Data Protection & Compliance Glossary

Data protection classification - determination of protection requirements and data categories

Data classification (determination of protection requirements) categorizes data into protection classes based on its sensitivity (e.g., public, internal, confidential, strictly confidential). It forms the basis for appropriate technical and organizational measures (TOMs), DLP rules, and access controls. ISO 27001 (A.5.12), BSI IT-Grundschutz, and GDPR Art. 32 require a structured classification.

Data protection classification is the systematic process of categorizing information based on its protection requirements. Without classification, companies treat all data the same—either overprotecting it (expensive, impractical) or underprotecting it (risky). Classification provides the foundation for targeted protective measures.

Classification Models

Standard Classification Model (4 Levels):

┌───────────────────────┬──────────────────────────┬────────────────────────────────┐
│ Level                 │ Description              │ Examples                       │
├───────────────────────┼──────────────────────────┼────────────────────────────────┤
│ PUBLIC                │ Approved for publication │ Website, press releases,       │
│ (Public)              │                          │ marketing materials            │
├───────────────────────┼──────────────────────────┼────────────────────────────────┤
│ INTERNAL              │ Intended for employees   │ Internal guidelines, manuals,  │
│ (Internal)            │ only                     │ organizational charts          │
├───────────────────────┼──────────────────────────┼────────────────────────────────┤
│ CONFIDENTIAL          │ Restricted to a          │ Customer data, financial data, │
│ (Confidential)        │ designated group         │ contracts, HR data             │
├───────────────────────┼──────────────────────────┼────────────────────────────────┤
│ STRICTLY CONFIDENTIAL │ Highest sensitivity,     │ Passwords, keys, M&A           │
│ (Restricted)          │ need-to-know principle   │ information, health data,      │
│                       │                          │ data of criminal relevance     │
└───────────────────────┴──────────────────────────┴────────────────────────────────┘

BSI Risk Assessment (3 Categories):
  NORMAL:    Damage limited and manageable
  HIGH:      Damage is significant
  VERY HIGH: Damage is catastrophic or threatens existence

GDPR Data Categories (Article 9 - Special Categories):
  → Health data                          (VERY HIGH)
  → Biometric data for identification    (VERY HIGH)
  → Genetic data                         (VERY HIGH)
  → Political opinions                   (HIGH)
  → Trade union membership               (HIGH)
  → Religious or philosophical beliefs   (HIGH)
  → Sexual orientation                   (HIGH)
  → Racial or ethnic origin              (HIGH)
  Criminal data (Article 10): Separate regime

Classification Process

Step-by-step classification process:

Step 1: Create a data inventory
  → What data exists within the company?
  → Storage locations: File servers, databases, email, cloud, endpoints
  → Tools: Microsoft Purview Data Discovery, Spirion, Varonis
  → Result: Data catalog with source, format, owner

Step 2: Define classification criteria
  Evaluate for each data category:
  Confidentiality: What happens in the event of unauthorized disclosure?
  Integrity:       What happens in the event of unauthorized modification?
  Availability:    What happens in the event of failure/loss?

  Damage assessment:
    Financial damage    → Quantify (EUR)
    Reputational damage → Fines, loss of customers
    Legal damage        → Liability, GDPR fines
    Operational damage  → Business interruption, data loss

Step 3: Perform classification
  Automatically (DLP/discovery tools):
    → Regex rules: IBAN, SWIFT, Social Security number
    → AI-based: semantic classification
    → Metadata: file format, creation date, location

  Manual (creator responsibility):
    → Assign classification labels upon creation
    → Email: label plugin in Outlook/Gmail
    → Word/Excel: Information Protection Toolbar (Microsoft Purview)

Step 4: Apply labels
  → Visible: Watermark, header/footer in documents
  → Metadata: Invisible in file header
  → Email: "Subject: [CONFIDENTIAL] 2025 Annual Financial Statements"
  → Teams/SharePoint: Site-level classification

Step 5: Determine protection measures
  Protection class → TOM Matrix:

  PUBLIC:
    Access:        Unrestricted
    Encryption:    Optional (HTTPS)
    Backup:        Standard
    Logging:       Minimal

  INTERNAL:
    Access:        Employees only (SSO/Entra ID)
    Encryption:    In-transit (TLS), at-rest optional
    Backup:        Daily
    Logging:       Standard

  CONFIDENTIAL:
    Access:        Need-to-know, MFA required
    Encryption:    At-rest + in-transit (AES-256 / TLS 1.3)
    Backup:        Daily, encrypted
    Logging:       Full audit log
    DRM:           Optional Information Rights Management

  STRICTLY CONFIDENTIAL:
    Access:        Explicit access list, dual-control principle
    Encryption:    Strong encryption, key management
    Backup:        Air-gapped or HSM
    Logging:       All accesses, immutable (WORM)
    DRM:           Mandatory (no copy/print/forward)
    Transmission:  Encrypted only (never unencrypted email!)
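
The regex rules of Step 3 and the class-to-TOM mapping of Step 5 carried through in one small classifier, as an added Python example that is not part of the original page or of any product named here. The mod-97 and Luhn checksums are used to drop pattern hits that are not real IBANs or card numbers, and the sample text and the reduced TOM matrix are constructed assumptions for illustration.

```python
import re

# The 4-level model, ascending; list order is what "highest finding wins" compares.
LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "STRICTLY CONFIDENTIAL"]

# Constructed subset of the Step 5 TOM matrix (three controls per class).
TOM_MATRIX = {
    "PUBLIC":                {"mfa": False, "at_rest_encryption": False, "logging": "minimal"},
    "INTERNAL":              {"mfa": False, "at_rest_encryption": False, "logging": "standard"},
    "CONFIDENTIAL":          {"mfa": True,  "at_rest_encryption": True,  "logging": "full audit"},
    "STRICTLY CONFIDENTIAL": {"mfa": True,  "at_rest_encryption": True,  "logging": "immutable (WORM)"},
}

IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")   # shape only; the checksum decides
CARD_RE = re.compile(r"\b\d{13,19}\b")                       # shape only; Luhn decides

def iban_valid(iban: str) -> bool:
    """ISO 7064 mod-97: move the first four characters to the end, map A..Z to 10..35."""
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(digits) % 97 == 1

def luhn_valid(number: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled and digit-summed."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d >= 5 else d * 2
        total += d
    return total % 10 == 0

def detect(text: str) -> list:
    """Step 3 regex rules; a hit counts only if its checksum passes (cuts false positives)."""
    hits = [("IBAN", "CONFIDENTIAL") for m in IBAN_RE.finditer(text) if iban_valid(m.group())]
    hits += [("CARD", "CONFIDENTIAL") for m in CARD_RE.finditer(text) if luhn_valid(m.group())]
    return hits

def classify(text: str, declared: str = "INTERNAL") -> dict:
    """Maximum principle: the creator's label sets a floor, findings can only raise the class."""
    findings = detect(text)
    level = max([declared] + [lvl for _, lvl in findings], key=LEVELS.index)
    return {"level": level, "findings": findings, "tom": TOM_MATRIX[level]}

# Constructed sample: one valid IBAN, one IBAN with bad check digits,
# one Luhn-valid card number and one random 13-digit order number.
SAMPLE = ("Payment to DE89370400440532013000 by card 4111111111111111. "
          "Ref DE00370400440532013000, order 1234567890123.")
```

Running `classify(SAMPLE)` yields CONFIDENTIAL with exactly two findings; the malformed IBAN and the order number are rejected by the checksums even though both match the regexes.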

Technical Implementation

Microsoft Purview Information Protection:

Configure sensitivity labels (PowerShell):
  # Security & Compliance PowerShell is part of the ExchangeOnlineManagement module
  Install-Module -Name ExchangeOnlineManagement
  Connect-IPPSSession

  # -Tooltip is mandatory for New-Label; header marking and watermarking use the
  # ApplyContentMarkingHeader* and ApplyWaterMarking* parameters
  New-Label -Name "Strictly Confidential" `
    -DisplayName "Strictly Confidential" `
    -Tooltip "Highest sensitivity, need-to-know only" `
    -EncryptionEnabled $true `
    -EncryptionProtectionType "Template" `
    -ApplyContentMarkingHeaderEnabled $true `
    -ApplyContentMarkingHeaderText "STRICTLY CONFIDENTIAL - FOR INTERNAL USE ONLY" `
    -ApplyWaterMarkingEnabled $true `
    -ApplyWaterMarkingText "CONFIDENTIAL"

Auto-Labeling Policy (detects automatically):
  # The label to apply is passed as -ApplySensitivityLabel; the policy only matches
  # content once a rule (New-AutoSensitivityLabelRule) with sensitive-info types is attached
  New-AutoSensitivityLabelPolicy `
    -Name "GDPR-AutoLabel" `
    -ApplySensitivityLabel "Confidential" `
    -ExchangeLocation All `
    -Mode "TestWithoutNotifications"

  Automatically classified:
  → Emails/documents containing IBANs, credit cards, SSNs
  → Emails to external recipients containing financial data

Derive DLP policy (prevents exfiltration):
  → "Strictly Confidential" files must not be sent via email
  → USB block for "Confidential" and higher
  → Cloud upload only to approved services (SharePoint, Box)

---

Open-source alternative (FOSS):
  Apache Atlas:    Data governance and metadata catalog
  Apache Ranger:   Access control + DLP for Hadoop/Spark
  OpenMetadata:    Modern data catalog with classification support

Governance and Roles

Roles in Data Protection Classification:

Data Owner (Business Unit):
  → Responsible for the accuracy of the classification
  → Approves exceptions and access
  → Quarterly review of classifications

Data Custodian (IT):
  → Technical implementation of protective measures
  → Operation of DLP/IRM systems
  → Implement access rights

Data Users (Employees):
  → Assign classifications when creating data
  → Observe classifications upon receipt
  → Report incidents of misclassification

GDPR Officer (Data Protection Officer):
  → Oversee personal data classification
  → Set retention periods per category
  → Maintain the record of processing activities (Art. 30)

ISO 27001 Requirements:
  A.5.12: Classification of information
  A.5.13: Labeling of information
  A.5.14: Transfer of information
  A.8.10: Deletion of information (retention periods!)