Mastering Data Classification & Grading: Ziroom’s Compliance Blueprint

This article explains how Ziroom implements a comprehensive data classification and grading system to meet the 2021 Data Security Law, improve risk management, optimize security resources, and boost user trust through automated tools, multi‑level categorization, and continuous manual verification.

Ziru Technology

Background

On September 1, 2021, the Data Security Law came into effect, mandating a national data classification and grading protection system. Ziroom, a large service company handling massive volumes of user and business data, must classify and grade its data assets and apply appropriate security controls to comply with the law.

Value of Data Classification & Grading

Compliance and risk management – ensures legal compliance, reduces regulatory risk, and enables targeted risk mitigation.

Optimized data security management – focuses resources on high‑value data, improves storage and handling decisions, and lowers leakage risk.

Enhanced user trust and privacy protection – safeguards personal information, increasing user confidence and loyalty.

Overall Practice

Ziroom builds a classification‑grading standard, uses automated labeling tools for structured and semi‑structured data, and then validates the results manually to produce final classification outcomes.

Data Classification

Data is divided into five categories:

A – Business Data: property listings, order transactions, operational statistics.

B – Technical Data: network device info, system accounts, environment configurations.

C – Finance & HR Data: financial reports, personnel records.

D – Personal Information: user identities, employee details.

E – Other Data: company policies, publicly available information.

Field‑Level Classification

The process consists of two matching rounds:

The first round uses regular expressions to assign a score to each field based on pattern matches.

The second round applies NLP tools (NER, jieba segmentation, Doc2Vec) to improve matching for address and name data, adding an information‑richness score.

A type‑attribute table (e.g., phone, tel) provides additional parameters. Scores from both rounds and the attribute table are aggregated to determine the most probable data class for each field.
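The first matching round and the type‑attribute table described above, sketched as an added Python example that is not Ziroom's code. The regexes, column‑name hints, weights, threshold, and the mapping of each type to categories B and D are assumptions, and the NLP round is omitted.

```python
import re

# Assumed rule table: regexes, column-name hints and weights are illustrative,
# not Ziroom's. "category" uses the article's A-E letters.
TYPES = {
    "phone":   {"regex": r"1[3-9]\d{9}", "hints": {"phone", "tel", "mobile"}, "category": "D"},
    "id_card": {"regex": r"\d{17}[\dXx]", "hints": {"idcard", "idno", "cert"}, "category": "D"},
    "email":   {"regex": r"[\w.+-]+@[\w-]+(\.[\w-]+)+", "hints": {"email", "mail"}, "category": "D"},
    "ipv4":    {"regex": r"(\d{1,3}\.){3}\d{1,3}", "hints": {"ip", "ipaddr"}, "category": "B"},
}
VALUE_WEIGHT, NAME_WEIGHT, THRESHOLD = 0.7, 0.3, 0.5  # assumed weights and cut-off


def score_field(name, samples):
    """Score one column against every type: share of sampled values that fully
    match the regex, plus a bonus when a token of the column name is a hint."""
    values = [str(v).strip() for v in samples if v is not None and str(v).strip()]
    tokens = set(re.split(r"[^a-z0-9]+", name.lower()))
    scores = {}
    for type_name, spec in TYPES.items():
        pattern = re.compile(spec["regex"])
        # fullmatch: an 18-digit ID number must not count as an 11-digit phone
        hits = sum(1 for v in values if pattern.fullmatch(v))
        ratio = hits / len(values) if values else 0.0
        hint = 1.0 if tokens & spec["hints"] else 0.0
        scores[type_name] = round(VALUE_WEIGHT * ratio + NAME_WEIGHT * hint, 3)
    return scores


def classify_field(name, samples):
    """Return (type, category, score); below THRESHOLD the field is left
    unclassified so it goes to manual verification."""
    scores = score_field(name, samples)
    best = max(scores, key=scores.get)
    if scores[best] < THRESHOLD:
        return ("unclassified", None, scores[best])
    return (best, TYPES[best]["category"], scores[best])


if __name__ == "__main__":
    # Constructed sample columns (not real data)
    columns = {
        "contact_tel": ["13800000000", "13900000001", "", None, "n/a"],
        "col7": ["000000190001010001", "00000019000101000X"],
        "host_ip": ["10.0.0.1", "192.168.1.20"],
        "user_mobile": [],
    }
    for col, vals in columns.items():
        print(col, classify_field(col, vals))
```

A column with a suggestive name but no sampled values (`user_mobile` here) stays below the threshold and is routed to manual review instead of being labeled on the name alone.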

Table‑Level Classification

Metadata such as table comments, field information, and creation and modification timestamps is retrieved. Combined with the field‑level results, tables are classified (e.g., business table, technical table) and labeled as active or dormant based on usage patterns.

Database‑Level Classification

Table classifications are aggregated to assign an overall category to each database, forming a database‑level classification table.

Data Grading

Data is graded into four security levels based on sensitivity, legal requirements, business impact, and risk:

L1 – Top Secret: extremely sensitive data (e.g., financial or authentication data).

L2 – Secret: data whose loss could negatively affect operations.

L3 – Internal: non‑public information such as internal manuals.

L4 – Public: freely disclosed data like marketing materials.

Grading criteria consider legal mandates, data value/impact, and risk assessment.

Automated Grading Method

Initial scores are derived from database context and team ownership. These are combined with metadata (record counts, timestamps) and the grading table to compute final grades, prioritizing higher scores. Recommendations for security measures accompany each grade.

Long‑Term Operation

Automation accelerates initial classification and grading, but manual verification remains essential to correct errors, handle special cases, and refine rule models. Continuous monitoring, rule adjustment, and periodic re‑evaluation ensure the classification system stays accurate, compliant, and aligned with evolving business needs.
