The systematic categorisation of personal data by sensitivity level to apply proportionate security controls.
PII (Personally Identifiable Information) classification is the process of identifying, cataloguing, and categorising personal data elements by their sensitivity level. Classification tiers typically include: public, internal, confidential (personal), sensitive (financial/health), and restricted (special category/children). Each tier maps to specific security controls, access restrictions, encryption requirements, and retention policies. Under DPDPA, proportionate safeguards must match data sensitivity.
Without proper classification, you either over-protect everything (expensive) or under-protect sensitive data (risky). Classification enables proportionate security spending and helps prioritise breach response based on affected data sensitivity.
A Bengaluru fintech classifies data into 4 tiers: Tier 1 (name, email — standard controls), Tier 2 (PAN, bank account — encrypted at rest), Tier 3 (income, credit score — encrypted + access-logged), Tier 4 (Aadhaar biometrics — HSM-stored, dual-approval access).
PII classification is not a one-time exercise. As you add new data fields, integrate new systems, or change processing activities, classifications must be reviewed and updated.
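As an added example (not from the original page or any product it mentions), the four-tier scheme above, turned into a control check: each field is mapped to a tier, each tier to the controls it requires, and a storage schema is audited for missing controls; unknown fields fail closed into the most restrictive tier so that newly added columns (the review problem described above) surface as findings rather than slipping through. The tier table, field names and sample schema are constructed assumptions.

```python
"""Tier-based PII control checker modelled on the four-tier fintech scheme above.
The tier table, field names and sample dataset are constructed assumptions."""

# Controls required per tier; higher tiers include everything below them (assumption).
TIER_CONTROLS = {
    1: set(),
    2: {"encrypted_at_rest"},
    3: {"encrypted_at_rest", "access_logged"},
    4: {"encrypted_at_rest", "access_logged", "hsm_stored", "dual_approval"},
}

# Field name to tier, following the page's example tiers (assumed field names).
FIELD_TIER = {
    "name": 1, "email": 1,
    "pan": 2, "bank_account": 2,
    "income": 3, "credit_score": 3,
    "aadhaar_biometric": 4,
}

def classify(field_name: str) -> int:
    """Tier for a field; anything not yet classified fails closed into tier 4."""
    return FIELD_TIER.get(field_name.lower(), 4)

def check_dataset(schema: dict[str, set[str]]) -> list[str]:
    """schema maps field name -> controls actually applied to that field's storage.
    Returns one finding per missing control, in schema order."""
    findings = []
    for name, applied in schema.items():
        tier = classify(name)
        for ctl in sorted(TIER_CONTROLS[tier] - applied):
            findings.append(f"{name} (tier {tier}): missing {ctl}")
    return findings

def breach_priority(affected_fields: list[str]) -> int:
    """The highest tier among affected fields drives incident response priority."""
    return max((classify(f) for f in affected_fields), default=0)

# Constructed sample: credit_score is encrypted but not access-logged,
# and the biometric column sits in an HSM without dual-approval access.
SAMPLE_SCHEMA = {
    "name": set(),
    "email": set(),
    "pan": {"encrypted_at_rest"},
    "credit_score": {"encrypted_at_rest"},
    "aadhaar_biometric": {"encrypted_at_rest", "hsm_stored"},
}

if __name__ == "__main__":
    for finding in check_dataset(SAMPLE_SCHEMA):
        print(finding)
    print("breach priority:", breach_priority(["email", "credit_score"]))
```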