient information (i.e., as sensitive) and provides the highest level of security for this data. The staff file all evidence according to the classification policy, making it easily accessible for regulators and auditors. Authorities can view this evidence proving the company takes data security seriously, protecting the company from the reputational damage and legal or financial penalties resulting from non-compliance with HIPAA.
Data Classification with Satori
Satori provides a different approach to data classification. With Satori, data is continuously discovered and classified, instead of performing ad-hoc scans.