What Is GDPR Data Classification?

April 18, 2025

In 2019, First American Financial Corp. was found to be exposing roughly 885 million title and escrow documents, including Social Security numbers, bank account numbers, and driver's license images, through a website that returned any document to anyone who changed the record number in the URL. Some of the exposed records dated back to 2003. The worst part? Nobody had identified those documents as sensitive and locked access down accordingly. That is exactly the kind of failure that data classification, paired with access controls, is meant to prevent, and it is the failure GDPR's data classification expectations are designed to catch.

What Is Data Classification in GDPR?


The purpose of GDPR data classification is to help your organization identify what types of data you process, why you process it, how long you store it, and who can access it. The classification process sorts records into categories, usually by sensitivity level or by processing purpose. GDPR does not prescribe a particular schema, but its requirement for "appropriate technical and organisational measures" (Article 32) presupposes that you know what personal data you hold and how sensitive it is. In practice, that means defining a classification schema, applying it consistently, and tying stronger security controls to the more sensitive levels.

Common Types of Business Data

It’s easy to underestimate just how much data your company handles regularly:

  • Personal data (often called PII in US frameworks): Any data that can reasonably be used to identify someone, directly or in combination with other data, including names, addresses, phone numbers, and online identifiers such as IP addresses
  • Employee data: Names, national ID or social security numbers, bank account details, and employment records of your staff
  • Customer information: Payment card numbers, shipping addresses, purchase histories, account numbers, and login credentials
  • Company records: Internal memos, financial records, bank account statements, tax documents, legal records, contracts, etc.
  • Trade secrets: Proprietary data, research and development projects, confidential emails, client lists, etc.

GDPR isn't the only compliance framework with rules on data classification. HIPAA dictates how covered entities and their business associates handle protected health information, PCI DSS requires any organization that stores, processes, or transmits cardholder data to safeguard it, and NIST SP 800-171 sets strict requirements for protecting controlled unclassified information.

Data Sensitivity Categories

Large organizations generally use four sensitivity levels, ordered from least to most sensitive. Each record inherits the highest level of any field it contains:

  1. Public (Low Risk): Data that is already publicly available is not sensitive and doesn't require any special protection. Examples include blog articles, website content, and company contact information.
  2. Private (Moderate Risk): Your company's private data is for employee use only, such as training manuals and everyday emails or memos. This data needs basic access control, but a leak has limited repercussions.
  3. Confidential (High Risk): Contracts, financial records, purchase orders, invoices, and client emails have a direct impact on your operations and on the people named in them. Only authorized employees and departments should have access to these records, and access should be logged.
  4. Restricted (Highest Risk): Data whose exposure would severely damage your operations or the data subjects must receive the strongest controls against cyberattacks, unauthorized access, and accidental loss: encryption at rest and in transit, need-to-know access, and monitoring. Examples include trade secrets, user passwords and other credentials, administrator account details, and GDPR special-category data.

Classifying data by sensitivity lets you attach controls (encryption, access restrictions, retention limits, monitoring) to a level rather than to each individual record, and it reduces the risk of employees unknowingly storing confidential information in poorly protected locations such as shared drives or ticketing systems.

What Are the GDPR Data Classification Categories?

While GDPR does not mandate a specific classification policy, it requires organizations to protect personal data appropriately based on its sensitivity and the risk to the people it describes. GDPR itself distinguishes the following kinds of data, and your schema needs to reflect them.

Personal Data


Under GDPR (Article 4(1)), personal data is any information relating to an identified or identifiable natural person. Direct identifiers include names, ID numbers, telephone numbers, payment card numbers, and anything else that points to one specific person. Indirect identifiers, such as location data, an online identifier, or a combination of attributes like job title plus employer plus city, count too if they can be linked back to a person with reasonable effort.

Even a bare Amazon or Netflix account number is personal data for those companies and for any advertising partners that receive it: with a few clicks, the individual's real name and payment information are available to whoever holds the account database.

Special Categories of Personal Data

Your business must take extra precautions with especially sensitive types of data. Article 9 of the GDPR prohibits processing the following special categories of personal data unless one of the specific exceptions in Article 9(2) applies (for example, the data subject's explicit consent):

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (e.g., fingerprints, iris scans, facial recognition templates) when processed to uniquely identify a person
  • Health data
  • Sex life or sexual orientation

Health data is the special category most businesses run into. Processing it is not banned outright: Article 9(2) allows it, among other cases, with the data subject's explicit consent, or when a healthcare professional bound by professional secrecy processes it for diagnosis, treatment, or the management of health services. Whichever exception you rely on, document it, because being a health insurer or clinic is not by itself a legal basis.

Anonymous Data

GDPR doesn't apply to truly anonymous data (Recital 26). A total count of visitors to your site or of shoppers in your store is anonymous and needs no consent, provided the way you collect it never stores an identifier such as an IP address, cookie ID, or face image that could be tied back to a person.

Some organizations (researchers, especially) take the time to completely anonymize data. They strip out personal identifiers and keep only group-level results (e.g., "25% of the men surveyed chose product B"), with groups large enough that no individual can be singled out from the aggregate.

Pseudonymized Data

Some businesses replace identifiers with pseudonyms for privacy reasons. For example, instead of storing a customer's name as "Richard White," the company could store "Client34120094" and keep the mapping in a separate, tightly controlled table. Tokenization and encryption of identifier fields are further forms of pseudonymization, since the additional information needed to reverse them (the token vault or the key) is held separately.

This process is good for cybersecurity, and GDPR explicitly encourages it (Articles 25 and 32), but it doesn't eliminate GDPR requirements. Why? If your company still holds the "key" (the mapping table, the token vault, or the decryption key), the real personal data is still recoverable, so the pseudonymized dataset is still personal data under Recital 26. Only when every link back to the person is gone, for everyone, does the data become anonymous.
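The following is an added example, not code from the original article or from Compyl, illustrating the difference between the two previous sections: an aggregation that yields anonymous statistics, a keyed pseudonymization (HMAC-SHA256 over the email address with a secret key) that keeps rows linkable, and a re-identification function showing what the key holder can still do. The survey records, names, and email addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records; the people and addresses are invented for this example.
SURVEY = [
    {"name": "Richard White", "email": "richard.white@example.com", "gender": "male", "choice": "B"},
    {"name": "Ana Lopez", "email": "ana.lopez@example.com", "gender": "female", "choice": "A"},
    {"name": "Tom Brown", "email": "tom.brown@example.com", "gender": "male", "choice": "A"},
    {"name": "Sam Green", "email": "sam.green@example.com", "gender": "male", "choice": "A"},
    {"name": "Mei Chen", "email": "mei.chen@example.com", "gender": "female", "choice": "B"},
]

DIRECT_IDENTIFIERS = ("name", "email")
TOKEN_LEN = 12  # hex chars kept from the HMAC; plenty for a few thousand customers


def anonymise(records):
    """Reduce the records to group percentages only ("33% of men chose B").
    No output row maps back to a person, so the result is outside GDPR."""
    counts = Counter((r["gender"], r["choice"]) for r in records)
    totals = Counter(r["gender"] for r in records)
    return {f"{g} chose {c}": round(100 * n / totals[g]) for (g, c), n in counts.items()}


def _token(email, key):
    # Keyed hash: same email + same key -> same token; without the key nobody can recompute it.
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:TOKEN_LEN]


def pseudonymise(records, key):
    """Replace direct identifiers with a keyed token. Rows stay linkable across
    tables for the key holder, so the output is still personal data under GDPR."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        row["client_id"] = "Client" + _token(r["email"], key)
        out.append(row)
    return out


def reidentify(pseudo_rows, candidate_emails, key):
    """What whoever holds the key can still do: recompute the token for each
    plausible email and match it against the pseudonymised rows."""
    lookup = {_token(e, key): e for e in candidate_emails}
    return {row["client_id"]: lookup.get(row["client_id"][len("Client"):]) for row in pseudo_rows}


def unkeyed_pseudonym(email):
    """Anti-pattern: a plain SHA-256 of the email. Anyone with a list of candidate
    emails can recompute it, so it is obscurity rather than protection."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()[:TOKEN_LEN]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: stored separately from the data, e.g. in a KMS
    print(anonymise(SURVEY))
    rows = pseudonymise(SURVEY, key)
    print(rows[0])
    print(reidentify(rows, [r["email"] for r in SURVEY], key))
```

The key, not the pseudonymised table, is what keeps the data personal: `reidentify` succeeds only with the same key, and a plain unkeyed hash (the last function) is reversible by anyone who can guess or list the inputs.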

How Can Your Business Comply With GDPR Data Classification Requirements?

Data classification plays an integral role in GDPR compliance.

1. Information Audit

Before you can properly protect personal data, you need to know what data you have and where it's located, including the copies that have drifted into support tickets, spreadsheets, backups, and log files. This requires a thorough assessment of all company records and systems. Automation tools such as Compyl are a huge help in streamlining the process.

2. Data Protection Impact Assessment

To accurately categorize personal data by sensitivity, carry out a risk assessment of your processing. Where processing is likely to result in a high risk to individuals, Article 35 makes a formal Data Protection Impact Assessment mandatory. In either form, the assessment identifies which types of data would cause the most harm to data subjects if exposed and which systems holding that data are most vulnerable to attack.

3. Classification


At this point, your organization is ready to classify its data. Create "buckets" for low-risk, medium-risk, and high-risk data, and treat a record as belonging to the highest-risk bucket of any field it contains. Any GDPR special category of personal data must always go in the high-risk classification and receive additional security controls; a single unclassified field should default to at least medium risk rather than public.

4. Additional Classifications

Once you have your data sensitivity categories in place, organize the data into other "buckets" based on your processing and GDPR compliance needs. For example, indexing personal data by data subject across all of your systems makes it possible to answer a subject access request (Article 15) or an erasure request (Article 17) completely and within the one-month deadline that Article 12 sets.

5. Records of Processing Activities

Data classification is an ongoing process. Article 30 requires most organizations to maintain accurate records of their processing activities and to make them available to the supervisory authority on request. For every category of personal data, keep track of who processes it, what it contains, where it is stored, how long it is retained, and why (the purpose and legal basis), and update the record whenever a system or a data flow changes.
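The five steps above, carried through end to end as an added example (not Compyl's product or code from the original article): a small classifier applies a hypothetical field policy and content patterns to records pulled from several constructed systems, forces special-category fields into the restricted bucket, builds a per-subject index for access and erasure requests, and summarizes what each system holds for the processing record. The systems, field names, policy, and people are all invented for illustration.

```python
import re
from collections import defaultdict

# Sensitivity levels from least to most sensitive; a record inherits the highest level of any field.
LEVELS = ["public", "private", "confidential", "restricted"]

# Hypothetical classification policy: field name -> level.
FIELD_POLICY = {
    "product_page": "public",
    "internal_memo": "private",
    "name": "confidential",
    "email": "confidential",
    "shipping_address": "confidential",
    "card_number": "restricted",
    "health_condition": "restricted",
    "union_member": "restricted",
}
# GDPR Article 9 special categories always land in the restricted bucket.
SPECIAL_CATEGORY_FIELDS = {"health_condition", "union_member", "ethnic_origin", "religion", "biometric_template"}

# Content patterns catch personal data that was pasted into a field nobody classified
# (free-text notes are where it usually hides). Both patterns are deliberately rough.
CONTENT_PATTERNS = {
    "confidential": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),        # email address
    "restricted": re.compile(r"\b(?:\d[ -]?){15,16}\b"),           # payment-card-shaped number
}

# Constructed inventory: system name -> rows. All people are invented.
SYSTEMS = {
    "crm": [
        {"name": "Richard White", "email": "richard.white@example.com", "shipping_address": "1 High St"},
        {"name": "Ana Lopez", "email": "ana.lopez@example.com", "shipping_address": "2 Low St"},
    ],
    "support_tickets": [
        {"email": "richard.white@example.com", "note": "refund to card 4111 1111 1111 1111 please"},
    ],
    "hr": [{"name": "Mei Chen", "email": "mei.chen@example.com", "union_member": True}],
    "website": [{"product_page": "Our spring catalogue"}],
}


def classify_field(name, value):
    """Level for one field: policy lookup, special-category override, then content scan."""
    if name in SPECIAL_CATEGORY_FIELDS:
        return "restricted"
    level = FIELD_POLICY.get(name, "private")  # unknown fields default to private, never public
    for pattern_level, pattern in CONTENT_PATTERNS.items():
        if isinstance(value, str) and pattern.search(value):
            level = max(level, pattern_level, key=LEVELS.index)
    return level


def classify_record(record):
    """Return (overall level, per-field levels); the record takes its most sensitive field's level."""
    per_field = {k: classify_field(k, v) for k, v in record.items()}
    return max(per_field.values(), key=LEVELS.index), per_field


def build_subject_index(systems):
    """Map each data subject (keyed on email here) to every (system, row) holding their data."""
    index = defaultdict(list)
    for system, rows in systems.items():
        for i, row in enumerate(rows):
            if "email" in row:
                index[row["email"].strip().lower()].append((system, i))
    return index


def erase_subject(systems, email):
    """Article 17 erasure: drop every row held for the subject and report which systems were touched."""
    target = email.strip().lower()
    touched = []
    for system, rows in systems.items():
        kept = [r for r in rows if r.get("email", "").strip().lower() != target]
        if len(kept) != len(rows):
            touched.append(system)
        systems[system] = kept
    return touched


def processing_register(systems):
    """Per-system summary for the Article 30 record: highest level held and special categories present."""
    register = {}
    for system, rows in systems.items():
        levels = {classify_record(r)[0] for r in rows} or {"public"}
        special = sorted({f for r in rows for f in r if f in SPECIAL_CATEGORY_FIELDS})
        register[system] = {"max_level": max(levels, key=LEVELS.index), "special_categories": special}
    return register


if __name__ == "__main__":
    for system, rows in SYSTEMS.items():
        for row in rows:
            print(system, classify_record(row)[0], row)
    print(dict(build_subject_index(SYSTEMS)))
    print(processing_register(SYSTEMS))
```

Two design points worth copying: unknown fields default to private rather than public, so a new column is never exposed by omission, and the content scan runs on every string field, which is how the support ticket above ends up restricted even though no policy entry mentions it. Regex scanning will not catch health information written in prose, so free-text fields still need a human review pass.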

Simplify GDPR Data Classification Process

GDPR data classification requirements can seem overwhelming, especially for large organizations with millions of records. Automation platforms such as Compyl are practically essential for efficiently, accurately, and cost-effectively managing the process. Contact us to see why you can trust Compyl for data classification and GDPR compliance.
