classification-policy
Installation
SKILL.md
Data Classification Policy Development
Overview
A data classification policy establishes the enterprise-wide framework for categorising data by sensitivity level and prescribing handling requirements per tier. The policy translates GDPR classification obligations (personal, special category, criminal) and information security requirements (confidentiality, integrity, availability) into practical, enforceable rules that govern how data is stored, transmitted, accessed, and disposed of throughout its lifecycle. This skill covers the design, implementation, and enforcement of a four-tier classification scheme aligned with GDPR requirements and ISO 27001 Annex A controls.
Classification Tier Structure
Four-Tier Model for Vanguard Financial Services
| Tier | Label | Description | GDPR Mapping | ISO 27001 Mapping |
|---|---|---|---|---|
| Tier 1: Public | PUBLIC | Information approved for public release. Disclosure carries no risk to the organisation or individuals. | Anonymised data (Recital 26), published reports, public filings | A.8.2 — Unclassified/Public |
| Tier 2: Internal | INTERNAL | Information for internal use only. Disclosure would cause minor inconvenience but no significant harm. | Pseudonymised aggregate data, internal procedures, organisational charts | A.8.2 — Internal |
| Tier 3: Confidential | CONFIDENTIAL | Information whose disclosure would cause significant harm to individuals or the organisation. | Personal data (Art. 4(1)), financial data, customer records, employee records | A.8.2 — Confidential |
| Tier 4: Restricted | RESTRICTED | Information whose disclosure would cause severe harm, regulatory sanction, or irreversible damage. | Art. 9 special category data, Art. 10 criminal data, trade secrets, regulatory investigation data | A.8.2 — Restricted/Secret |