4 min read


In today’s digital age, data protection is not only a legal obligation but a crucial activity for organizational security, continuity, and ultimately profitability. Entities are collecting greater volumes of data every day, which makes organizing and protecting it an increasingly complex task.

In addition, new risks are also emerging from the cloud-first adoption model, where data is being migrated to the cloud, processed and stored; this requires proper classification. Before adopting the cloud, data classification is a crucial step that should be implemented in order to understand the criticality and ownership of data and protect it accordingly. Moreover, complying with cloud and privacy regulatory requirements is key to ensure that organizational data, especially personal information of data subjects, are governed and secured according to their classification levels.

Due to the growing importance of data, it is key for organizations to establish new roles that were not traditionally part of their business model, such as data owners, custodians, collectors, and processors.

Key regulations and compliance frameworks seek to handle and secure sharing of sensitive data, such as personally identifiable information (PII), protected health information (PHI) and financial data, among others.

The General Data Protection Regulation (GDPR) has been the most discussed among existing frameworks. In addition to the GDPR, other standards present solutions and mitigation plans to tackle risks and implications for organizations. For example, the UAE Federal Law no. 2 of 2019 concerns the healthcare sector and the protection of PHIs. Moreover, Abu Dhabi Data Management Standards (ADDMS) oversee the government sector and Abu Dhabi Global Market (ADGM) Data Protection Regulations oversees the financial sector in Abu Dhabi.

How can organizations mitigate this growing risk? The most important step is data classification. 

What is data classification?

Data classification is the practice of recognizing the appropriate level of security and privacy protection to be applied on data types or data sets. This process also includes identifying the degree to which it can be shared internally and externally.

If data is not classified correctly, prioritizing and identifying the right protection plan is nearly impossible. 

data classification

How should one approach data classification?

Step 1: Scope identification

  1. Understand the organizational structure, including the departments that collect, store and process personal and sensitive information.
  2. Use a top-down approach where each department head identifies (a) data steward(s) whose main responsibility is to act as a guide throughout the project. The data steward will assist in identifying the departments’ processes and the data involved.
  3. Prioritize departments based on the qualitative and quantitative nature of the data they tend to collect, store and process based on input from the data stewards.