Data Classification
The process of categorising data by sensitivity and business value so that appropriate security controls can be applied to each category.
What Is Data Classification?
Data classification is the process of sorting and categorising your data based on its sensitivity, value, and the risk associated with its exposure. Once classified, each category receives appropriate security controls — not everything needs the same level of protection, and over-protecting low-risk data wastes resources while under-protecting high-risk data creates liability.
Why Classification Comes First
You cannot protect data you haven't identified. Organisations that skip data classification often apply security controls inconsistently — protecting some sensitive data while leaving other equally sensitive data exposed. Classification creates the map; security controls follow the map.
Typical Classification Tiers
Public: Information intended for public consumption — marketing materials, press releases, published documentation. Minimal protection required.
Internal: Information for internal use only but not highly sensitive — general business communications, internal policies. Basic access controls apply.
Confidential: Sensitive business information — financial reports, strategic plans, customer lists, employee records. Requires access controls, encryption at rest, and audit logging.
Restricted / Highly Confidential: The most sensitive data — payment card data, health records, authentication credentials and secrets, and special category personal data under GDPR (health, biometric, and similar). Requires strict access controls, encryption in transit and at rest, enhanced monitoring, and documented handling procedures. Credentials in particular should never sit in documents or chat at all; they belong in a secrets manager.
How to Classify Your Data
- Inventory: Identify where data lives — cloud storage, email, databases, laptops, SaaS tools
- Categorise: Assign each data type to a classification tier
- Label: Apply labels in tools like Microsoft Purview or Google Workspace DLP, or manually through file naming conventions; a label only helps if it travels with the data and downstream controls (DLP, sharing rules) key off it
- Control: Apply appropriate access controls, encryption, and retention policies per tier
- Train: Ensure staff know how to handle each tier — especially what not to send over email or Slack
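The inventory, categorise and control steps above can be mechanised for text records. The following is an added example, not tooling from the page or from any product named above: a small classifier that scans a constructed sample inventory, assigns each record the highest tier any detector fires on, and emits the controls that tier requires. The detectors (Luhn-checked card numbers, an AWS access key ID pattern, `password=`-style secrets, a few health keywords, e-mail addresses as a proxy for personal data, an explicit public-release marker) and the tier-to-control mapping are assumptions transcribed from the tier descriptions above; a real deployment would tune them. Records with no evidence default to Internal rather than Public, so an unclassified record fails closed.

```python
"""Toy data classifier: scan an inventory of text records, assign a tier and
list the controls that tier requires. Added example; the detectors and the
tier-to-control mapping are assumptions derived from the tier list above."""
import re

# Tier order matters: a record gets the highest tier any detector fires on.
TIERS = ["public", "internal", "confidential", "restricted"]

# Controls per tier, transcribed from the tier descriptions (hypothetical policy).
CONTROLS = {
    "public": set(),
    "internal": {"access-control"},
    "confidential": {"access-control", "encryption-at-rest", "audit-logging"},
    "restricted": {"access-control", "encryption-at-rest", "encryption-in-transit",
                   "enhanced-monitoring", "documented-handling"},
}

PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, spaces/dashes allowed
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # AWS access key ID format
SECRET_RE = re.compile(r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*\S+")
HEALTH_RE = re.compile(r"(?i)\b(?:patient|diagnosis|prescription)\b")
PUBLIC_RE = re.compile(r"(?i)\bfor immediate release\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check so that arbitrary digit runs (ticket IDs) are not flagged as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def has_card_number(text: str) -> bool:
    return any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in PAN_RE.finditer(text))


# (finding name, tier it implies, predicate over the record text)
DETECTORS = [
    ("payment-card", "restricted", has_card_number),
    ("credential", "restricted", lambda t: bool(AWS_KEY_RE.search(t) or SECRET_RE.search(t))),
    ("health-record", "restricted", lambda t: bool(HEALTH_RE.search(t))),
    ("personal-data", "confidential", lambda t: bool(EMAIL_RE.search(t))),
    ("public-marker", "public", lambda t: bool(PUBLIC_RE.search(t))),
]


def classify(text: str) -> tuple[str, list[str]]:
    """Return (tier, findings). With no evidence the record defaults to 'internal',
    not 'public': an unclassified record should fail closed."""
    findings = [name for name, _, pred in DETECTORS if pred(text)]
    tiers = [tier for name, tier, _ in DETECTORS if name in findings]
    if not tiers:
        return "internal", findings
    return max(tiers, key=TIERS.index), findings


def required_controls(tier: str) -> set[str]:
    return set(CONTROLS[tier])


def classify_inventory(inventory: dict[str, str]) -> dict[str, dict]:
    """Inventory -> {record: {'tier', 'findings', 'controls'}}: the map the controls follow."""
    results = {}
    for name, text in inventory.items():
        tier, findings = classify(text)
        results[name] = {"tier": tier, "findings": findings,
                         "controls": sorted(required_controls(tier))}
    return results


# Constructed sample inventory (not real data). The card number is the well-known
# 4111... test PAN and the key ID is the one AWS uses in its own documentation.
SAMPLE_INVENTORY = {
    "press-release.txt": "ACME launches widget 2.0. For immediate release.",
    "lunch-menu.txt": "Tuesday: tacos. Ticket ref 1234567890123456.",
    "customer-list.csv": "name,email\nAlice,alice@example.com\n",
    "billing-export.csv": "order,card\n1001,4111 1111 1111 1111\n",
    "deploy-notes.md": "Set AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE before running.",
}

if __name__ == "__main__":
    for name, r in classify_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:20} {r['tier']:13} {','.join(r['findings']) or '-':15} {r['controls']}")
```

Note the ticket reference in `lunch-menu.txt`: it is sixteen digits long and matches the card-number pattern, but fails the Luhn check and is therefore left at Internal. Content-based detectors without such validation produce the false positives that make staff ignore labels.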
Data classification is a foundational requirement across the common frameworks: ISO 27001 has an explicit Annex A control for classification of information; GDPR's records-of-processing obligation and SOC 2's confidentiality criteria presuppose that you know which data is personal or confidential; and most cyber insurance questionnaires ask whether sensitive data has been identified and how it is handled.