Data Classification Made Simple for SMEs | Protect What Matters Most
Das Wichtigste in Kürze
- Data classification with Microsoft Purview: Baggenstos recommends a pragmatic start with manual labelling (shareable, not shareable, management-only), then step-by-step automation
- Four-stage roadmap: take stock in a workshop, assign responsibilities, define access restrictions, implement with regular review
Data is the lifeblood of modern organisations. However, when data ends up in the wrong hands or resides in inappropriate locations, it becomes a liability. Data breaches can pose an existential threat—for example, when cybercriminals publish sensitive information or demand substantial ransoms. In every case, data loss damages reputation. Moreover, breaches of regulations such as the Swiss Data Protection Act (FADP) or the European GDPR can result in significant fines.
Start with manual classification
Effective data classification lays the foundation for sustainable data protection and robust access controls. However, as Sven Nittmann, Cloud Solution Engineer at Baggenstos, observes, the topic is still evolving—particularly among SMEs. This is increasingly driven by the adoption of tools such as Microsoft Copilot, which organisations want to operate within clearly defined and secure boundaries. Uncertainty often exists around both the approach and the scope of the work involved. Sven reassures: “The effort required for implementation is manageable. The real challenge lies in consistently adhering to the classification model once it has been established.”
Baggenstos takes a pragmatic approach and recommends starting with manual labelling using Microsoft Purview.“Keep it simple,” says Sven. “A good starting point is to distinguish between shareable and non-shareable data.” A third category can be introduced for management-level information—data that should not be accessible within lower levels of the organisation during day-to-day operations.
Automation as the next step
As data volumes grow and organisational structures become more complex, the classification framework naturally evolves. Additional labels may be required—for specific projects, products, or highly sensitive business areas. Another viable approach is to classify data based on potential impact—from “no impact” through to “business-critical” or “existential risk.” However, the priority should be to ensure that manual labelling works effectively. Only then should organisations move towards automation. AI can analyse manually applied labels and help scale the system accordingly.
“Automation requires rigorous work on classification criteria,”
Sven emphasises.Sven Nittmann, Cloud Solution Engineer
Creating awareness of data classes
The true value of data classification often only becomes apparent after a breach—whether caused by a cyberattack or human error. The outcome is the same. Data classification forms part of a comprehensive security framework, alongside passkeys and intelligent identity and access management. Within Microsoft 365, files with certain labels can automatically be restricted from being shared, or users can be prompted—via configurable notifications—to comply with data protection requirements. Microsoft Purview provides holistic protection by securing files rather than just storage locations. In short, the platform delivers full visibility across the organisation’s data landscape while ensuring security, governance, and compliance.
An iterative approach
Data classification is inherently iterative and requires a structured, phased approach. Organisations must first establish:
• Where data resides
• Who currently has access
• How data is being shared
A workshop setting helps shape the future data model. For SMEs already operating within the Microsoft ecosystem, an initial, practical model can be developed within a matter of days, according to Sven Nittmann. If integrations with third-party systems are required, the initiative may evolve into a multi-week IT project. The most challenging aspect remains awareness: “SMEs need to understand the risks they are taking if they do not classify their data.”
Roadmap
Implementation varies by organisation, but typically includes:
- Baseline assessment through a workshop
- Assignment of responsibilities
- Definition of access restrictions
- Implementation and ongoing review, including refinement of classification categories
Learn more
