Mastering Data Classification: A Practical Guide to Secure Data Grading
This article outlines the evolution of data security in China, explains why data classification and grading are central to governance, and provides a step‑by‑step framework, principles, implementation details, adjustment triggers, and practical reflections for building effective data protection strategies.
1. Background Overview
Data security has developed in China for many years, from the 2018 local big‑data security regulations to the 2021 national Data Security Law and Personal Information Protection Law, and the recent establishment of regional data bureaus, reflecting strong governmental emphasis on data protection.
Data classification and grading are the core of data security governance, as highlighted by Gartner’s framework, the DSMM model, and the national standard GB/T 43697‑2024 that guides classification work.
2. Implementation Process
Based on standards and project experience, data classification and grading typically follow these steps:
Define objectives: determine data scope and inventory assets.
Develop strategy: create a classification‑grading framework referencing business needs, data attributes, and relevant standards.
Review framework: audit the classification‑grading framework.
Execute classification‑grading: use tools to apply the approved framework and produce a classification list.
List review: audit the resulting classification list.
See the flow diagram below.
3. Classification‑Grading Principles
Legal compliance: follow laws, regulations, and supervisory requirements, prioritizing categories defined by statutes. In health data, categories include emerging business, basic information, public health, family planning, medical services, medical insurance, drug management, and comprehensive management, further divided into personal attributes, health status, medical application, payment, resource, and public health data.
Clear grading: each level must have distinct boundaries and corresponding protection measures.
Highest‑level‑wins: when a dataset contains items of different levels, assign the highest level to the entire set.
Dynamic adjustment: periodically review and adjust classifications as policies, risks, business contexts, or industry rules change.
Security focus: classify in a way that makes security controls easy to apply.
4. Implementation Details
4.1 Asset Inventory
Identify data assets, considering data type (structured vs. unstructured), lifecycle stages (collection, transmission, storage, processing, sharing, destruction), business attributes, and tool‑specific information.
4.2 Develop Classification‑Grading Strategy
Map assets to legal requirements and internal policies, then define categories (e.g., personal information, personal health data, medical application data) and assign levels (commonly four, but can be three or five based on needs).
4.3 Review Strategy
Obtain stakeholder approval for the classification‑grading strategy and refine it as necessary.
4.4 Conduct Classification‑Grading
Load the approved strategy into an automated tool, run scans against the asset inventory, generate a “Data Resource Classification‑Grading List,” and iterate based on review feedback.
After classification, create protection policies based on the results.
5. Grading Adjustments
Re‑grade data when any of the following occurs: content changes, lifecycle or usage changes, data merging, regulatory updates, or other situations that affect the appropriate security level.
6. Reflections on the Process
1. Should the entire data estate be classified? Ideally yes, but when data volume is large, prioritize sensitive data first and expand later.
2. How to handle data that sits on classification boundaries? Use cross‑classification: assign the item to both the medical and the personal dimension (for example, a “medical personal information” class) so that requirements such as HIPAA are satisfied from either side.
3. How to enforce security controls after grading? Apply encryption, masking, watermarking, DLP, etc., tailored to specific usage scenarios like sharing or display, rather than a one‑size‑fits‑all approach.
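As an added illustration (not the article's or Deske's own tool), the Python below applies a classification‑grading strategy to a small asset inventory and shows the highest‑level‑wins rule, cross‑classification, and scenario‑specific controls described above; the field names, categories, level names, and control matrix are constructed assumptions.

```python
# Added example (not the article's own tool): apply a classification-grading
# strategy to a constructed asset inventory, aggregate a dataset's level with
# the highest-level-wins rule, and map the result to scenario-specific controls.
from dataclasses import dataclass

# Four levels, the common choice named in the article; larger = more sensitive.
LEVELS = {1: "public", 2: "internal", 3: "confidential", 4: "core"}

# Constructed strategy: each field name maps to one or more (category, level)
# pairs; a field with several pairs is cross-classified (medical + personal).
STRATEGY = {
    "patient_name": [("personal information", 3), ("medical personal information", 3)],
    "national_id":  [("personal information", 4)],
    "diagnosis":    [("personal health data", 4), ("medical personal information", 4)],
    "visit_date":   [("medical application data", 2)],
    "bed_count":    [("resource data", 1)],
}

# Constructed control matrix: (level, usage scenario) -> required controls.
CONTROLS = {
    (4, "sharing"): ["encryption", "DLP"],
    (4, "display"): ["masking", "watermarking"],
    (3, "sharing"): ["encryption"],
    (3, "display"): ["masking"],
}

@dataclass(frozen=True)
class Grade:
    categories: frozenset
    level: int

def grade_field(name):
    """Grade one field from the strategy. An unknown field defaults to the
    highest level so an unclassified asset is never under-protected."""
    pairs = STRATEGY.get(name)
    if not pairs:
        return Grade(frozenset({"unclassified"}), max(LEVELS))
    return Grade(frozenset(c for c, _ in pairs), max(lvl for _, lvl in pairs))

def grade_dataset(field_names):
    """Highest-level-wins: the whole set takes the highest field level and the
    union of field categories. The same rule re-grades two merged datasets."""
    grades = [grade_field(n) for n in field_names]
    cats = frozenset().union(*(g.categories for g in grades))
    return Grade(cats, max(g.level for g in grades))

def required_controls(level, scenario):
    """Controls for a level in a usage scenario; levels 1-2 need none here."""
    return CONTROLS.get((level, scenario), [])

if __name__ == "__main__":
    ds = grade_dataset(["visit_date", "bed_count", "patient_name"])
    print(LEVELS[ds.level], sorted(ds.categories), required_controls(ds.level, "display"))
```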
Source: Deske Security Classroom
This article has been distilled and summarized from source material, then republished for learning and reference.