Read as
Why this module exists. You cannot protect what you cannot find. Data discovery and classification — knowing where personal / sensitive data lives and tagging it appropriately — is the prerequisite to every downstream data-protection control. This module covers the modern discovery techniques and the classification framework that scales.
Why this module exists. Manual data classification fails. Survey-based “where is sensitive data” produces inventories that miss 40-60% of actual locations. Modern automated discovery + ongoing classification is the workable approach.
The classification framework
A simple, defensible scheme:
| Level | Examples | Treatment |
|---|---|---|
| Public | Marketing material, published API docs | Standard controls |
| Internal | Org charts, internal policies, financial summaries | Access-controlled to employees |
| Confidential | Customer PII, contracts, source code | Need-to-know access, encryption, DLP |
| Restricted | Payment data, Aadhaar, regulated financial info | Restricted access, field-level encryption, full audit, tokenisation |
Four levels balances precision and adoption. More levels (seven, ten) sound rigorous but degrade in practice — users don’t remember which is which.
DPDP Act in your stack?
Get a DPDP gap assessment
Free 30-minute call. We map your data flows against DPDP §8 obligations and tell you exactly which gaps to fix first. Auditor-defensible output.
Book DPDP scoping call
Replies in 4 working hrs · India-only · Senior consultants