
DPDPB and GDPR: Data Classification

by delta


Data classification is the process of organizing data according to its sensitivity and the level of protection it requires. It is a key component of data protection and privacy laws such as the General Data Protection Regulation (GDPR) and of comparable laws around the world.

Under the GDPR, personal data falls into two groups:

  • General personal data: personal data that does not fall into a special category. Processing it still requires a lawful basis and transparency towards the data subject, but no additional conditions apply. Names, postal addresses and email addresses are typical examples.
  • Special categories of personal data: data that is more sensitive and needs stronger protection. Article 9 lists racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health data, and data concerning sex life or sexual orientation. Processing such data is prohibited unless one of the specific Article 9 conditions is met.

Other data protection laws contain similar classification rules. For example, the U.S. Health Insurance Portability and Accountability Act (HIPAA) defines medical data held by covered entities as protected health information (PHI) and subjects it to strict privacy and security standards.

B. How do the GDPR and the DPDP Bill look at data classification?

Data classification is covered by both the General Data Protection Regulation (GDPR) and the Digital Personal Data Protection Bill of 2022 (DPDPB).

The GDPR distinguishes general personal data from special categories of personal data. Special categories are data deemed sensitive and requiring a higher level of protection. General personal data is everything else: it can be processed on any of the lawful bases of Article 6 (consent is only one of them) without the additional conditions that Article 9 imposes on special categories.

The Digital Personal Data Protection Bill 2022 takes a different approach. It defines personal data as any data about an individual who is identifiable by or in relation to that data, and applies a single set of obligations to all digital personal data. Unlike the earlier Personal Data Protection Bill 2019, it does not carve out sensitive personal data (financial data, health data, biometric data and so on) as a separate tier with its own rules.

C. Classification of data and its importance

  • Why Data Classification Matters

Data classification helps organizations understand what kinds of information they process and store. With that knowledge, they can protect each data set according to its value and sensitivity.

By establishing an appropriate level of protection for each class of information, classification supports regulatory compliance and saves costs. Businesses can focus encryption, access control and monitoring on their most valuable information, while lower-sensitivity data is handled with cheaper controls and correspondingly less risk.

  • GDPR and data classification

Beyond the basic “personal data” category, the GDPR singles out “special categories” of personal data (Article 9): racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health data, and data concerning sex life or sexual orientation.

  • DPDP bill and data classification

The DPDP Bill 2022 drops the “sensitive personal data” and “critical personal data” classes that existed in the earlier draft legislation. Instead, it treats all personal data as one class that must be protected, and it applies only to “digital” personal data. The scope rule for this is set out in Section 4 of the DPDP Bill.

  • Common requirements for data classification

Many frameworks and legal regulations contain requirements that, directly or indirectly, oblige organizations to classify their data. The list below is not exhaustive and states each requirement only in general terms; what applies to you depends on the type of data your organization collects, uses, stores, processes, or transmits.

  • SOC 2: Under the SOC 2 Trust Services Criteria, service organizations that include the confidentiality category in their audit must demonstrate that they identify and maintain confidential information in order to meet the entity’s confidentiality objectives. You cannot identify confidential information without a classification scheme.
  • HIPAA: Protected health information (PHI) is high-risk information. The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical and technical safeguards that ensure the confidentiality, integrity and availability of electronic PHI, and the HIPAA Privacy Rule limits how PHI may be used and disclosed. Meeting either rule presupposes that the organization knows which of the information it collects, uses, retains, or transmits is PHI.
  • PCI DSS: Requirement 9.6.1 of PCI DSS v3.2.1 requires entities to “classify media so the sensitivity of the data can be determined”, so that media holding cardholder data is handled accordingly.
  • GDPR: Organizations that control personal data of individuals in the EU must know which categories of personal data they collect; the GDPR also designates some data, such as racial or ethnic origin, political opinions, biometric data, and health data, as “special categories” subject to stricter conditions. In practice, this means knowing the types of data you store and mapping them onto an internal sensitivity scheme, such as public, proprietary, or confidential, that drives the controls applied.
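The bullets above describe classification only as an obligation. The following Python script, added here as an illustration and not taken from the article or from any regulation, shows what a field-level classifier looks like in practice: it tags each field of a record with a regulatory category (GDPR personal data, GDPR Article 9 special category, HIPAA PHI, PCI cardholder data), maps that category to an internal handling tier (internal / confidential / restricted) and lists the controls the tier triggers. The rule patterns, tier names, control lists and the sample record are all constructed for this example; a real deployment would load them from policy.

```python
"""Field-level data classifier (illustrative example, not from the article).

Two kinds of rules are combined: field-name rules (a column called
"ethnic_origin" is a special category whatever it contains) and
content rules (an email address or a card number stored in a column
with an innocuous name is still personal or cardholder data).  When
several rules hit, the most severe category wins.
"""
import re
from typing import Dict, List

# Category labels are this example's own, not statutory terms.
NONE = "not personal data"
GDPR_PERSONAL = "GDPR personal data"
PCI_CHD = "PCI DSS cardholder data"
HIPAA_PHI = "HIPAA protected health information"
GDPR_SPECIAL = "GDPR Art. 9 special category"
SEVERITY = [NONE, GDPR_PERSONAL, PCI_CHD, HIPAA_PHI, GDPR_SPECIAL]  # low -> high

# Internal handling tiers and the controls each tier triggers (assumed policy).
TIER = {NONE: "internal", GDPR_PERSONAL: "confidential",
        PCI_CHD: "restricted", HIPAA_PHI: "restricted", GDPR_SPECIAL: "restricted"}
CONTROLS = {
    "internal": ["access logging"],
    "confidential": ["access logging", "encryption at rest", "retention limit"],
    "restricted": ["access logging", "encryption at rest", "retention limit",
                   "field-level encryption", "documented legal basis", "need-to-know ACL"],
}

# Field-name rules: regex on the column name -> category (constructed patterns).
NAME_RULES = [
    (re.compile(r"ethnic|race|religio|political|union|sexual|genetic|biometric", re.I), GDPR_SPECIAL),
    (re.compile(r"health|diagnos|medic|blood|prescription", re.I), HIPAA_PHI),
    (re.compile(r"(card|pan)$|card_number|cvv", re.I), PCI_CHD),
    (re.compile(r"name|email|phone|address|dob|birth|(?:^|_)ip(?:_|$)", re.I), GDPR_PERSONAL),
]
# Content rules: regex the whole value must match -> category.
CONTENT_RULES = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), GDPR_PERSONAL),     # email address
    (re.compile(r"(?:\d{1,3}\.){3}\d{1,3}"), GDPR_PERSONAL),      # IPv4 address
    (re.compile(r"\d{13,19}"), PCI_CHD),                          # PAN candidate, Luhn-checked below
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates card numbers from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 2 + 5 - 5 and d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_field(name: str, value: str) -> str:
    """Return the most severe category any name or content rule assigns."""
    hits = [NONE]
    for pattern, category in NAME_RULES:
        if pattern.search(name):
            hits.append(category)
    for pattern, category in CONTENT_RULES:
        if pattern.fullmatch(value):
            if category == PCI_CHD and not luhn_ok(value):
                continue         # 13-19 digits failing Luhn: an order number, not a PAN
            hits.append(category)
    return max(hits, key=SEVERITY.index)


def classify_record(record: Dict[str, object]) -> Dict[str, str]:
    return {field: classify_field(field, str(value)) for field, value in record.items()}


def handling_plan(record: Dict[str, object]) -> Dict[str, object]:
    """The most sensitive field decides the tier of the record as a whole."""
    classes = classify_record(record)
    top = max(classes.values(), key=SEVERITY.index)
    tier = TIER[top]
    return {"fields": classes, "record_tier": tier, "controls": list(CONTROLS[tier])}


# Constructed sample record; the card number is a well-known Luhn-valid test value.
SAMPLE_RECORD = {
    "customer_id": "C-1029",
    "full_name": "Asha Verma",
    "contact": "asha@example.com",        # name says nothing, content rule catches it
    "ethnic_origin": "not disclosed",     # special category by field name alone
    "blood_group": "O+",
    "payment": "4111111111111111",
    "newsletter_opt_in": "yes",
    "last_login_ip": "203.0.113.7",
}

if __name__ == "__main__":
    plan = handling_plan(SAMPLE_RECORD)
    for field, category in plan["fields"].items():
        print(f"{field:18} {category:38} -> {TIER[category]}")
    print("record tier:", plan["record_tier"], "controls:", ", ".join(plan["controls"]))
```

The point of keeping name rules and content rules separate is that each catches what the other misses: a column literally named `ethnic_origin` is Article 9 data even when the value is "not disclosed", while a 16-digit Luhn-valid string in a column called `payment` is cardholder data no matter what the schema says. A digit string that fails Luhn is deliberately left unclassified so that order or invoice numbers do not inflate the PCI scope.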

What classification procedures does your company have in place? Do you need help identifying the categories of data you collect, use, store, process, or transmit? If data protection is a priority, classifying your data accurately is the first step.

  • Data classification and CCPA

Under the CCPA, “personal information” covers both objective facts about a consumer, such as blood test results and other medical data, and subjective information such as the inferences drawn about a consumer to build a profile, which is the kind of data banks and insurance companies typically produce.

A later amendment clarified how de-identified information is treated under the CCPA. This matters for medical research, where large datasets are de-identified before use.

Common classification dimensions used alongside these categories are:

  • Internal
  • Financial
  • Historical
  • External

Once you understand these categories, keeping your classification scheme up to date is straightforward, and applying it consistently helps protect data against common misuse.

Delta-Compliance.com is a premier news website that provides in-depth coverage of the latest developments in finance, startups, compliance, business, science, and job markets.

This Website is operated by the Company DELTA Data Protection & Compliance, Inc., located in Lewes, DE 19958, Delaware, USA.
Copyright ©️ 2023  Delta Compliance. All Rights Reserved
