How to Implement Effective Data Classification and Grading for Secure Data Management
Data classification and grading, essential components of data security governance, involve defining data categories, assigning sensitivity levels, adhering to national standards, and establishing organizational processes to ensure compliant, secure, and value‑driven data handling across enterprises.
1. Concept and Challenges of Data Classification and Grading
Data has become one of the five major productive forces alongside land, labor, capital, and technology, making it a strategic national resource. Enterprises must open data sharing and increase data value while ensuring lifecycle security and compliance.
According to GB/T 38667-2020, data classification is the process of grouping data based on attributes or characteristics to facilitate better management and use. There is no single classification method; enterprises create schemes based on management goals, protection measures, and dimensions such as industry, business domain, source, sharing, and openness.
Data grading assigns protection levels according to the importance and impact of data, covering national security and public interest, enterprise interests, and user interests.
Challenges include: (1) difficulty defining standards for complex business scenarios; (2) lack of effective management and usage policies after classification; (3) low accuracy of automatic identification for unstructured data.
2. Domestic Standards for Data Classification and Grading
Standard/Guide Name | Issuing Agency | Main Content
Financial Data Security Grading Guide (JR/T 0197—2020) | People's Bank of China | Goals, principles, scope, elements, rules, and process of financial data security grading.
Securities and Futures Data Classification and Grading Guide (JR/T 0158-2018) | China Securities Regulatory Commission | Grading method based on the impact of data leakage or damage for the securities and futures industry.
Basic Telecom Enterprise Data Classification and Grading Method (YD/T 3813-2020) | Ministry of Industry and Information Technology | Data classification and grading for the telecom industry, covering communication security and user privacy.
Personal Financial Information Protection Technical Specification (JR/T 0171—2020) | People's Bank of China | Security protection for the collection, storage, and processing of personal financial information.
Personal Information Security Specification (GB/T 35273-2020) | Standardization Administration of China | Requirements for the collection, storage, use, and sharing of personal information.
Vehicle‑Network Data Security Technical Requirements (YD/T 3751-2020) | Ministry of Industry and Information Technology | Encryption, transmission, and storage measures for vehicle‑network data.
Vehicle‑Network User Personal Information Protection Requirements (YD/T 3746-2020) | Ministry of Industry and Information Technology | Protection of personal information in vehicle‑network scenarios.
Network Data Classification and Grading Guide | National Information Security Standardization Technical Committee | Guidance for data processors on conducting classification and grading.
Other references include various industry, national, and sector standards.
3. Enterprise Implementation of Data Classification and Grading
3.1 Implementation Path
Consultation, research, and analysis – assess regulatory policies, business systems, data assets, and security status.
Data asset inventory – automate identification, tagging, and build a data asset catalogue.
Classification scheme – design a classification system based on the asset inventory, implement tagging, and refine rules.
Grading scheme – design grading levels, optimize rules, improve automation, and set up change‑management mechanisms.
Panorama – create a visual overview of classification and grading, produce operational mechanisms, and prepare for secure data flow.
3.2 Data Classification
Data classification groups data according to attributes or characteristics, establishing a hierarchy for better management and usage.
Classification can be viewed from data‑management, data‑application, or national/industry perspectives.
Line (hierarchical) Classification
Objects are divided step by step into layers according to the selected attributes; categories at the same level are parallel, while categories at different levels stand in a hierarchical relation.
Surface (faceted) Classification
Objects are divided into independent “surfaces” (facets) according to their inherent attributes, each surface containing its own set of categories; combining categories from different surfaces yields composite categories.
Hybrid Classification
Combines the line and surface methods, using one as the primary method and the other as a supplement. It suits scenarios where a primary dimension defines the major categories and a secondary dimension defines the sub‑categories.
3.3 Data Grading
Grading is based on data importance and sensitivity. The Data Security Law of the People’s Republic of China defines three levels: general, important, and core data.
Enterprises often adopt four levels: Public (1), Secret (2), Confidential (3), Top‑Secret (4). A five‑level example hierarchy, ordered from the most to the least sensitive, is:
Level 5 – data that can affect national security or cause severe public impact.
Level 4 – data that can cause general public impact or serious personal/enterprise harm, but not national security.
Level 3 – data that causes minor public impact or ordinary personal/enterprise harm.
Level 2 – data that causes slight personal or enterprise harm.
Level 1 – data that has negligible impact.
Classification categories may include R&D data, production‑operation data, management data, operation‑maintenance data, business‑service data, personal information, etc.
3.4 Application in Business
Classification and grading standards are only the starting point; effective enforcement requires processes and tools such as permission requests, data sharing controls, incident response workflows, and automated enforcement.
4. Sensitive Data Identification and Tagging
Large enterprises need automated discovery and tagging of sensitive data. A rule base can include keywords, regular expressions, file‑attribute detection, metadata‑based custom rules, and machine‑learning models (e.g., for bank card numbers, IDs, phone numbers, names, licenses, images).
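An added example (not from the original article) of the rule base just described, combined with the grading idea of section 3.3: each rule carries a tag, a category, an assumed grade level, a regular expression and, where the identifier has a check digit, a checksum validator that cuts false positives. The rule list, level numbers and sample record are illustrative assumptions; the ID and card numbers are synthetic test values.

```python
import re
from dataclasses import dataclass

# Rule base in the style of section 4: tag, category (section 3.3 examples),
# level (assumed numbers under the five-level example hierarchy), regex and an
# optional checksum validator. Rules run in order; each validated match is
# masked before the next rule so an ID number is not re-tagged as a card number.

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def prc_id_ok(idno: str) -> bool:
    """ISO 7064 MOD 11-2 check digit of an 18-digit PRC resident ID number."""
    weights = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2]
    total = sum(int(c) * w for c, w in zip(idno[:17], weights))
    return "10X98765432"[total % 11] == idno[17].upper()

RULES = [  # (tag, category, level, pattern, validator) -- illustrative values
    ("prc_id", "personal information", 4, re.compile(r"\b\d{17}[\dXx]\b"), prc_id_ok),
    ("bank_card", "personal information", 4, re.compile(r"\b\d{16,19}\b"), luhn_ok),
    ("cn_mobile", "personal information", 3, re.compile(r"\b1[3-9]\d{9}\b"), None),
    ("internal_kw", "management data", 2, re.compile(r"(?i)\binternal only\b"), None),
]

@dataclass
class Finding:
    tag: str
    category: str
    level: int
    value: str

def scan(text: str) -> list:
    """Apply every rule to the record and return the validated findings."""
    findings, work = [], text
    for tag, category, level, pattern, validator in RULES:
        for m in pattern.finditer(work):
            value = m.group(0)
            if validator and not validator(value):
                continue  # right shape, wrong checksum: drop it to cut false positives
            findings.append(Finding(tag, category, level, value))
            work = work.replace(value, "#" * len(value))  # mask for later rules
    return findings

def grade(text: str) -> int:
    """Grade a record at the highest level among its findings (0 = nothing found)."""
    return max((f.level for f in scan(text)), default=0)

# Constructed sample record; the ID and card numbers are synthetic test values.
SAMPLE = ("customer id 11010519491231002X, card 4111111111111111, "
          "phone 13800138000, marked internal only")
```

A record is graded at the highest level of anything found in it, so one valid ID number is enough to lift an otherwise harmless record to level 4.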
5. Protection Measures and Recommendations
Data classification and grading ensure that low‑trust users cannot access sensitive data while avoiding unnecessary protection for non‑critical data.
The three pillars of data security governance are people, processes, and technology.
5.1 Organizational Conditions
Decision‑making layer: defines data strategy, approves and coordinates classification work.
Management layer: builds the complete system, allocates resources, establishes control mechanisms, and evaluates effectiveness.
Execution layer: implements the system, handles day‑to‑day classification, grading, and technical enforcement.
5.2 Institutional Conditions
Policies should cover objectives and principles, roles and responsibilities, methods and requirements, daily management procedures, result review and release mechanisms, performance evaluation, and record‑keeping.
5.3 Recommendations
Adopt a group‑level and subsidiary‑level classification framework.
Prioritize practical master‑data and indicator‑data classification.
Develop reusable materials, equipment, and indicator frameworks.
Support sharing needs across different hierarchy levels.
Encourage influential member units to join the standardization effort.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Data Thinking Notes
Sharing insights on data architecture, governance, and middle platforms, exploring AI in data, and linking data with business scenarios.