Kickstarting Data Classification

Data Governance begins with understanding the landscape of the data you collect: what it is, and how much privacy risk it presents.

Classification is a critical first step. Start with these three steps to drive a successful data classification process.

Step 1: Collaborate & Define

Get input from teams like Legal, Data Science, and Engineering

Working with your cross-functional stakeholders, ask the following FOUR questions about each type of data that is, or might be, collected and stored:

1. What kind of data is this, and how much are we collecting?
2. Why do we need it?
3. What does it tell us about our customers and our business?
4. What would happen if this data were mishandled?

Data generally falls into one of three categories:

Data about individuals: Poses a privacy risk to specific people who would be harmed if the data were compromised

Data about things: Information that is often “mission critical,” like products, designs, etc.

Data in aggregate: Data that has been transformed to reduce privacy risk, like aggregating users based on zip code instead of storing their information uniquely

Step 2: Draft

Create an initial draft data classification based on the regulatory context from Legal and the real-world utilization from Engineering and Product stakeholders

Generally, data can be categorized into four tiers based on risk to privacy, in ascending order of privacy risk:

Public, Internal, Confidential, Restricted

Step 3: Iterate

Open the draft for key stakeholder input, including alignment and disagreement. Continue to iterate on your data classification and process as you learn more about how your organization does (and should) collect, store, and process data.

Running an objective, multi-stakeholder, cross-functional data classification process that balances needs with risk will yield a hierarchical data classification system that drives strategic decisions around privacy protections.