GDPR is the "General Data Protection Regulation" (Regulation (EU) 2016/679), a European Union regulation that gives effect to Article 8 of the EU's Charter of Fundamental Rights, "Protection of personal data."
To whom does GDPR apply?
GDPR applies to all entities that process personal data in the context of an establishment in the EU, and to entities outside the EU that process personal data of individuals who are in the EU when offering them goods or services or monitoring their behaviour. Note that the scope is tied to data subjects being in the EU, not to their citizenship: a non-EU citizen living in the EU is protected, and an EU citizen living abroad generally is not.
What is meant by personal data?
Personal data is any information relating to an identified or identifiable natural person. A person is identifiable if they can be identified, directly or indirectly, by reference to an identifier such as a name, an ID number, location data, an online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
What is meant by processing?
Processing is any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
What does GDPR say about data classification?
GDPR does not explicitly mention data classification, and classifying your data is not a GDPR requirement. However, several articles are still relevant to it.
Art 30: Records of processing activities. The controller and the processor must maintain records of their processing activities: what personal data is processed, for what purposes, who receives it, and where it is kept. This means an overview of everywhere they hold personal data. If someone is storing Excel sheets full of personal data for analysis purposes, the data controller needs to be aware of this.
Art 32: Security of processing. The controller and processor must implement appropriate technical and organizational measures to protect the data, including the ability to ensure the ongoing confidentiality, integrity, and availability of processing systems and services. This is where data classification comes in: if you do not know a document's confidentiality level, how can you ensure you are protecting it accordingly?
Art 15: Right of access. The data subject has the right to know whether the data controller is processing their personal data, which categories of personal data, and for what purpose. This means that the data controller must have an overview of the kinds of personal data it processes. With unstructured data this is difficult, so classifying documents can help give the data controller back that overview and control.
Art 16: Right to rectification. The data subject has the right to have inaccurate personal data corrected. This includes copies held in unstructured formats, so that the integrity of the information is maintained everywhere it exists.
Art 17: Right to erasure. The data subject has the right to be forgotten, that is, to have their personal data erased, for example when it is no longer necessary for the purpose it was collected for or has been processed unlawfully. This covers all copies, including those in unstructured formats.
Art 18: Right to restriction of processing. The data subject has the right to have processing of their data restricted in certain situations, for example while the accuracy of the data is being contested or while an objection to the processing is being assessed. Restricted data may then only be stored, not otherwise processed, until the matter is resolved.
Summary: Although data classification is not a requirement in GDPR, having data classification helps meet other obligations, such as keeping an overview of where personal data is held and protecting it according to its classification.