
What is GDPR?
GDPR stands for the General Data Protection Regulation, a European Union law based on Article 8 of the EU Charter of Fundamental Rights – “Protection of personal data.”
To whom does GDPR apply?
GDPR applies to all entities that process personal data of European citizens, regardless of whether the entity is located within or outside the EU.
What is meant by personal data?
Personal data refers to any information that can be used to identify a natural person, such as:
- Name
- ID numbers
- Location data
- Online identifiers
- Physical, physiological, genetic, economic, cultural, or social identity
What is meant by processing?
Processing includes any operation or set of operations performed on personal data, such as:
- Collection
- Recording
- Organization
- Structuring
- Storage
- Adaptation or alteration
- Retrieval
- Consultation
- Use
- Disclosure by transmission
- Dissemination or otherwise making available
- Alignment or combination
- Restriction
- Erasure or destruction
What does GDPR say about data classification?
GDPR does not explicitly require data classification. However, it strongly implies the need for it through several relevant articles:
Article 30: Records of Processing Activities
Data controllers and processors must maintain a record of processing activities, including a clear overview of where and how personal data is stored and processed.
For example, if someone is storing Excel sheets full of personal data for analysis, the data controller must be aware of it. Data classification can help create this overview.
Article 32: Security of Processing
Organizations must implement appropriate technical and organizational measures to ensure the confidentiality, integrity, and availability of personal data.
If you don’t know the sensitivity level of your documents, how can you ensure they are protected appropriately? Data classification provides that visibility.
Article 15: Right of Access
Data subjects have the right to know:
- Whether their personal data is being processed
- What type of personal data is being processed
- For what purpose
This requires the data controller to have a clear overview of the types of data being processed. With unstructured data, this can be difficult—data classification helps restore control.
Article 16: Right to Rectification
Data subjects can request corrections to their personal data, including data in unstructured formats. Data classification helps locate and verify such information.
Article 17: Right to Erasure (Right to Be Forgotten)
Data subjects have the right to have their personal data erased if it is not lawfully processed. This includes unstructured data, which can be challenging to identify without classification.
Article 18: Right to Restrict Processing
Data subjects can limit the processing of their data, for example, by withdrawing consent. Data classification ensures such data is easily identifiable and properly restricted.
Summary
Although GDPR does not mandate data classification, classification supports many of the regulation's core principles, such as data governance, access control, and secure processing. Classifying your data:
- Enhances visibility and control
- Supports regulatory compliance
- Ensures appropriate protection based on data sensitivity
In short, data classification is a strategic tool that facilitates GDPR compliance.