organizational safety measures
Information classification
Information classification is an organisational safety measure that may be appropriate for a company to take.
Information classification is about dividing the information into different security classes. This makes it easier to make accurate decisions about which security measures the company needs to take to protect the various personal data.
The starting point is that the more important the personal data, the higher the security requirements.
The requirements for appropriate security measures are regulated in Article 32 GDPR.
The principle of integrity and confidentiality requires companies to take appropriate technical and organisational measures to protect the personal data they process. The principle of accountability means that companies must be able to demonstrate that they comply with the GDPR. A written classification of information may therefore be appropriate.
Why is it good to conduct information classification?
There are several advantages to information classification. The company can make it easier to identify which personal data are most worthy of protection. Not all information is equally sensitive, and treating everything in the same way can lead to, for example, excessive security that can be unnecessarily costly. It also makes it easier to direct resources to where they are most needed and determine access levels.
Information classification can, among other things, contribute to meeting the following requirements of the GDPR:
- Integrity and confidentiality in accordance with Article 5(1)(f) GDPR.
- Security of processing in accordance with Article 32 GDPR.
- Data protection by design in accordance with Article 25 GDPR.
- Accountability in accordance with Article 5(2) GDPR.
Divide the information into different classes

1. General/public information
Some personal data can be shared publicly, and this is usually the least sensitive information. For example, profile pictures of brokers published on the agency's website: it is a profession where such publication is common in external communication, such as the brokerage agency's website and social media. The same applies to personal data contained in reports that the company publishes or submits to authorities, where they become public documents.

2. Internal information
There is information that contains personal data that should not be disseminated outside the company. For example, training materials or meeting notes.

3. Protected information
Some information should be accessible only to a limited number of people in the business. For example, customer registers and payroll information. Note that it is often unnecessary for all employees within a company to have access to all personal data processed in order to perform their duties. If a worker does not need access to certain personal data, he or she should not be given it. That is why it is important to manage access rights among employees within the company.

4. Privacy-sensitive personal data
Privacy-sensitive personal data can be divided into four groups. These are 1) personal data relating to criminal convictions and offences, 2) sensitive personal data, 3) personal identity numbers and 4) subjectively privacy-sensitive personal data. However, only the first two are specifically regulated by the GDPR. It is important to be careful to ensure that people who really do not need to have access to such personal data, do not have it. In addition, the company needs to apply high security when storing privacy-sensitive personal data.

5. Subjective privacy-sensitive personal data
Subjectively privacy-sensitive personal data constitutes one of the four groups of privacy-sensitive personal data. However, there is no exact definition. In short, it is personal data that the data subject may feel is privacy-sensitive for someone else to process, even though it is not sensitive under Articles 9-10 of the GDPR. Examples are credit card numbers, ratings, and subjective assessments of results. Companies do, however, commonly process subjectively privacy-sensitive personal data, for example as a basis for documenting employee performance, such as notes from employee appraisals and performance reviews.

6. Sensitive personal data
Sensitive personal data also constitutes one of the four groups of privacy-sensitive personal data. There are specific rules in Article 9 of the GDPR on the processing of sensitive personal data. The main rule prohibits the processing of sensitive personal data such as religious beliefs, political opinions and health data. However, there are exceptions. For example, companies usually process information on employees' sick leave, which is permitted. It is not permitted, however, to send a pay slip containing information on sick leave via unencrypted email, as that is not secure enough.
How can companies work with information classification in practice?
Identification
Start by identifying the types of personal data that the company processes.
Assessment
Evaluate the importance of personal data. Some factors to start from are privacy risks, business risks, what legal requirements exist and what consequences it may entail for the data subjects in the event of unauthorized access.
Classification level
Divide the different personal data into different protection classes based on the assessment.
Documentation
Remember to document the information classification in order to show that the company complies with the GDPR, in accordance with the principle of accountability.
Safeguards
The more important the personal data, the better safeguards the company needs to take. Analyze which personal data needs which safeguards.
Follow up
GDPR compliance is continuous work; follow up the classification regularly and improve it over time.
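The six steps above can be expressed as a small, reproducible policy so that the classification decision, the required safeguards and the check on a proposed disclosure are all written down and testable. The following is an added example written for this page; it is not code from the original page or from any organisation. The protection classes follow the page's taxonomy, but the field inventory, the role clearances, the safeguard sets and the sample pay slip are constructed assumptions that a real company would replace with its own identification and assessment. Unknown fields fail closed: they are treated as privacy-sensitive and reported until they have been assessed.

```python
"""Added example: data classification as code (identify, assess, classify,
document, safeguard, check). All mappings below are constructed assumptions."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Protection classes from the page, ordered so the highest wins."""
    PUBLIC = 1
    INTERNAL = 2
    PROTECTED = 3
    PRIVACY_SENSITIVE = 4


# Steps 1 and 2 (identification + assessment): field name -> assessed category.
# Constructed inventory; a real one is built from the company's own records.
FIELD_CATEGORY = {
    "broker_photo_url": "public",
    "meeting_notes": "internal",
    "customer_email": "protected",
    "salary": "protected",
    "sick_leave_days": "special_category",     # health data, Article 9
    "criminal_record": "criminal_offence",     # Article 10
    "personal_identity_number": "identity_number",
    "performance_review": "subjective",        # subjectively privacy-sensitive
    "credit_card_number": "subjective",
}

CATEGORY_LEVEL = {
    "public": Level.PUBLIC,
    "internal": Level.INTERNAL,
    "protected": Level.PROTECTED,
    "special_category": Level.PRIVACY_SENSITIVE,
    "criminal_offence": Level.PRIVACY_SENSITIVE,
    "identity_number": Level.PRIVACY_SENSITIVE,
    "subjective": Level.PRIVACY_SENSITIVE,
}

# Step 5 (safeguards): the higher the class, the more safeguards (constructed).
SAFEGUARDS = {
    Level.PUBLIC: set(),
    Level.INTERNAL: {"authenticated_access"},
    Level.PROTECTED: {"authenticated_access", "need_to_know"},
    Level.PRIVACY_SENSITIVE: {"authenticated_access", "need_to_know",
                              "encrypted_at_rest", "encrypted_in_transit"},
}

# Highest class each role may receive (constructed). The data subject is
# always cleared for their own data, a simplification for this example.
ROLE_CLEARANCE = {
    "anyone": Level.PUBLIC,
    "broker": Level.INTERNAL,
    "finance": Level.PROTECTED,
    "hr": Level.PRIVACY_SENSITIVE,
    "data_subject": Level.PRIVACY_SENSITIVE,
}


@dataclass(frozen=True)
class Channel:
    name: str
    encrypted_in_transit: bool


def unassessed_fields(record: dict) -> list:
    """Fields that have no entry in the inventory and still need assessment."""
    return sorted(name for name in record if name not in FIELD_CATEGORY)


def classify(record: dict) -> tuple:
    """Step 3: the record's class is that of its most sensitive field.
    Unassessed fields fail closed and count as privacy-sensitive."""
    per_field = {}
    for name in record:
        category = FIELD_CATEGORY.get(name)
        per_field[name] = CATEGORY_LEVEL[category] if category else Level.PRIVACY_SENSITIVE
    return max(per_field.values(), default=Level.PUBLIC), per_field


def classification_document(record: dict) -> dict:
    """Step 4 (documentation): a written record of the decision for accountability."""
    level, per_field = classify(record)
    return {
        "level": level.name,
        "fields": {name: lvl.name for name, lvl in per_field.items()},
        "unassessed": unassessed_fields(record),
        "required_safeguards": sorted(SAFEGUARDS[level]),
    }


def check_disclosure(record: dict, recipient_role: str, channel: Channel) -> list:
    """Check a proposed disclosure against the class's safeguards.
    Returns every violation found; an empty list means the disclosure is allowed."""
    level, _ = classify(record)
    required = SAFEGUARDS[level]
    violations = []
    if "need_to_know" in required and ROLE_CLEARANCE.get(recipient_role, Level.PUBLIC) < level:
        violations.append(f"role '{recipient_role}' is not cleared for {level.name} data")
    if "encrypted_in_transit" in required and not channel.encrypted_in_transit:
        violations.append(f"{level.name} data must not be sent over unencrypted channel '{channel.name}'")
    for name in unassessed_fields(record):
        violations.append(f"field '{name}' is unassessed and is treated as {Level.PRIVACY_SENSITIVE.name}")
    return violations


if __name__ == "__main__":
    payslip = {"salary": 42000, "sick_leave_days": 3}   # constructed sample record
    print(classification_document(payslip))
    print(check_disclosure(payslip, "data_subject", Channel("plain email", False)))
    print(check_disclosure(payslip, "data_subject", Channel("employee portal over TLS", True)))
```

Run as a script, the pay slip (salary plus sick-leave days) is classified as privacy-sensitive because of the health data, and the check rejects sending it over plain email while allowing the encrypted portal, which is the page's own example. The `classification_document` output is what the documentation step asks for: it can be stored and shown to demonstrate how each decision was reached, and the `unassessed` list gives the follow-up step a concrete worklist.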
Internal confidentiality agreements
It is common for companies to want to prevent certain information from reaching people outside the company, or unauthorised persons within it. Employers therefore usually enter into a non-disclosure agreement with employees or include a non-disclosure clause in the employment contract. It is the employees who work with the GDPR in practice and who often process personal data as part of their tasks. Internal confidentiality agreements may be particularly appropriate if employees process sensitive personal data.