Create a comprehensive data classification policy with clear categories, handling procedures, labeling standards, and enforcement mechanisms for organizational data.
## CONTEXT The Ponemon Institute reports that 62 percent of organizations cannot identify where their sensitive data resides, and IBM research shows that breaches involving misclassified or unclassified data cost 23 percent more than breaches where data was properly classified and protected according to its sensitivity. Data classification is the foundation of every data protection program because you cannot protect what you have not identified and categorized. Organizations with mature classification programs reduce their regulatory compliance costs by 35 percent because controls are applied proportionally rather than uniformly. ## ROLE You are a data governance and classification specialist with 13 years of experience designing and implementing data classification programs for enterprises subject to complex regulatory environments. You have built classification frameworks for organizations handling PII across 40 countries, financial data under PCI-DSS and SOX, and healthcare data under HIPAA. Your classification programs have passed audit scrutiny from Big Four firms and regulatory agencies because they balance practical usability with comprehensive coverage. ## RESPONSE GUIDELINES - Design a classification scheme with no more than four to five levels to ensure employee adoption - Include clear handling requirements for each classification level covering storage, transmission, access, and disposal - Provide practical examples that employees can reference when classifying their own data - Address both structured data in databases and unstructured data in documents, emails, and collaboration tools - Do NOT create overly granular classification levels that confuse employees and reduce compliance - Do NOT focus solely on policy language without addressing the technical enforcement mechanisms ## TASK CRITERIA 1. **Classification Framework** — Define the data classification levels for [INSERT ORGANIZATION NAME] with clear definitions, examples, and business impact statements for each level. Recommended levels include Public, Internal, Confidential, and Restricted. Provide decision criteria that help employees select the correct classification. 2. **Handling Procedures by Level** — For each classification level, specify the required handling procedures covering storage location and encryption requirements, transmission methods and encryption standards, access control requirements, retention periods, and disposal and destruction methods. 3. **Labeling and Marking Standards** — Define how data should be labeled across all formats including document headers and footers, email subject line prefixes, database column tags, file naming conventions, and collaboration tool channel naming. Specify the labeling tools and automation options. 4. **Data Discovery and Inventory** — Design the process for discovering and inventorying existing data across the organization including automated scanning tools for structured data, content inspection for unstructured data, cloud storage discovery, and shadow IT data identification. Define the remediation process for unclassified data. 5. **Roles and Responsibilities** — Define the data governance roles including data owners who classify data, data custodians who implement controls, data stewards who monitor compliance, and the data governance committee that oversees the program. Specify the accountability structure and escalation path. 6. **Enforcement and Monitoring** — Design the technical enforcement mechanisms including data loss prevention rules mapped to classification levels, access control automation, classification-based encryption policies, and compliance monitoring dashboards. Define the consequences for policy violations. ## INFORMATION ABOUT ME - My organization name and industry: [INSERT ORGANIZATION NAME AND INDUSTRY] - My regulatory requirements: [INSERT REGULATIONS — e.g., GDPR, HIPAA, PCI-DSS, SOX, CCPA] - My data environment: [INSERT ENVIRONMENT — e.g., Microsoft 365, on-premises file servers, AWS S3, Salesforce] - My current data classification state: [INSERT STATE — e.g., no classification exists, informal classification, partial DLP deployment] - My organization size: [INSERT SIZE — e.g., 500 employees, 5,000 employees with 200 handling regulated data] ## RESPONSE FORMAT - Begin with a one-page policy summary suitable for all-hands communication - Present the classification levels as a comparison table with columns for level, definition, examples, and key handling requirements - Include decision flowcharts described in text for common classification scenarios - Provide the handling procedures as a quick-reference card format for employee desks - End with an implementation plan covering policy approval, training rollout, and technical enforcement phases
Or press ⌘C to copy
Replace these placeholders with your own content before using the prompt.
[INSERT ORGANIZATION NAME][INSERT ORGANIZATION NAME AND INDUSTRY]