Define Data Categories
The Data Categories page (screenshot below) is accessed from the Overview page. It lists the data categories that have been defined and enables you to manage data categories. Here, new data categories can be added (click New Data Category), existing data categories can be edited (click the Edit icon of a data category), and existing data categories can be deleted (click the Delete icon of a data category).
When you add a new data category or edit a data category, a page with the data category's details is displayed (see below). On this page, you can edit the definition of the selected data category.
Example
In our example (see screenshot above), we have created data categories to describe basic personal data of customers and employees.
Points to note
Note the following points about data categories:
• You are free to define data categories as you like and according to what is suitable for your purposes.
• Each data category is composed of the data classifications of the system, for each of which one (or more) of that classification's allowed values is assigned. (Values do not need to be assigned for non-mandatory classifications.)
• A data category can cover as broad or narrow a field of data as is suitable. For example, you might create individual data categories for first name, last name, street, building number, city, postal code, country, and so on. Alternatively, you might create a single data category to contain the customer's name, address, telephone number, email address, and credit card details. The disadvantage of the first (narrow) categorization is that for each data category, values must be assigned to all the mandatory classifications, as well as maintained over time—which could prove very time-consuming, difficult, and tedious, besides being unnecessary. The disadvantage of the second (broad) approach is that multiple data items of quite different types and security significance will be clubbed together—for example, address and financial information—and could prevent a sensible breakdown of data into categories needing different levels of protection. You should create data categories that are appropriate. In our example, for instance (see screenshot above), we have created separate data categories, respectively, for the customer's (i) name and ID, (ii) mailing address, (iii) IP address, and (iv) credit card details.
• The key GDPR rule to hold to is that all the data you collect must be covered by the data categories you define.
Create or edit a data category
The definition of a data category (see screenshot below) consists of: (i) a name and description, and (ii) the system's data classifications, each with one or more allowed values selected for it. For example, the screenshot below shows the data category named Customer Credit Card Data (refer also to the screenshot above). The top pane contains the category's name and description. The bottom pane contains the system's data classifications, for each of which you can select one or more of the allowed values from the respective combo boxes. For example, the first data classification in the screenshot below is Data Subjects, and the value selected in its combo box is Customers. Additional information about the selection has been added in the Description field. The second data classification is Encryption. The third data classification is Protection Measure, which can take multiple values.
Note the following points about how the data classifications of a data category are specified:
• All the data classifications that have been configured for the compliance database are displayed.
• For each classification, select from among its allowed values. Alternatively, you can add a new value to the classification directly from the value field's combo box; to do this, click the +New Value item. If you enter a new value via the combo box, the value will automatically be added to the global definition of that classification.
• A mandatory classification (defined via the classification's Mandatory value property) is displayed in red if no value is selected for it.
• If a data classification has been defined to allow multiple values (via its Multiple values allowed property), then (in the definition of the data category) the value field's combo box (of that data classification) will drop down a list of check boxes—which allows you to select multiple values (see screenshot below).
• The Save button of the Data Categories page becomes enabled after (i) the data category has been given a name, and (ii) a value has been selected for every mandatory data classification.
• When modifying the definition of a data classification, it might be desirable for modifications to be approved by a person with oversight of the system. If approval is required, then the Request Approval check box should be checked. In such an event, the request will appear in the Approval Requests list.
After modifying the definition of a data category, click Save to save the changes.
Relationships with other metadata
A data category has the following relationships with other metadata:
It selects... | Which sets up... |
The value/s of classifications in the definition of the category. | |
An approval request for a change to a data classification. |
It can be selected for... | Which sets up... |
To which data categories data that is used by the processing activity belongs. | |
The data category of each data tier of the storage entity. |