Enabling Privacy Compliance through Information Classification

With the introduction of the new generation of privacy and data protection laws, including our GDPR, classifying personal data as a step towards compliance is essential. The requirement to be proactive is not unique to the GDPR; it also appears in other privacy frameworks around the world, such as the CBPR for the APEC countries.

So we now have our newly introduced information classification policy and privacy classification policy, but how do we put them into practice? Article 30 of the GDPR states clearly that a record of processing activities must be kept up to date at all times. As an organization you should know exactly which personal information you handle, where it is kept and which risks are associated with it before deciding what steps to take. Those steps are in turn bound by the restrictions the GDPR imposes on us: data minimization, use limitation, disclosure limitation, openness, accountability, data subject rights and many more.

This is where information classification comes in. Information is classified according to the level of harm that its unauthorized disclosure could cause the organization. Each level of classification requires an appropriate level of security controls and privacy objectives to ensure the availability, confidentiality, integrity and trustworthiness of our information assets.

The best way to apply the correct information classification controls is for the author of the information to classify it, because the way the information is handled, moved and stored within the organization depends on its classification.

The international standard ISO/IEC 27001 defines procedures for labeling and classifying information, also known as protective marking. These markings tell the people who handle the information how sensitive it is. Four levels of classification have been defined here, but more levels may be used depending on the information classification policy in force within your organization.

Thus, in order to achieve the so-called GDPR compliance, information classification serves:

  • To ensure appropriate control of confidential and sensitive information, as stipulated in the Art. 5 principles relating to the processing of personal data.
  • To classify or label information with visual and metadata tags that highlight any handling requirements.
  • To educate users about the sensitivity of information and the information classification policy in place.
  • To enable information to be quickly searched, stored and retrieved based on its metadata and classification.
  • To orchestrate automated information retention and archiving.

The sheer volume of structured and, above all, unstructured information within our organization makes it practically impossible to rely on those processes and people alone. A system that automates identification, management, control and the enforcement of rules and policies therefore needs to be put in place.
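To make the ideas above concrete, here is an added example (not code from the original article or from any product it refers to) of how protective markings can be carried as metadata tags and then used to enforce handling rules, drive automated archiving and support search by classification. The four level names, the handling rules, the retention periods, the personal-data detectors and the sample documents are all constructed for this example; an organization would substitute the levels and rules from its own information classification policy. The automatic detection only proposes a level; as the article says, the author remains the one who classifies the information.

```python
import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import IntEnum


# Four classification levels, least to most sensitive. The names are an
# assumption for this example; the article mentions four levels but does not name them.
class Classification(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Handling rules per level (constructed values): whether a document may leave the
# organization and how many days it is retained before automated archiving.
HANDLING = {
    Classification.PUBLIC:       {"external_share": True,  "retention_days": 3650},
    Classification.INTERNAL:     {"external_share": False, "retention_days": 1825},
    Classification.CONFIDENTIAL: {"external_share": False, "retention_days": 730},
    Classification.RESTRICTED:   {"external_share": False, "retention_days": 365},
}

# Simple detectors for personal data in unstructured text (constructed patterns;
# a real deployment would use the organization's own, more thorough detectors).
PERSONAL_DATA_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}


@dataclass
class Document:
    doc_id: str
    author: str
    created: date
    text: str
    # The metadata tags carry the protective marking so that tools can search on it
    # and enforce it without re-reading the content.
    tags: dict = field(default_factory=dict)


def detect_personal_data(text: str) -> set:
    """Return the kinds of personal data found in the text."""
    return {kind for kind, pattern in PERSONAL_DATA_PATTERNS.items() if pattern.search(text)}


def suggest_classification(doc: Document) -> Classification:
    """Propose a level from the content; the author confirms it or raises it."""
    kinds = detect_personal_data(doc.text)
    if "iban" in kinds:
        return Classification.RESTRICTED
    if "email" in kinds:
        return Classification.CONFIDENTIAL
    return Classification.INTERNAL


def apply_marking(doc: Document, level: Classification, labeled_by: str) -> Document:
    """Record the protective marking as metadata and as a visual header line."""
    archive_after = doc.created + timedelta(days=HANDLING[level]["retention_days"])
    doc.tags.update({
        "classification": level.name,
        "labeled_by": labeled_by,
        "personal_data": sorted(detect_personal_data(doc.text)),
        "archive_after": archive_after.isoformat(),
    })
    doc.text = f"[{level.name}]\n" + doc.text
    return doc


def may_share_externally(doc: Document) -> bool:
    """Enforce the handling rule attached to the document's marking."""
    level = Classification[doc.tags["classification"]]
    return HANDLING[level]["external_share"]


def due_for_archive(doc: Document, today: date) -> bool:
    """Automated retention: true once the retention period has elapsed."""
    return date.fromisoformat(doc.tags["archive_after"]) <= today


def search_by_classification(docs, level: Classification) -> list:
    """Retrieve documents by their metadata tag rather than by reading content."""
    return [d.doc_id for d in docs if d.tags.get("classification") == level.name]


def build_sample_corpus() -> list:
    """Constructed sample documents, labeled by their (fictional) authors."""
    docs = [
        Document("D1", "alice", date(2024, 1, 1), "Payroll: transfer to GB82WEST12345698765432"),
        Document("D2", "bob", date(2024, 1, 1), "Contact the customer at jane.doe@example.com"),
        Document("D3", "carol", date(2024, 1, 1), "Quarterly cafeteria menu"),
    ]
    for d in docs:
        apply_marking(d, suggest_classification(d), labeled_by=d.author)
    return docs


if __name__ == "__main__":
    for d in build_sample_corpus():
        print(d.doc_id, d.tags["classification"], "share:", may_share_externally(d),
              "archive after:", d.tags["archive_after"])
```

Because the marking lives in the metadata, the same tag drives all three uses the article lists: the visual header informs the user, the enforcement check reads the tag rather than the content, and the archiving job only needs to compare dates.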