Data Classification and Retention Policy: Points to Consider While Framing a Retention Policy (GDPR)

Data classification, in general, is the labeling of data, and the protection of that data, based on its sensitivity and on how much impact a breach of it would have on the organization. It has two parts: the type under which the data is classified, and the risk that the data carries.

Data type classification can be customized based on the customer we work for; however, data risk classification is universal and common to most organizations, with levels such as PUBLIC, INTERNAL, RESTRICTED, SENSITIVE and SECRET.

Eg: Customer PII / SPI data >> The type this data is classified under is Customer Data, and the risk it carries is Confidential (which in turn is either Restricted or Sensitive).

What is Data Retention?

Data retention is the activity or process of retaining data that is genuinely required for business use. Any data that is not required, or that has passed its period of use, should be appropriately removed from the system: it should be either anonymized or deleted, based on the approach agreed by the business. With respect to data retention, once the business has concurred on the approach, the main decision, to be taken by the business, is how long the data is to be retained before it is deleted or anonymized.

Eg: Customer Personal / Sensitive Data >> The retention period that can be set for this kind of data is 7 years; however, if it is medical data, then the data can be held for 7 years after the end date/lapse date. After that the data will be deleted or anonymized.

How to perform Data Classification (Type and Risk)

1.    Obtain the database schema for the application for which data classification needs to be performed.
2.    The database schema should contain the DB name, table name, column name, data type, length and column description.
3.    The above fields are mandatory for an accurate data classification.
4.    Each field needs to be classified by type and by risk, considering the risk it poses to the business.
5.    The risk of each item must be classified as Public, Internal, Confidential or Secret.
6.    Any personal or sensitive data, such as Name, Address, Email ID, Telephone#, Mobile#, or any information that can be used to identify an individual, should be classified as either Sensitive or Confidential.
7.    Any system-related information should be classified as Internal.
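As an added illustration of the classification steps above and of the retention example given earlier (this is example code written for this page, not a TCS tool), the script below takes schema rows with the mandatory fields, assigns each a type and risk class, and computes the deletion/anonymization deadline. The keyword tables, the class names beyond those in the article, and the sample schema rows are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Hypothetical keyword tables (an assumption of this example): name/description fragments marking personal or system data.
PII_KEYWORDS = ("name", "address", "email", "telephone", "phone", "mobile", "birth")
SYSTEM_KEYWORDS = ("created_by", "updated_at", "hostname", "server", "version")

@dataclass  # one row of the schema extract: the fields the article calls mandatory
class Column:
    db: str
    table: str
    name: str
    data_type: str
    length: int
    description: str

def classify(col: Column) -> Tuple[str, str]:
    """(type, risk) for one field. Personal data is checked first so a field matching both
    tables takes the higher risk; unmatched fields default to Internal, never Public."""
    text = f"{col.name} {col.description}".lower()
    if any(k in text for k in PII_KEYWORDS):
        return "Customer Data", "Confidential"
    if any(k in text for k in SYSTEM_KEYWORDS):
        return "System Data", "Internal"
    return "Business Data", "Internal"

def classify_schema(rows):
    """Classify every row; returns (db.table.column, type, risk) tuples."""
    return [(f"{c.db}.{c.table}.{c.name}", *classify(c)) for c in rows]

def add_years(d: date, years: int) -> date:
    """Add whole years; 29 Feb becomes 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retention_deadline(record_date: date, medical: bool, end_date: Optional[date], years: int = 7) -> date:
    """Date after which the record is deleted or anonymized: `years` from the record
    date, or from the end/lapse date for medical data, as in the article's example."""
    anchor = end_date if (medical and end_date is not None) else record_date
    return add_years(anchor, years)

# Constructed sample schema rows (not from any real system).
SAMPLE_SCHEMA = [
    Column("crm", "customer", "email_id", "varchar", 120, "Customer e-mail"),
    Column("crm", "order", "order_total", "decimal", 12, "Order value"),
    Column("crm", "order", "updated_at", "timestamp", 0, "Row last update time"),
]
```

Run `classify_schema(SAMPLE_SCHEMA)` on a real schema extract to produce the first draft of the classification sheet that the business and SMEs then review.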

Points to be considered or gathered while creating a retention policy

1.    Obtain the application architecture.
2.    Understand whether the application taken for assessment is standalone or linked to any upstream and downstream systems.
3.    Understand the upstream and downstream flow of the data.
4.    Understand what type of data is stored in the application and how the data flows between applications.
5.    Understand how long the application has been in use and how many years of data reside in it.
6.    Check whether any report or data is downloaded from the application and saved to a file location.
7.    Understand whether those file locations are the primary storage location for the project.
8.    Discuss with the business and SMEs the data flow and the data that is considered critical in the application.
9.    Understand from the business the retention period that would be appropriate for retaining the data.
10.   Also discuss with the business the approach to be carried out.
11.   Below is the flow diagram of the data flow and references to the data.
In order to have the data retention and classification policy created, we need to make sure that the assessor completes the data classification and retention guidelines. Once that is done, they have to be discussed with the business. The document needs to be circulated to the business to obtain concurrence on the retention policy and the retention rule specified, along with the approach. Once the business has approved the document, it should also be approved by the IT application owner, the Security Manager and the Data Protection Officer.

Once all the approvals are obtained, the document should be handed over to the remediation team for implementation. In the meantime, it is the responsibility of the assessor to walk the development team through the application architecture and the data inflow and outflow, so that they gain a better understanding and can proceed with the deployment seamlessly.

Authored By - Anitha Raju
TCS Cyber Security Practice
