Too Many Companies Use Lax Data Classification Practices

July, 2021

Creating a formal classification scheme is an important element in managing data for security, disaster recovery, and retention purposes. Yet, many organizations fail to establish this important foundation. Our full report looks at the reasons why organizations find data classification a difficult practice and offers several practical guidelines to overcome these obstacles.

As shown in Figure 2 from our full report, Data Classification and Retention Adoption and Best Practices, the percentage of organizations with data classification and retention policies is 55%. That is lower than the last three years, when it was in 61%-62% range.

dclassfig22021 - Too Many Companies Use Lax Data Classification Practices
“Data classification is one of those areas where the perfect is the enemy of the good,” said Frank Scavo, president of Avasant Research, based in Los Angeles. “This may explain why adoption is stalled. A lot of organizations would be better off putting a basic classification scheme in place, rather than attempting to build a framework that is complete but overly complex and no one uses.”

Data classification is a simple concept. It is a scheme by which the organization assigns a level of sensitivity and an owner to each element of information that it owns and maintains. In a hospital, for example, a data classification scheme would identify the sensitivity of every piece of data in the hospital, from the cafeteria menu to patient medical records. The most widely recognized data classification scheme is the one used by governments including the US, which assigns classifications such as top secret, secret, and confidential.

Similarly, in business, organizations adopt data classification schemes to define the levels of confidentiality that are required for each piece of information created or maintained by the organization. A corporate data classification scheme might comprise information classifications such as:

  • Company confidential
  • Private
  • Sensitive
  • Public

The practice of data classification and retention has a moderate maturity rating this year. Its maturity rating is relative to the 33 other best practices studied in our annual IT Management Best Practices study. However, the number of survey respondents consistently and formally applying data classification and retention falls far short of the number practicing it to some degree. Thus, existing data classification programs should be evaluated to determine where they can be improved. It is clear that if more companies increased the quality and comprehensiveness of their data classification initiatives, the number of security and privacy breaches would decrease even more.

In our full report, we study the adoption and practice levels for data classification and retention and examine those by organization size and sector. We conclude with a series of best-practice recommendations for implementing a data classification scheme.


This Research Byte is a brief overview of our study, Data Classification and Retention Adoption and Best Practices. The full report is available at no charge for subscribers, or it may be purchased by non-subscribers directly from our website (click for pricing).