Data Classification Policy
Version 1 - Approved by Sakhil Chawla
Contents
- 1. Objective
- 2. Scope
- 3. Policy Statement
- 4. Data Classification Definitions
- 5. Document Security Classification
- 6. Labeling of Information
- 7. Non-Compliance
- 8. Responsibilities
- 9. Schedule
- 10. Version History
1. Objective
The Data Classification Policy provides a way to categorize any data processed by the NOT GEORGE TECHNOLOGIES staff, software, and systems. The purpose of this policy is to establish a framework for classifying data based on its sensitivity, value, and criticality to the organization. By understanding the types of available data, their classification, and access level, one shall be able to map the appropriate access or level of protection needed. This clarity ensures that critical company data can be secured.
2. Scope
The NOT GEORGE TECHNOLOGIES Data Classification Policy applies to all the data handled, managed, stored, or transmitted by NOT GEORGE TECHNOLOGIES and the NOT GEORGE TECHNOLOGIES staff. Managers and information owners shall assign the appropriate classification as and when required.
3. Policy Statement
Each individual at NOT GEORGE TECHNOLOGIES shall be responsible for reviewing, adhering to, and handling data according to the classification levels defined below. The Data Classification definitions below provide a list of various types of data and their classification levels. In case of difficulty in identifying a specific data element or uncertainty regarding the associated risk and appropriate classification and handling, individuals are encouraged to contact NOT GEORGE TECHNOLOGIES's Information Security Officer for guidance and assistance.
4. Data Classification Definitions
NOT GEORGE TECHNOLOGIES’s data is classified as follows:
4.1 Public Data
This data or information may be shared with any person, organization, or system regardless of their relationship with NOT GEORGE TECHNOLOGIES. This classification is not limited to data or information meant for public consumption but also includes any data or information that requires no special handling or any kind of safeguarding from disclosure. The distribution of such data does not expose NOT GEORGE TECHNOLOGIES, its customers, or its partners to any harm.
Examples of Public Data include product blogs, company websites, press releases, marketing collaterals, career pages, etc.
4.2 Company Internal Data
This data shall be accessible by all staff within NOT GEORGE TECHNOLOGIES and may be required for the smooth operational functioning of the organization. Such information shall not be made available to parties outside NOT GEORGE TECHNOLOGIES but may be shared if requested.
Examples of Company Internal Data include Information Security Policies & Procedures, HR Policies, Leave Policies & Holiday Lists, Operational Procedures, etc.
4.3 Company Confidential Data
This data & information shall be accessible by pre-authorized staff members and shall not be made generally available within NOT GEORGE TECHNOLOGIES. Unauthorized access or disclosure could cause significant financial or material loss and poses a risk to NOT GEORGE TECHNOLOGIES if exposed. Such exposure can lead to breaking contractual obligations and may adversely impact NOT GEORGE TECHNOLOGIES, its partners, employees, and eventually its customers. Such information needs to be protected from unauthorized access and changes. Note that access to such data may also be limited to specific staff members or groups of staff members like executives, HR, legal teams, etc.
Examples of Company Confidential Data include employee salaries, legal documents, internal product specifications, customer lists, strategy documents, internal roadmaps, design documents, internal memos, emails, etc.
4.4 Customer Confidential Data
This data, if accessed by unauthorized parties, may adversely affect NOT GEORGE TECHNOLOGIES’s customers. This includes data that NOT GEORGE TECHNOLOGIES is required to keep confidential, either by law or under a customer agreement. The company needs to protect such information from unauthorized access and unauthorized modification. Customer Confidential Data needs to be safeguarded when it is stored, processed, used, and transmitted.
Unauthorized access to such data can violate contractual confidentiality agreements with customers, cause a security incident, or affect NOT GEORGE TECHNOLOGIES’s customer and industry confidence.
Examples of Customer Confidential Data include data provided by customers by using our system, information on customer accounts, personally identifiable information of customers (or customers’ customers), etc.
4.5 Personal Data
This data, if accessed by unauthorized parties, may adversely affect the privacy of individuals.
Personal Data refers to any data relating to an identifiable individual or person. This includes data NOT GEORGE TECHNOLOGIES is required to safeguard, either by law (GDPR for EU citizens’ data) or under a customer agreement. The company needs to protect such information from unauthorized access and unauthorized modification. Personal Data needs to be safeguarded when it is stored, processed, used, and transmitted.
Unauthorized access to such data may potentially violate the law, break contractual data protection agreements with customers, cause a security incident, or affect NOT GEORGE TECHNOLOGIES’s customer and industry confidence.
Examples of Personal Data include name, email, phone number, IP Address, political views of individuals, cookies, Personal Health Records, Credit Card information, etc.
Note that personal health records, credit card information, and other sensitive personal data may be subject to additional laws based on the location of the owner of such data. For example, HIPAA regulations shall apply to US citizens' personal health information.
5. Labeling of Information
Depending on the requirements, the asset owner should label data/information based on the data classification policy. Labeling methods for physical and electronic information could include appropriate tagging of information based on their classification.
In general, most of the critical information managed by the company is in an electronic format.
6. Document Security Classification
Company Internal (as described in section 4.2 of this document).
7. Non-Compliance
Compliance with this policy shall be verified through various methods, including, but not limited to, automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, which may include termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
8. Responsibilities
The Information Security Officer is responsible for approving and reviewing policy and related procedures. Supporting functions, departments, and staff members shall be responsible for implementing the relevant sections of the policy in their area of operation.
9. Schedule
This document shall be reviewed annually and whenever significant changes occur in the organization.
End of Data Classification Policy. For version history, please see the next page.
Version History
| Version | Log | Date |
|---|---|---|
| 1 | Current Policy version approved by Sakhil Chawla | 06 May, 2026 |
| 1 | New policy version created | 06 May, 2026 |