5 ways to harness data classification to mitigate data sprawl

Deploying an automation tool to discover and classify data can drastically change how your organization controls data sprawl

Bex Evans
April 18, 2023

Whether it’s a privacy, security, ethics, or environmental, social, governance (ESG) initiative in your organization, all have the same baseline: data in all these segments is flowing in and out of your business at unfathomable volumes and speed. 

Who’s responsible for that data, what it does, and where it goes? Well, that’s another pain point organizations are facing. In an IDC study on enterprise data culture, half the respondents said they were overwhelmed by the amount of data within their ecosystem, while 44% claimed they don’t have enough data to support strong decision making. 

The speed, scale, and sprawl of data and the increased risk of relying on manual operations to support data risk management has created plenty of pain points for privacy and security teams in any organization.

What is data sprawl? 

First, we need to understand what data sprawl means. It’s the proliferation in the number and different kinds of digital information (data) created, collected, stored, shared, and analyzed by businesses, primarily at the enterprise level. On average, organizations have four-to-six platforms to manage data. 

And how much data, exactly, is sprawling? Recent studies show that some 2.5 quintillion bytes of data are being created every single day, according to Tech Jury, and behind every data point flying through the digital stratosphere is a company that is either providing it, receiving it, or is in charge of managing it. 

What is data classification?

Simply put, data classification is the umbrella term for understanding the what, where, when, and why of data living in your organization’s ecosystem. Gathering and understanding this information will ultimately lead your business to better protecting and promoting responsible use of that data.

Here are five forms of data classification that can help mitigate risk to that digital information:

  1. Understand the nature of the data at hand
    • Is it structured or unstructured? 
    • If unstructured, what type of document is it? 
  2. Understand the nature of the file at hand 
    • Is that document a resume or a W2?
    • Is that code an authentication key?
    • Is that .jpeg a passport scan?        
  3. Understand the data elements in the file 
    • Is there personal information like first name, last name, email addresses?
    • Is there sensitive personal information like social security number, religious affiliation, healthcare data?
  4. Understand the level of sensitivity and the appropriate level of access 
    • Public 
    • Internal
    • Confidential
    • Restricted 
  5. Quantify the risk of the data
    • What is the total volume of data with sensitive information that needs to be monitored?
    • What percentage of that data has sensitive information which are PIIs, authorization tokens, passwords etc.?


Next steps depend on accuracy

The accuracy within the classification process will guide your organization’s next steps when it comes to mitigating risk around that data. In doing so, your organization will have a clearer picture of the regulatory requirements attached to all the data you know now about.

What do we mean by that? Here’s just a few examples of why classification of that data is necessary before it sprawls any further:

  • Is it subject to GDPR?  
  • Is it considered sensitive personal information (SPI) (US) or Special Categories (EU)?  
  • Is it healthcare data?  
  • Does it need to be retained for a specified duration?  
  • If it were subject to a breach, would you need to notify the data subject?   
  • If so, what’s the notification timeline?  
  • What rights do subjects have to that data?  
  • If they’re afforded opt-out rights, what is the timeline for meeting that request?  
  • If they’re afforded access rights, what is the timeline for meeting that request?  

Classifying data isn’t just about protecting that information and the company that owns, uses, or transfers it. Compliance with regulatory requirements is a necessity for organizations, and letting data sprawl into the wilds of a business’s ecosystem—or beyond—is the quickest way for your business to find itself in heaps of trouble. 

Automation eases a resource-intense process

Considering how much data is moving around your company’s ecosystem—both structured and unstructured—it’s clearly a resource-intense responsibility to ensure it’s protected and compliant with whichever regulations your organization falls under. 

This is where automation can quickly help your teams classify and de-risk data. An automation tool such as a data classification engine can help you make sense of data, vulnerabilities, and opportunities to optimize resources while activating workstreams across privacy, GRC, data governance and marketing.

Deploying an automation tool to discover and classify data that incorporates the following instruments can drastically change how quickly your organization is able to control data sprawl. Those capabilities should include:

Classification engine: This would go beyond pattern or keyword matching to incorporate additional validations like checksum logic, ignoring repetitive digits, or finding alternate patterns of data such as abbreviations to reduce false positives as well as fully customize the classification to your unique needs without having to write regular expressions from scratch.

Natural Language Processing (NLP) for document classification: NLP discerns the nature of documents and files such as resumes stored in Microsoft OneDrive and SharePoint. NLP also helps locate sensitive information such as religious views or political affiliations which are protected under privacy laws. 

Contextual analysis: Distinguish whether the occurrence of certain content in a file or table refers to name, country, state, or a 5-digit number is a postal code or a customer ID by analyzing not just the specific data element but also the surrounding contextual clues (just like a human reviewing the data would do), reducing the need to perform detailed manual review for each ambiguous data element. 

Indexing data: This would create an identity graph which can automate the process of responding to DSAR requests. 

Optical character recognition: Convert text in images into a machine-readable format, helping you quickly understand that .jpeg in your human resource team’s OneDrive is actually a passport so you can apply the appropriate controls or decide to delete it. 

Global privacy regulation support: This includes classifiers for relevant regulations like GDPR, CPRA, HIPAA, LGPD and more with prescriptive guidance on what sensitive data needs protection per regulation.  

Data relevant for security support: Helps your team identify data elements like authorization token, secret keys, and digital certificates across your ecosystem faster.  

Cluster analysis: Highlights potential duplicate documents containing sensitive data to support opportunities to minimize that data, and cut down on storage costs as well as reduce attack surface area. 

Dashboards: Provides actionable insights into your data ecosystem and also allows you to customize and filter insights that you need to report on. 

Community recommendations: Based on machine learning, this leverages the collective intelligence of 13K data governance, risk, and privacy professionals within the OneTrust community to fine-tune classification accuracy based on user action. 

Data is now currency for businesses, there’s no denying that. How it’s used and cared for is what can keep your organization protected from a security event.

What does it mean to de-risk data, and how do we gain visibility and classification? Join this webinar to learn more.

You may also like


Data Discovery

Live demo: OneTrust Data Discovery

See how OneTrust Data Discovery can help your organization achieve complete data visibility to empower your security program and reduce risk.

June 22, 2023

Learn more


Data Discovery

OneTrust Data Discovery Day: A deep dive into automating data discovery and classification

Join us for a two-hour deep dive into data discovery and how OneTrust helps privacy, IT, and security teams understaind their data and achieve risk reduction goals.

June 13, 2023

Learn more


Data Discovery

Monitoring least privilege access risks

Understand common scenarios for applying data access governance within your business and key considerations for evaluating open access risk.

May 18, 2023

Learn more