Data Classification

Data classification is the systematic process of categorizing organizational information based on sensitivity, business criticality, regulatory requirements, and the potential impact of unauthorized disclosure or loss - without clear classification, organizations treat all data equally (wasting resources by applying maximum controls to trivial data or failing to adequately protect highly sensitive data), face difficulties in prioritizing security investments, and struggle to comply with regulations such as LGPD, GDPR, and PCI-DSS that require the identification and differentiated protection of personal and sensitive data. A typical classification framework uses 4-5 hierarchical levels: Public (information already publicly disclosed or approved for disclosure, with no impact if leaked, examples include press releases, marketing materials, public website content), Internal/Internal Use (information for use within the organization, not intended for an external audience but whose limited disclosure would not cause significant harm, such as internal policies, org charts, operational procedures), Confidential (sensitive information whose unauthorized disclosure may cause moderate financial or reputational harm to the organization, requiring protection through access controls and encryption at rest, examples include strategic plans, pre-release financial data, non-public customer information, proprietary source code), Restricted/Highly Confidential (extremely sensitive information whose exposure would cause severe harm, requiring the maximum level of protection with encryption at rest and in transit, MFA for access, complete audit logging, examples include critical intellectual property, sensitive personal data under LGPD, credit card information under PCI-DSS, health data under HIPAA, trade secrets, cryptographic keys, privileged credentials). Each classification level has associated mandatory controls defining how data must be stored (storage requirements), transmitted (encryption standards), accessed (authentication and authorization requirements), retained (retention periods), and destroyed (secure deletion methods) at the end of its useful life.

Classification and Ownership Process

Effective classification requires establishing clear data ownership where the data owner (typically a business unit manager or process owner) is responsible for determining the appropriate classification based on business context, the potential impact of disclosure, and applicable regulatory requirements - IT can provide guidance and tooling but the final decision rests with the owner who understands the business value and sensitivity of the data. The process begins with data discovery and inventory identifying where data resides (file shares, databases, SharePoint, cloud storage, employee laptops), what types of data exist (PII, financial, health, IP), who creates and uses it, and data flows across systems. The data owner then classifies based on the organization's classification schema, applying labels/tags that can be metadata tags (automated), visual markings (headers/footers on documents), or filesystem attributes. Classification must consider: Aggregation risk where the combination of multiple Low sensitivity data items can create a High sensitivity dataset (a list of names is Public but name + Tax ID + address + income is Confidential), Regulatory requirements that may force a minimum classification (data under LGPD is automatically Confidential at a minimum even if the business considers it Low risk), Contractual obligations such as NDAs that may elevate the classification of third-party data, and Temporal aspects where classification may change over time (financial data is Restricted before an earnings release, becomes Public after disclosure). Reclassification must be allowed when business circumstances change, but downgrading a classification level requires approval and justification documentation for an audit trail.

Technical Controls by Classification Level

Each classification level must have clearly defined mandatory technical controls enforced via policies and technology. For Public data: no special security requirements, can be stored in any location, transmitted via unencrypted email, accessible without authentication. For Internal data: access restricted to employees and authorized contractors via network access controls, storage in corporate file shares or approved cloud storage with access logging, transmission via corporate email (TLS in transit), no encryption at rest required but regular backup mandatory. For Confidential data: access control based on role and need-to-know via an IAM system, encryption at rest using AES-256 for databases and file storage, encryption in transit via TLS 1.2 plus for external transmissions, MFA for remote access, audit logging of all access and modifications with log retention for 1 year minimum, DLP (Data Loss Prevention) policies to prevent unauthorized email or upload, external sharing requires encryption and password protection, encrypted backup with regular restore tests, and a specific retention period followed by secure deletion. For Restricted data: same controls as Confidential plus hardware security modules (HSM) for key management, network segmentation isolating systems with Restricted data, mandatory MFA for all access including internal, enhanced monitoring with real-time alerting of anomalies, external sharing prohibited or extremely limited with legal approval, encryption keys managed separately from encrypted data, background checks for personnel with access, and physical security controls for hardware storing the data. Control enforcement uses a combination of technology (automated encryption, DLP, access controls), policy (acceptable use policies, classification guidelines), and training (employee awareness of proper handling).

Labeling, Tagging and Automated Enforcement

Manual classification where the user selects a classification label for each document is error-prone, inconsistent, and not scalable - automation is essential for effective data classification in modern organizations with terabytes of data created daily. Content-based classification uses pattern matching, regular expressions, and machine learning to automatically classify data based on content: it detects credit card numbers (validating via the Luhn algorithm), Tax ID patterns, email addresses, health record numbers, and keywords indicative of sensitive information, classifying documents containing these patterns as Confidential or higher. Context-based classification considers metadata such as author (documents created by the CFO automatically Confidential), location (everything in the "Board Materials" folder is Confidential), and application (records in the HR database are Confidential because they contain PII). User-based classification prompts users to select a classification when they save a document or send an email, with intelligent defaults based on context and mandatory review before downgrade. Technologies: Microsoft Information Protection (MIP) integrates with Office 365 applying labels that persist with the document (embedded metadata), Azure Information Protection extends to on-prem file shares and cloud storage, Symantec DLP and Forcepoint DLP perform content inspection and classification, Google Cloud DLP API automatically detects and classifies sensitive data in GCP, and Varonis and Netwrix classify legacy file shares via scanning. Labels must trigger automated controls: a document labeled Confidential automatically encrypts when saved, emails with Confidential attachments require confirmation before sending externally, and uploading Restricted data to non-approved cloud storage is blocked. Metadata tagging enables search and discovery of data by classification, facilitating compliance reporting (how many Confidential documents do we have, where are they), data minimization (delete Confidential data after the retention period), and incident response (if an S3 bucket leaks, quickly identify the impact based on the classification of the data).

Data Lifecycle and Retention

Data has a lifecycle from creation to eventual destruction, and classification informs the appropriate controls at each stage of that lifecycle. Creation: classification must be determined at the moment of creation (via user prompt, automatic detection, or inherited from a template/source), with controls applied immediately. Storage: data must reside in approved storage locations based on classification (Restricted only in an on-prem data center with physical security, Confidential allows approved cloud providers with encryption, Internal can use any corporate storage), with encryption, backup, and access controls matching the classification level. Use/Processing: access during use requires appropriate authentication/authorization, logging of who accessed when, and DLP prevention of unauthorized sharing or exfiltration. Sharing: external sharing policies based on classification (Public freely shareable, Internal only via secure methods with NDAs, Confidential extremely restricted with legal approval, Restricted never or only via secure data rooms), and internal sharing via the need-to-know principle. Archival: data not actively used but retained for compliance or business needs moves to lower-cost archive storage while maintaining the same security controls, with a retention schedule defined by classification and regulatory requirements (LGPD, SOX, tax laws). Destruction: at the end of the retention period or when the business need ends, secure deletion methods based on classification (Public simple delete, Confidential overwrite with random data or crypto-shredding via key destruction, Restricted physical destruction of media via a certified shredder with a certificate of destruction). Implement automated retention policies in SharePoint, Google Drive, and file shares that automatically delete or archive data after the retention period expires, with legal hold capability to suspend deletion during litigation.