Data classification policy: What it is and how to do it

Data classification is key to efficient storage, security and compliance. In this podcast Vigitrust’s Mathieu Gorge talks about the fundamentals of a data classification policy.

Data classification is a key concept that underlies efficient data retention, storage and the ability to meet the requirements of legal and regulatory compliance.

In this podcast, bureau chief Antony Adshead talks with the CEO of Vigitrust, Mathieu Gorge, about how a data classification policy can improve the storage of data and the key steps to go through when embarking on a data classification project.

What is data classification, and how can a data classification policy help create a more efficient storage and backup regime?

Gorge: Data classification is how you take data that is being used within your organisation and how you organise that data so that the right people have access to the right data at the right time. So, there are aspects of operational efficiency, aspects of security and also aspects of basic classification.

In fact, an independent survey produced by Ipsos Reid found that 35% of small-business owners do not understand the protocols for storing and disposing of confidential data. What that means is that … they don’t really classify their data.

So, you might want to classify your data from a user-based perspective, from a security-based perspective or from an operations perspective, and the way you do this is by ensuring the right data is accessible by the right people at the right time.

What are the key steps in creating a data classification policy?

Gorge: The best thing to do is to start from a high level and to draw up ecosystem diagrams, [which] are diagrams that map out the different silos and business units within your organisation and within the wider enterprise. Once you’ve done that, you can map the data flow within each of the silos and each of the actors of your ecosystem.

So, logically from that comes a data classification, which basically takes every … type of data -- pertaining to customers, data pertaining to users, data pertaining to suppliers, etc -- and at that stage you can classify that data and apply the right levels of protection, the right levels of storage and the right levels of access.

So, again, it can be done from a security perspective, looking at the confidentiality, the integrity or the availability of the data. It could be based on where the data might reside, [within your own network, within the extended network]. Is it on a private cloud, a hybrid or public cloud, or is it on a device owned by an employee but managed by the enterprise?

And so, once you map all of this out, you can make an efficient strategy that is cost effective from the storage perspective but also very efficient from a security perspective.

There are other considerations to keep in mind, namely, legal considerations. For instance, from an e-discovery perspective or if you have to respond to a data subject access request, you really need to make sure your data is classified and that you can access that data very quickly, [which] might mean going back through your backups.

So, data classification is really at the heart of any data management strategy.
