Why a “one-size-fits-all” approach to data classification won’t deliver in an era of enhanced regulation - Image by Gerd Altmann from Pixabay In 2018 the European GDPR irrevocably changed the whole data privacy landscape. Since then, other countries have released their own privacy regulations, such as CCPA, CMMC, and India PDP. A couple of weeks ago, the Colorado Governor signed the Colorado Privacy Act (CPA) into law. It is the latest in the recent wave of state privacy legislation in the US and unlikely to be the last. The CPA will take effect on July 1, 2023. Just six months after Virginia’s Consumer Data Protection Act (CDPA) and the California Privacy Rights Act (CPRA) become effective.

Following the implementation of such data protection and privacy regulations, there have been plenty of high-profile cases and fines issued. It further underpins the need to ensure sensitive information is handled correctly. It also reinforces that this is a government requirement that organisations can no longer ignore.

For example, this month, British Airways settled a legal claim from some of the 420,000 people affected by a major 2018 data breach. The breach affected both customers and BA staff and included names, addresses, and payment card details. The UK Information Commissioner’s Office handed BA its largest fine to date – £20m –over the “unacceptable” failure to protect customers.

Understanding what data you have

It has resulted in organisations shoring up their data protection policies and procedures with a plethora of solutions. Data classification is often viewed as the foundation of any data protection strategy. This is because a data classification policy will help organisations understand what data is sensitive, who should have access to it, and whether they should be holding, archiving, or deleting the information.

According to analyst organisation Forrester Research, “If you don’t know what you have, where it is, and why you have it, you can’t expect to apply the appropriate policies and controls to protect it.” Additionally, Gartner advises organisations to “Focus on controls that broadly address the problem. It includes implementing people-centric security and data classification. These controls are the foundation upon which additional controls can be built.”

However, in today’s growing threat landscape, and as a result of expanded business ecosystems, there is no one single solution or silver bullet that can fully protect your data. Data-centric security requires a layered approach to provide comprehensive data protection where you need it most. In conjunction with data classification,  powerful security solutions such as data loss prevention, email security, secure file transfer, encryption, and digital rights management help create a more robust data protection strategy.

Why a “one-size-fits-all” solution isn’t enough

That said, there are vendors who advocate and offer a “one-size-fits-all” solution. Most of these solutions typically provide basic classification functionality, such as labelling. However, most organisations now need a more granular classification approach in an era of enhanced regulation obligation.

Take Microsoft Information Protection (MIP). It is aimed principally at applying Rights Management rules to individual pieces of data and a heavyweight application of encryption techniques. MIP provides a level of data classification that may be satisfactory for meeting certain legislation or for businesses outside highly regulated industries.

However, as many organisations are now finding out, modern-day data protection legislation, especially as new and evolving regulation continues to be introduced, typically requires enhanced or combined functionality to remain compliant. For example, labelling with MIP has its limitations. It, therefore, makes sense to integrate a best-of-breed classification solution that works with MIP to hit the higher expectations of the regulators.

Likewise, protecting data costs money. It is vital to create a solution that delivers the right approach. It also needs to help organisations differentiate between data that requires a high level of protection and other, less critical data pools that do not. Treating all data equally, as if it was all the Crown Jewels, and using RMS to encrypt and apply post-delivery controls because there simply isn’t a reliable method of assessing an individual data file’s value, is expensive and inefficient.

Taking a more granular approach to data classification

We have seen how compliance is a growing challenge. It is better to take a more granular approach. Combine a data classification solution that can provide the foundational expertise, together with regulatory knowledge. This ensures you can accurately deliver the data security required against all the different data categories.

Organisations should choose a powerful, flexible solution that grows with the business as requirements change and classification policies adapt. More basic solutions may limit future flexibility.

Data classification plays a pivotal role. It’s critical that classification technology can integrate and interoperate with a wide range of complementary security and data management solutions.

It ultimately means that businesses need coverage beyond basic Office applications. They also require a solution that considers regulatory and essential business requirements for internal and departmental use. Comprehensively classified documents enhance the performance of these downstream security tools. They enforce controls, reduce false positives and provide an audit trail for regulators.

It ultimately means that businesses need coverage beyond basic Office applications. They also require a solution that considers regulatory and essential business requirements for internal and departmental use. Comprehensively classified documents enhance the performance of these downstream security tools. They enforce controls, reduce false positives and provide an audit trail for regulators.

Looking at the bigger picture

Organisations must look at the bigger picture when thinking about their requirements. It means adopting a solution that delivers a fully customisable experience. It must ensure data is protected exactly how it needs to be to maintain regulatory compliance. The solution should also have the agility and responsiveness to change as customer demands evolve.

Here at HelpSystems, we have over 35 years of experience working with customers to rapidly develop software products that meet their exacting needs and those of an increasingly demanding regulated marketplace.  Titus data classification is fully compatible and interoperable with MIP. It adds significant value to the labelling. This means that organisations can incorporate elements of MIP and enhance that functionality with Titus.

By combining the best of a mass-market product in MIP, incorporating Azure RMS and best-of-breed classification in Titus, organisations get significant additional value from a premier classification capability. Taking a combined approach to enterprise information protection with enhanced data classification at the core enables policy issues and integration requirements to be tackled together. It delivers maximum value for the business. Organisations can meet their classification challenges both today and those that will be introduced around the corner.

If you are interested in reading more about why you need best-of-breed data classification, why not download our paper: Enterprise Data Classification – Enhancing Microsoft MIP in An Era of Regulatory Obligation.


titus Logo as of Mar 2021Titus is synonymous with world-class data classification and our solutions are key components of HelpSystems’ robust data security portfolio.

Titus solutions are trusted by millions of users in over 120 countries around the world, including top military, government and Fortune 100 organizations. With the addition of data identification and advanced machine learning technologies, Titus has evolved into a global leader in enterprise-grade data protection solutions.


Please enter your comment!
Please enter your name here