DAT-001 Data Classification Scheme
Description
A documented data classification scheme exists that categorises all information by sensitivity level (e.g. Public, Internal, Confidential, Restricted). All information assets are classified at creation or ingestion, and handling controls are proportionate to the assigned classification.
Rationale
Classification is the prerequisite for all other data protection controls. Without it, encryption strength, access scoping, retention periods and transfer rules cannot be applied proportionately.
Framework Mappings (6)
| Reference | Control | Coverage |
|---|---|---|
| DSP-01 | Security and Privacy Policy and Procedures | partial |
| DSP-04 | Data Classification | full |
| GDPR-Art.5.1c | Data Minimisation | partial |
| 5.12 | Classification of information | full |
| 5.13 | Labelling of information | partial |
| RA-2 | Security Categorization | full |
Evidence (2)
Data classification policy defining sensitivity tiers, their criteria, and handling requirements for each tier across storage, transmission, sharing and disposal.
Example: Data Classification Policy v2.1 (Confluence / Google Drive), approved by DPO and CISO, defining Public / Internal / Confidential / Restricted tiers with explicit handling rules per tier
Test: Request the data classification policy. Verify: (1) it defines at least 3 distinct sensitivity tiers with unambiguous criteria for each, (2) it specifies handling requirements for storage, transmission, sharing and disposal per tier, (3) the document is approved by a named owner and dated within the last 12 months, (4) the policy is accessible to all staff.
Data inventory or asset register showing each data asset classified against the published sensitivity tiers.
Example: Data Asset Register (Notion / spreadsheet), listing data stores, classification tier assigned, date last reviewed, and responsible data owner — exported at audit date
Test: Request the data asset register. Verify: (1) every data store or data category has a classification tier assigned, (2) at least one asset per tier is present (confirming the scheme is in active use), (3) each entry includes a last-reviewed date within the last 12 months, (4) at least one asset is classified Confidential or Restricted.
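The four register checks in the test above can be run mechanically against an exported register. The script below is an added example, not part of this control or of any assessment tool; the column names, tier labels and the sample rows are constructed for illustration.

```python
from datetime import date, timedelta

# Tier labels and review window are assumptions matching the policy example above.
TIERS = ("Public", "Internal", "Confidential", "Restricted")
REVIEW_WINDOW_DAYS = 365
AUDIT_DATE = date(2024, 10, 1)

# Constructed sample export of a data asset register (not real data).
REGISTER = [
    {"asset": "marketing-site", "tier": "Public", "last_reviewed": "2024-05-02", "owner": "comms"},
    {"asset": "hr-payroll-db", "tier": "Restricted", "last_reviewed": "2024-09-15", "owner": "hr"},
    {"asset": "crm", "tier": "Confidential", "last_reviewed": "2023-09-01", "owner": "sales"},
    {"asset": "wiki", "tier": "Internal", "last_reviewed": "2024-08-20", "owner": "it"},
    {"asset": "legacy-ftp", "tier": "", "last_reviewed": "2024-01-10", "owner": "it"},
]


def audit_register(register, audit_date, tiers=TIERS):
    """Apply the four DAT-001 register checks; return a list of findings (empty list = pass)."""
    findings = []
    cutoff = audit_date - timedelta(days=REVIEW_WINDOW_DAYS)
    used_tiers = {row.get("tier") for row in register}

    # (1) every data store carries a tier from the published scheme
    for row in register:
        if row.get("tier") not in tiers:
            findings.append(f"{row['asset']}: missing or unknown tier {row.get('tier')!r}")

    # (2) each tier is in active use by at least one asset
    for tier in tiers:
        if tier not in used_tiers:
            findings.append(f"tier {tier} has no assets (scheme not in active use)")

    # (3) every entry was reviewed within the window ending on the audit date
    for row in register:
        reviewed = row.get("last_reviewed")
        if not reviewed:
            findings.append(f"{row['asset']}: no last-reviewed date")
            continue
        if date.fromisoformat(reviewed) < cutoff:
            findings.append(f"{row['asset']}: last reviewed {reviewed}, older than {REVIEW_WINDOW_DAYS} days")

    # (4) the register contains at least one Confidential or Restricted asset
    if not used_tiers & {"Confidential", "Restricted"}:
        findings.append("no asset classified Confidential or Restricted")
    return findings


if __name__ == "__main__":
    for finding in audit_register(REGISTER, AUDIT_DATE) or ["PASS: all four checks satisfied"]:
        print(finding)
```

Against the sample rows the script reports two findings (an unclassified store and a stale review); a clean register returns an empty list.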
Questions (2)
Does your organisation maintain a documented data classification policy that defines sensitivity tiers and handling requirements for each tier?
The policy should define at least three tiers (e.g. Public / Internal / Confidential / Restricted) and specify handling rules for storage, transmission, sharing and disposal at each tier. It must be approved by a named owner and reviewed within the last 12 months.
How are data assets assigned a classification tier?
Automated tooling provides the most reliable coverage at scale. Manual classification by data owners is acceptable for smaller or less dynamic data sets, provided a data inventory confirms consistent application.