data classification

Data classification is the process of organizing data into defined categories or levels based on its sensitivity, regulatory obligations, and potential business impact if it is accessed, changed, or lost without authorization. In industrial and regulated manufacturing environments, data classification typically covers both IT and OT data, including production records, quality data, engineering documentation, and personal or proprietary information.

What data classification includes

In practice, data classification usually involves:

• Defining a set of categories or levels (for example, public, internal, confidential, restricted)
• Assigning each category clear criteria, such as regulatory drivers, privacy expectations, or commercial sensitivity
• Labeling data assets (documents, databases, logs, MES/ERP records, historian tags) with the appropriate classification
• Using the assigned classification to guide access control, encryption, logging, retention, and sharing rules

In regulated manufacturing, classification schemes often distinguish between:

• Personal data and identifiers (for example, employee IDs, operator badges, HR records)
• Product and batch data (for example, batch records, device history records, quality results)
• Technical and export-controlled data (for example, CAD models, process recipes, work instructions)
• Business and financial data (for example, pricing, supplier terms, demand forecasts)

Operational role in manufacturing systems

Data classification has a direct effect on how manufacturing and enterprise systems are designed and operated. Classification typically influences:

• Access control: Which roles can see or edit specific data in MES, ERP, LIMS, SCADA, or data lake environments
• Logging and monitoring: What is logged, how detailed logs are, and which identifiers are masked or pseudonymized
• Data retention: How long different categories of data are stored and in which repositories
• Data movement: Which data may be replicated to cloud analytics platforms, test environments, or external partners
• Export controls and privacy: Constraints on where data can reside geographically and who may access it

In brownfield environments with legacy MES/ERP and long-lived equipment, formal data classification is often layered on top of existing systems, driving configuration changes, new data flows, or compensating controls.

Relationship to security and privacy baselines

Data classification commonly provides the input for both security and privacy baselines. Security baselines describe the minimum technical controls for each classification level, while privacy baselines define how identifiable or sensitive information may be collected, used, and exposed. Together they determine how tools such as log aggregators, monitoring systems, and backup solutions are configured around different data categories.

What data classification is not

• It is not the same as access control, although classifications are used to set and review access rules.
• It is not a specific security technology or product; it is an organizational scheme and associated process.
• It is not limited to documents; it also applies to databases, application fields, telemetry, and production records.

Common confusion

• Data classification vs. data labeling: Classification is the policy and decision logic; labeling is the act of marking data with that classification in systems.
• Data classification vs. data categorization: Categorization may group data by topic or type (for example, maintenance vs. quality), while classification groups by sensitivity and protection needs.
• Data classification vs. information lifecycle management: Classification is one input to lifecycle decisions such as retention, archival, and deletion, but not the lifecycle process itself.