Why a one size fits all approach to data classification won’t deliver in an era of enhanced regulation

By Adam Strange, HelpSystems

In 2018 the European GDPR irrevocably changed the whole data privacy landscape. Since it was implemented, there have been a host of other privacy regulations such as CCPA, CMMC, and India PDP, coming into force around the world.

In fact, just a couple of weeks ago the Colorado Governor signed the Colorado Privacy Act (CPA) into law, the latest in the recent wave of state privacy legislation in the US and unlikely to be the last. The CPA will take effect July 1, 2023, six months after Virginia's Consumer Data Protection Act (CDPA) and the California Privacy Rights Act (CPRA) become effective.

Following the implementation of such data protection and privacy regulations, there have been plenty of high-profile cases and fines issued. This further underpins the need to ensure sensitive information is handled in the correct manner and reinforces that this is a government requirement that organisations can no longer ignore. 

For example, just this month British Airways settled a legal claim from some of the 420,000 people affected by a major 2018 data breach. The breach affected both customers and BA staff and included names, addresses, and payment-card details. The UK Information Commissioner's Office handed BA its largest fine to date - £20m - over the "unacceptable" failure to protect customers.

Understanding what data you have

As a result, organisations are shoring up their data protection policies and procedures with a plethora of solutions, and data classification is often viewed as the foundation to any data protection strategy. This is because a data classification policy will help organisations understand what data is sensitive, who should have access to it, and whether they should be holding, archiving, or deleting the information.

According to analyst organisation Forrester Research, "If you don't know what you have, where it is, and why you have it, you can't expect to apply the appropriate policies and controls to protect it."

Additionally, Gartner advises organisations to "Focus on controls that broadly address the problem, such as implementing people-centric security and data classification. These controls are the foundation upon which additional controls can be built."

However, in today's growing threat landscape, and as a result of expanded business ecosystems, there is no one single solution or silver bullet that can fully protect your data. Data-centric security requires a layered approach to provide comprehensive data protection where you need it most. In conjunction with data classification, powerful security solutions such as data loss prevention, email security, secure file transfer, encryption, and digital rights management help to create a more robust data protection strategy.

Why a "one-size-fits-all" solution isn't enough

That said, there are vendors who advocate and offer a "one-size-fits-all" solution. Most of these solutions provide only basic classification functionality, such as labelling, but more often than not, and especially in an era of enhanced regulatory obligation, organisations now need a more granular classification approach.

Take Microsoft Information Protection (MIP), which is aimed principally at applying Rights Management rules to individual pieces of data, together with a heavyweight application of encryption. MIP provides a level of data classification that may well be entirely satisfactory for meeting certain legislation, or for businesses outside highly regulated industries.

However, as many organisations are now finding out, modern-day data protection legislation, especially as new and evolving regulation continues to be introduced, typically requires enhanced or combined functionality to remain compliant. Labelling with MIP, for example, has its limitations, so it makes sense to integrate a best-of-breed classification solution that works with MIP to meet the higher expectations of the regulators.

Likewise, protecting data costs money, so it is vital to create a solution which delivers the right approach and helps organisations to differentiate between data that requires a high level of protection and other, less critical data pools that do not. Treating all data equally, as if it were all the Crown Jewels, and using RMS to encrypt everything and apply post-delivery controls simply because there is no reliable method of assessing an individual data file's value, is expensive and inefficient.
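To make the tiered approach concrete, here is an added Python example written for this page; it is not HelpSystems, Titus or Microsoft code. It implements the kind of classification policy described above (decide what is sensitive, record why, and map each tier to handling controls) so that only the top tiers incur RMS encryption and external-email blocking. The four sensitivity tiers, the detection rules, the handling table and the retention periods are assumptions made for illustration, and the sample documents are constructed. The payment-card rule applies a Luhn check to candidate digit runs so that order numbers and similar identifiers do not trigger the highest tier, which is the false-positive reduction that good classification gives downstream DLP tools.

```python
import re
from enum import IntEnum


class Sensitivity(IntEnum):
    """Assumed four-tier scheme; higher value means stricter handling."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Assumed, illustrative handling policy per tier (not any vendor's default):
# only the two top tiers pay the cost of RMS encryption.
HANDLING = {
    Sensitivity.PUBLIC:       {"rms_encrypt": False, "block_external_email": False, "retention_days": 365},
    Sensitivity.INTERNAL:     {"rms_encrypt": False, "block_external_email": True,  "retention_days": 730},
    Sensitivity.CONFIDENTIAL: {"rms_encrypt": True,  "block_external_email": True,  "retention_days": 2555},
    Sensitivity.RESTRICTED:   {"rms_encrypt": True,  "block_external_email": True,  "retention_days": 90},
}

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HR_TERMS = ("salary", "passport", "national insurance")   # assumed keyword list
INTERNAL_MARKER = "internal use only"                      # assumed marking


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return candidate card numbers (separators stripped) that pass Luhn."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(text: str) -> tuple[Sensitivity, list[str]]:
    """Return the highest tier any rule fires, plus the reasons for the audit trail."""
    label = Sensitivity.PUBLIC
    reasons = []
    lower = text.lower()
    if find_pans(text):
        label = max(label, Sensitivity.RESTRICTED)
        reasons.append("payment card number (Luhn-valid)")
    if EMAIL.search(text) or any(term in lower for term in HR_TERMS):
        label = max(label, Sensitivity.CONFIDENTIAL)
        reasons.append("personal data")
    if INTERNAL_MARKER in lower:
        label = max(label, Sensitivity.INTERNAL)
        reasons.append("internal marking")
    return label, reasons


def classify_corpus(docs: dict[str, str]) -> dict[str, tuple[Sensitivity, list[str]]]:
    return {name: classify(text) for name, text in docs.items()}


def rms_count(labels) -> int:
    """How many documents the tiered policy actually sends through RMS encryption."""
    return sum(1 for lab in labels if HANDLING[lab]["rms_encrypt"])


# Constructed sample documents; the card number is the well-known test PAN.
DOCS = {
    "press_release": "HelpSystems announces new features on 1 July 2023. Contact the press office.",
    "order_note": "Order 1234 5678 9012 3456 shipped to warehouse 7. Internal use only.",
    "payment_record": "Customer paid with card 4111 1111 1111 1111, expiry 12/25.",
    "hr_note": "Employee j.bloggs@example.com: salary review scheduled, passport copy on file.",
}

if __name__ == "__main__":
    results = classify_corpus(DOCS)
    for name, (label, reasons) in results.items():
        print(f"{name:15} {label.name:13} {HANDLING[label]}  because: {reasons}")
    print("documents needing RMS under tiered policy:",
          rms_count(lab for lab, _ in results.values()), "of", len(DOCS))
```

Run as a script, it prints one line per document with its tier, the controls that apply and the rules that fired, then shows that only two of the four documents need RMS encryption under the tiered policy, against four if everything were treated as the Crown Jewels. The order note contains a 16-digit number that fails Luhn, so it stays at the internal tier rather than being escalated.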

Taking a more granular approach to data classification

We have seen how compliance is a growing challenge. It is also becoming essential to take a more granular approach: combining a data classification solution that provides the foundational expertise with the regulatory knowledge needed to deliver accurately the data security required for each of the different data categories.

Above all, organisations should choose a solution that is powerful, flexible and can grow with the business as requirements change and classification policies adapt in response. More basic solutions may limit future flexibility.

Given the pivotal role of data classification, it is critical that any classification technology can integrate and interoperate with a wide range of complementary security and data management solutions.

This ultimately means that businesses need both coverage beyond basic Office applications and a solution that takes into consideration not just the regulatory requirements, but also the essential business requirements for internal and departmental use. Comprehensively classified documents enhance performance of these downstream security tools, enforcing controls, reducing false positives and providing an audit trail for regulators.

Looking at the bigger picture

Overall, it is important that organisations look at the bigger picture when thinking about their requirements. This means adopting a solution that not only delivers a fully customisable experience and ensures data is protected exactly how it needs to be to maintain regulatory compliance, but a solution that also has the agility and responsiveness to change as customer demands evolve.

Here at HelpSystems, we have over 35 years' experience in working with customers to rapidly develop software products that meet both their exacting needs and those of an increasingly demanding regulated marketplace. 

The good news is that Titus data classification is fully compatible and interoperable with MIP, adding significant value to the labelling, meaning that organisations can incorporate elements of MIP and enhance that functionality with Titus.

By combining the best of a mass-market product in MIP, incorporating Azure RMS and best-of-breed classification in Titus, this provides organisations with significant additional value from a premier classification capability.

Taking a combined approach to enterprise information protection, with enhanced data classification at the core, enables policy issues and integration requirements to be tackled together to deliver maximum value for the business, ensuring that organisations meet their classification challenges not only today but also those that will be introduced around the corner.

If you are interested in reading more about why you need best-of-breed data classification, why not download our paper: Enterprise Data Classification - Enhancing Microsoft MIP in An Era of Regulatory Obligation.