In today's digital age, data protection is not only a legal obligation but a crucial activity for organizational security, continuity and, ultimately, profitability. Organizations collect greater volumes of data every day, which makes organizing and protecting it an increasingly complex task.
New risks also emerge from the cloud-first adoption model, in which data is migrated to, processed in and stored in the cloud. Before data is moved to the cloud, it should be classified so that its criticality and ownership are understood and it can be protected accordingly. Complying with cloud and privacy regulatory requirements is also key to ensuring that organizational data, especially the personal information of data subjects, is governed and secured according to its classification level.
Due to the growing importance of data, it is key for organizations to establish new roles that were not traditionally part of their business model, such as data owners, custodians, collectors, and processors.
Key regulations and compliance frameworks govern the handling and sharing of sensitive data, such as personally identifiable information (PII), protected health information (PHI) and financial data, among others.
The General Data Protection Regulation (GDPR) has been the most discussed of these frameworks. Other standards also prescribe controls and mitigation plans for the risks organizations face. For example, UAE Federal Law No. 2 of 2019 concerns the healthcare sector and the protection of PHI. The Abu Dhabi Data Management Standards (ADDMS) cover the government sector, and the Abu Dhabi Global Market (ADGM) Data Protection Regulations cover the financial sector in Abu Dhabi.
How can organizations mitigate this growing risk? The most important step is data classification.
What is data classification?
Data classification is the practice of determining the appropriate level of security and privacy protection to be applied to a data type or data set. The process also includes identifying the degree to which the data can be shared internally and externally.
If data is not classified correctly, prioritizing and identifying the right protection plan is nearly impossible.
How should one approach data classification?
Step 1: Scope identification
- Understand the organizational structure, including the departments that collect, store and process personal and sensitive information.
- Use a top-down approach in which each department head identifies one or more data stewards whose main responsibility is to act as a guide throughout the project. The data steward assists in identifying the department's processes and the data involved.
- Prioritize departments, with input from the data stewards, based on the volume and sensitivity of the data they collect, store and process.
Step 2: Framework development
- Identify all data protection/data classification laws and regulations that are applicable to the region(s) and jurisdiction(s) in scope.
- Define the organization's data classification scheme. Classification levels vary by organization. For example, an organization may use four levels, e.g. restricted, confidential, internal and public, in order to distinguish highly confidential data from merely confidential data.
- Develop the organization’s data governance structure and set clear roles and responsibilities for everyone across the organization.
- Develop data classification and labeling policies and procedures.
Step 3: Data inventory creation
A data processing register is an inventory of all the data that is collected, stored and processed by each department. Data may be in electronic or hard-copy form and can be either structured or unstructured. Structured data is stored in a predefined, typically relational, format, such as the databases behind business applications. Unstructured data has no such format, such as documents or written communications, and may be spread across numerous workstations.
The data processing register contains fields such as business name, data type, data owner, classification level, business impact parameters, keywords, authorized storage location, etc.
(Optional) Step 4: Data flow diagram creation
A data flow diagram shows how data moves between departments, applications, systems and databases across the organization and to external entities. It should identify the data involved, together with its actors, flows and locations.
A standard data flow diagram uses four elements: processes, external entities, data stores and data flows.
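The following is an added example, not part of the original article, showing how the outputs of Steps 2 to 4 can be tied together: the four-level scheme from Step 2 is encoded as an ordered list, the register from Step 3 as records with owner, classification and authorized storage location, and the flows from Step 4 as source/destination pairs. The audit then flags register gaps (unclassified data, no owner) and flow violations (data sent to an audience above its permitted level, or landing in an unauthorized location). The per-audience ceilings, the asset and flow entries and all names are constructed assumptions for illustration.

```python
"""Data classification register and flow audit (added example; all entries,
names and the audience ceilings below are constructed assumptions)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Step 2 scheme, least to most sensitive. The index is the sensitivity rank.
LEVELS = ["public", "internal", "confidential", "restricted"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Assumed handling rule: the most sensitive level each audience may receive.
MAX_LEVEL_FOR_AUDIENCE = {
    "external": "public",
    "partner": "confidential",   # e.g. under contract / NDA (assumption)
    "internal": "restricted",
}


@dataclass
class DataAsset:
    """One row of the data processing register (Step 3)."""
    name: str
    data_type: str
    owner: Optional[str]
    classification: Optional[str]
    authorized_locations: Set[str] = field(default_factory=set)


@dataclass
class DataFlow:
    """One edge of the data flow diagram (Step 4)."""
    asset: str
    source: str
    destination: str
    audience: str    # internal / partner / external
    location: str    # where the data lands


def register_gaps(register: List[DataAsset]) -> List[str]:
    """Assets that cannot be protected yet because the register is incomplete."""
    findings = []
    for a in register:
        if a.classification not in RANK:
            findings.append(f"{a.name}: unclassified or unknown level {a.classification!r}")
        if not a.owner:
            findings.append(f"{a.name}: no data owner assigned")
        if not a.authorized_locations:
            findings.append(f"{a.name}: no authorized storage location")
    return findings


def check_flow(assets: Dict[str, DataAsset], flow: DataFlow) -> List[str]:
    """Compare one flow against the asset's classification and storage rules."""
    asset = assets.get(flow.asset)
    route = f"{flow.source}->{flow.destination}"
    if asset is None:
        return [f"{flow.asset}: not in register, flow {route} cannot be assessed"]
    if asset.classification not in RANK:
        return [f"{flow.asset}: unclassified, flow {route} cannot be assessed"]
    findings = []
    ceiling = MAX_LEVEL_FOR_AUDIENCE.get(flow.audience)
    if ceiling is None:
        findings.append(f"{flow.asset}: unknown audience {flow.audience!r} on {route}")
    elif RANK[asset.classification] > RANK[ceiling]:
        findings.append(f"{flow.asset}: {asset.classification} data sent to "
                        f"{flow.audience} recipient {flow.destination} (max {ceiling})")
    if flow.location not in asset.authorized_locations:
        findings.append(f"{flow.asset}: stored at unauthorized location {flow.location!r}")
    return findings


def audit(register: List[DataAsset], flows: List[DataFlow]) -> Dict[str, List[str]]:
    assets = {a.name: a for a in register}
    return {
        "register_gaps": register_gaps(register),
        "flow_violations": [f for fl in flows for f in check_flow(assets, fl)],
    }


# Constructed sample register and flows (not real data).
SAMPLE_REGISTER = [
    DataAsset("Patient records", "PHI", "Head of Clinical Services", "restricted", {"emr-db"}),
    DataAsset("Customer contact details", "PII", "Head of Sales", "confidential", {"crm"}),
    DataAsset("Employee directory", "PII", None, "internal", {"intranet"}),
    DataAsset("Product brochure", "marketing", "Head of Marketing", "public", {"website"}),
    DataAsset("Support tickets", "PII", "Head of Support", None, {"helpdesk"}),
]
SAMPLE_FLOWS = [
    DataFlow("Patient records", "Clinical", "analytics-vendor", "external", "vendor-cloud"),
    DataFlow("Customer contact details", "Sales", "crm-partner", "partner", "crm"),
    DataFlow("Product brochure", "Marketing", "public-web", "external", "website"),
    DataFlow("Support tickets", "Support", "ticketing-saas", "external", "helpdesk"),
]

if __name__ == "__main__":
    for section, items in audit(SAMPLE_REGISTER, SAMPLE_FLOWS).items():
        print(section)
        for line in items:
            print("  -", line)
```

On the sample data the audit reports two register gaps (the employee directory has no owner and the support tickets are unclassified) and three flow violations: the patient records flow to the external analytics vendor breaks both the audience ceiling and the authorized-location rule, and the support tickets flow cannot be assessed at all because the asset was never classified. That last case is the practical meaning of the earlier remark that without correct classification the right protection plan cannot be identified: the tooling has nothing to enforce.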
Data classification is one of the key factors in data protection and data privacy. Open communication and collaboration between information technology, information security and business units are essential to get the most value from it. Proper implementation supports the correct deployment of technologies such as data loss prevention, classification and cloud access security broker tools, since each of these enforces rules that depend on labels being present and accurate. It also increases the likelihood that security spending is directed where it brings the greatest benefit and leads to future cost optimization. Customers, in turn, are more likely to trust the organization to collect, store and process their data when data classification and protection programs are visibly enforced.