How to Implement Data Classification and Grading for Robust Security
This article outlines the national‑standard‑based methodology for classifying and grading data, detailing industry‑specific processes, core and important data identification criteria, general data handling, and a privacy‑focused governance framework that enables organizations to protect sensitive information effectively.
General Rules for Data Classification and Grading
To start data classification and grading, first categorize data, identify important and core data, then establish appropriate security measures, following national laws such as the Data Security Law, Cybersecurity Law, and Personal Information Protection Law.
GB/T 25069—2022 defines terminology for information security technology.
Data is classified by industry domain first, and then by business attributes.
Data is divided into three levels—core data, important data, and general data—based on the potential harm if the data is leaked, altered, destroyed, or illegally accessed.
Data Classification and Grading Process
1. Industry Domain Data Classification and Grading Process
Industry regulators should develop sector‑specific standards, clarifying classification criteria, identifying core, important, and general data, and guiding data handlers to accurately recognize and report core and important data catalogs.
2. Data Processor Classification and Grading Process
Data processors should inventory data assets, create internal rules based on sector standards, classify data (including special categories such as personal information), perform grading, audit and report the results, and manage dynamic updates as risk levels change.
Core Data Identification Guide
Data is identified as core if any of the following conditions are met:
Leakage, tampering, destruction, or illegal acquisition causes especially severe harm to national security or political security.
The same events (leakage, tampering, destruction, or illegal acquisition) cause especially severe harm to economic operation.
The same events cause especially severe harm to social order.
The same events cause especially severe harm to public interest.
Data with high coverage of a specific domain, group, or region that directly affects political security.
Data with high precision, large scale, high importance, or depth that directly affects political security.
Data assessed and confirmed as core by relevant authorities.
Important Data Identification Guide
Data is identified as important if any of the following conditions are met:
Leakage, tampering, destruction, or illegal acquisition causes general harm to national security.
The same events (leakage, tampering, destruction, or illegal acquisition) cause serious harm to economic operation.
The same events cause serious harm to social order.
The same events cause serious harm to public interest.
Data directly relates to national security, economic operation, social stability, or public health in specific fields, groups, or regions.
Data with sufficient precision, scale, depth, or importance that directly influences national security, economy, or public welfare.
Data evaluated and confirmed as important by the industry regulator.
Data not identified as core or important is classified as general data.
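The harm-based conditions in the two guides above can be applied to a data inventory as a small grading routine. This is an added example, not code from the article or from any standard; the class, function, and asset names are hypothetical. It assumes that harm above a listed threshold also meets it, folds political security into national security, and does not model the coverage and precision conditions.

```python
from dataclasses import dataclass
from enum import IntEnum

# Assessed harm if the data is leaked, altered, destroyed or illegally accessed.
Harm = IntEnum("Harm", "NONE GENERAL SERIOUS ESPECIALLY_SEVERE", start=0)
Grade = IntEnum("Grade", "GENERAL IMPORTANT CORE", start=0)

# Lowest harm that triggers each grade, per impact object, taken from the two guides.
# Assumption: harm above a listed threshold also meets it.
_OTHER = {Grade.CORE: Harm.ESPECIALLY_SEVERE, Grade.IMPORTANT: Harm.SERIOUS}
THRESHOLDS = {
    "national_security": {Grade.CORE: Harm.ESPECIALLY_SEVERE, Grade.IMPORTANT: Harm.GENERAL},
    "economic_operation": _OTHER, "social_order": _OTHER, "public_interest": _OTHER,
}

@dataclass
class Asset:
    name: str
    harm: dict                        # impact object -> Harm, from the processor's assessment
    confirmed: Grade = Grade.GENERAL  # grade confirmed by an authority or regulator, if any

def grade(asset):
    """Highest grade met by any condition; an unknown impact object raises KeyError."""
    result = asset.confirmed
    for obj, level in asset.harm.items():
        for g in (Grade.CORE, Grade.IMPORTANT):
            if level >= THRESHOLDS[obj][g]:
                result = max(result, g)
                break
    return result

def catalog(assets):
    """Core and important data catalog for reporting; general data is left out."""
    return {a.name: grade(a).name for a in assets if grade(a) > Grade.GENERAL}

def regraded(old, new):
    """Assets whose grade changed between two assessments (dynamic update)."""
    before = {a.name: grade(a) for a in old}
    return {a.name: (before[a.name].name, grade(a).name)
            for a in new if a.name in before and before[a.name] != grade(a)}

# Constructed sample inventory (names and harm levels are illustrative only).
INVENTORY = [
    Asset("grid_dispatch_telemetry", {"national_security": Harm.ESPECIALLY_SEVERE}),
    Asset("border_survey", {"national_security": Harm.GENERAL}),
    Asset("regional_health_stats", {"public_interest": Harm.SERIOUS}),
    Asset("marketing_clickstream", {"economic_operation": Harm.GENERAL}),
    Asset("customer_ledger", {}, confirmed=Grade.IMPORTANT),
]
```

Note the asymmetry the guides encode: general harm to national security already makes data important, while general harm to economic operation leaves it as general data.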
Technical Identification Flow for General Data
General data classification should start from the classification perspective, using multi‑dimensional indicators and vectorized analysis to discover data features, then apply user‑decision feedback mechanisms to improve accuracy.
A privacy‑preserving data security governance framework provides industry templates, sensitive data detection technology, compliance knowledge bases (GDPR, PCI, etc.), risk quantification, and reporting to support continuous protection of sensitive information.
Data Thinking Notes
Sharing insights on data architecture, governance, and middle platforms, exploring AI in data, and linking data with business scenarios.