Define data classification and its impact on security controls in Annex B.

Data classification is the process of categorizing data by sensitivity and criticality to determine protection requirements and handling standards. By assigning levels (for example, public, internal, confidential, highly sensitive), an organization can apply appropriate security controls rather than a one-size-fits-all approach. This directly shapes what you must do to protect the data: who can access it, what encryption is required, how it should be stored and transmitted, how it should be shared, and how it is disposed of at the end of its life. The goal is to ensure that protection is aligned with the value and risk of the data, so highly sensitive data receives stronger controls while less sensitive data can have lighter requirements. In Annex B practice contexts, data classification provides the framework for selecting and implementing controls that align with the assigned level, ensuring consistency in handling standards across different data types. The other options describe actions in the data lifecycle—deleting after use, archiving to save space, copying data for redundancy—but they do not specify how data should be protected or handled based on its sensitivity, so they don’t define how security controls should be applied.