
Must be encrypted during storage and transmission.
Access is limited to authorized personnel only.
Must not be shared outside the organization without proper authorization.
Must be stored in secure locations with access controls.
1. Data Classification
- Must be encrypted during storage and transmission.
- Access is limited to authorized personnel only.
- Must not be shared outside the organization without proper authorization.
- Must be stored in secure locations with access controls.
- Must be encrypted during storage and transmission.
- Access is limited to authorized personnel only.
- Must not be shared outside the organization without proper authorization.
- Must be stored in secure locations with access controls.
- Description: Data that is less sensitive than confidential data but still requires protection due to its importance to the organization.
- Examples: Internal communications, non-public project documentation, internal memos.
- Handling Requirements:
Should be protected with access controls.
Must be encrypted during transmission.
Access is restricted to relevant departments or individuals.
May be shared internally as needed, but not outside the organization without proper authorization.
- Should be protected with access controls.
- Must be encrypted during transmission.
- Access is restricted to relevant departments or individuals.
- May be shared internally as needed, but not outside the organization without proper authorization.
- Should be protected with access controls.
- Must be encrypted during transmission.
- Access is restricted to relevant departments or individuals.
- May be shared internally as needed, but not outside the organization without proper authorization.
- Description: Data that is intended for public disclosure and poses minimal risk if accessed by unauthorized individuals.
- Examples: Marketing materials, press releases, publicly available financial reports.
- Handling Requirements:
No specific access controls are required.
May be freely shared and distributed both internally and externally.
- No specific access controls are required.
- May be freely shared and distributed both internally and externally.
- No specific access controls are required.
- May be freely shared and distributed both internally and externally.
How To Implement It Once you define your Data Classification standards, it’s important to start educating your employees on it and labelling data where applicable. For example, say you have a Cloud environment to host your application (e.g. Google Cloud Platform, Azure, AWS); you can create tags (such as the following) to tag resources to get an idea of the types of data classification it handles. The following is an example of a CLI command for GCP for how such a tag structure can look for GCP resources:
$ gcloud compute instances add-labels INSTANCE_NAME --labels=Owner="John Smith",DataType="Confidential",Environment="Production"$ gcloud compute instances add-labels INSTANCE_NAME --labels=Owner="John Smith",DataType="Confidential",Environment="Production"2. Data Retention
Data retention involves setting policies for how long different types of data should be stored before being deleted or archived. This ensures that data is kept only as long as it is helpful or required by law. If you do business in Europe or specific states, you may be subject to additional requirements (e.g. Right to Forget for GDPR) which should be used to determine your data retention schedule. Additionally, this section in your policy should address how often reviews are done to review the policy data – most regulators/auditors will look for mention of annual re-evaluations/updates.
3. Data Disposal
It is equally important to have a clear process for Data Disposal in addition to retention and classification. Data Disposal involves securely getting rid of data and devices. For digital data, this means wiping storage devices or using data destruction software. For physical data, like paper documents, this involves shredding. Devices that are no longer in use and contain organizational data should be wiped of all data before being disposed of. For highly sensitive data, a destruction certificate should be obtained from the disposal vendor or responsible party to confirm that the data has been irretrievably destroyed.
A data retention schedule should be a table within your data management policy (typically included in the appendix) that lists the types of data you hold and the retention period. While this will most likely be easier for service-based companies, this may prove trickier for SaaS companies as there may be third-party dependencies (e.g. third-party APIs which process your user’s data) which may have their own retention schedules. It’s crucial to ask them about their policies and list them within your Data Retention schedule; the following is an example of a Data Retention Schedule from our template.
Creating a Data Management Policy using WatchDog Security’s Free Policy Manager
Using a free subscription to the WatchDog Security platform, you can leverage our policy manager to create and disseminate policies (such as a Data Management Policy) to your team members and have a centralized hub to manage everything. To get started, sign up here. Once you sign up, navigate to Policy Manager and click Create New Policy. Select the Create Using Template option to pre-populate it with various information to help speed up policy development. Edit the highlighted parts of the policy with your organization-accepted parameters and click Publish Policy. Now all the users added via Employee Management will receive the policy to accept in their dashboard.
Turn Your Workforce Into Your Strongest Defense
Your employees are the #1 target — and businesses face constant risk from AI deepfakes, misconfigurations, and more. Start today with our unified trust, compliance, and security platform, free-for-life, and get access to:
- Cybersecurity training – 50+ animated micro-courses
- Unlimited employees on the free plan – no credit card required
- Policy, risk, and vendor management -publish, distribute, and track with ease
- Inventory manager -track, categorize and organize all your assets
Get started free today – no credit card required.
Additional Resources
Data Management Policy Template for CIS Control 3 (CIS Center for Internet Security)

