For some, the idea of data classification is a bureaucratic checklist handed done by managers and lawmakers of recently. It is one more task to be done. An extreme attitude to be sure but one encountered by data privacy experts continually. Rather than viewing it as such, it needs to be viewed as an essential part of running a successful business. Data classification can then be a business enabler rather than a hindrance it is commonly viewed as.
In a Nutshell
At its simplest, the concept will determine how an enterprise will classify the data it handles daily. Not all data is equal and accessing it, and importantly who accesses it, is of vital importance. Important intellectual property and data of high value will be classified differently from press releases as an example. Due to the importance of the intellectual property access will be restricted, or at least should be, to the fewest possible employees. The opposite of the case for press releases that will be distributed to members of the public. This is a simple working definition of data classification, but one that shows the importance of it.
The above paragraph alluded to an important takeaway in that all the data needs to be classified, this needs to be done by someone with a comprehensive knowledge of the data handled by the enterprise as well as the specific needs of the enterprise. Typically this means executives are often the best placed to drive data classification policies while the IT department more often than not will implement the policy.
There are several resources online as well as companies that specialize in the actual classification of data. The simple method is to place data within high, medium, and low sensitivity classifications. While seeming obvious and will work for smaller enterprises where data ownership is clear cut, often a more comprehensive strategy needs to be developed for larger enterprises. Here again, data can be classified as public, private, and restricted by several factors including content, creator, location, and application need to be considered. This method is often termed as a context approach to classification but other approaches exist including user-defined and content-based classification. The approach chosen will vary from organization to organization and is certainly not a one size fits all scenario.
To conclude, as mentioned above it is also lawmakers that dictate data classification to a certain extent with the signing into law of data privacy laws like GDPR. For some security organizations, these laws have created a lot of business and major market acquisitions are not uncommon for firms wanting a specialized company to bolster data privacy and compliance sectors of the business. Regardless of the market created by these laws for enterprises, this meant that certain types of data received legal protections requiring those handling the data to apply more stringent security measures. This requires a data classification policy that is per these laws. Now, these laws have a strong bearing on how data is classified especially for those wanting to avoid the massive fines non-compliance can bring.