Data Classification – the 'User driven' journey

In this ‘Data’ driven economy, data is a key asset for business and protecting that asset is becoming an obvious need and not a choice anymore. But that does not mean every data needs to be protected with equal importance. This very philosophy commences a data protection journey for the organization, shifting the mindset from a ‘protect All or None’ based approach to a more ‘Risk based approach’. If we buy this Risk based approach, that necessitates the ‘Data’ to have a proper classification attached to it, something that has to be persistent with the life cycle of the ‘Data’ starting from creation till destruction/archival. With all that being said, question arises how to start or from where to start? The starting point essentially should be a well defined ‘Data Classification Policy’ which would articulate the classification taxonomy, indicative examples, the risk of unauthorized access implication around every category etc. With the policy being formulated, the implementation would definitely require some best in class technology solution. But are these enough for the organization to win the race? Of course Not. The success will ultimately depend on whether People, Process and Technology all work hand in hand, People being pivotal in the whole value chain of adoption, awareness and enforcement. If Data Classification is enforced by technology from Day 1, that can be a quick win but may create ambiguity, user confusion, culminating in a strategic failure of the overall journey. On the other hand, if it is initiated as a ‘user-driven’ journey, it will take time to mature, it will need many fold user awareness sessions but it will surely help the organization reap the riches in the long run, making Data Classification a practice. This is also fundamental … the user who creates the data (the owner/author) is the one to decide its classification and thereby doing justice to its protection. Now this can be frowned upon, especially where there is a pressing compliance obligation but we can eventually make things fall in place, starting from a user-driven approach at stage 1, recommended approach in stage 2 and automated approach in stage 3 so on and so forth. The business user, who owns or creates the data, should be empowered to know its worth.