Information Protection

Sensitivity Labelling: Everything You Need to Know

  • By The Cloud Factory
  • June 18, 2022

The world is moving along the digital 2.0 path at a breakneck pace, and that pace has picked up since the onset of the pandemic. It has changed the face of the workplace forever. People now work both from the office and remotely, and they collaborate with others both inside and outside the organization. This means that content no longer stays behind a firewall: it can roam everywhere, across devices, apps, and services. To secure content while it's on the move, the first thing you need to do is identify the business-critical data and then classify it using sensitivity labels. It is important to establish an information protection framework that controls who has access to the data.

Classifying sensitive information

Organizations should clearly define the level of sensitivity for each type of data. This is the first step toward building a robust information protection framework. Some data, such as customer credit card numbers or bank transfer details, is obviously sensitive. In many other cases, data is harder to classify.

What is classified data?

The definition of what constitutes “classified” information varies greatly between organizations; a national pizza chain might consider the ingredient list for its secret sauce to be classified information that should never be shared externally, whereas another organization might not consider it sensitive at all. The first step in securing a cloud ecosystem such as Microsoft 365 is to have a clearly defined data classification scheme for your organization.

Why sensitivity labelling matters

Categorizing your data by level of sensitivity helps you better understand where sensitive data lives, what users are doing with it, and why it could be at risk. Data classification provides an interface for organizations to implement controls and procedures across data formats, structures and storage technologies.

Properly classified information allows an organization to define and implement a single policy for handling sensitive data across multiple systems and data objects. Data classification adds business context to applications, making it easier for organizations to apply the right level of security control. Admins can easily enable sensitivity labels, which allow you to define the privacy of content in all Microsoft 365 containers, including SharePoint sites, Microsoft Teams, and Microsoft 365 Groups.

Types of Sensitivity Labelling

Broadly, these are the types of data in a typical cloud ecosystem:

Public Use

The public label is placed on information that is available to the general public and intended for distribution outside an organization. This information may be freely distributed without harm because it's already in the public domain.

Confidential Information

The confidential classification label applies to information that could be used to harm the business if it falls into the wrong hands. Examples of this type of information include intellectual property, financial statements, customer contact information and employee pay rates.

Restricted / Business Use

The "business use only" classification label applies to information that is used in everyday business matters and cannot be released to the public, lest it put the company or its employees at risk.

Secret Information

Some organizations add an additional level of protection to their confidential material. For example, a health organization might label medical records relating to mental health, sexually transmitted diseases, HIV testing and substance abuse as "highly confidential" to indicate that unauthorized disclosure, modification or destruction would seriously harm the organization, its customers or employees.

What sensitivity labels can do for you

  • You can use encryption to protect your emails and documents.
  • You can choose which users or groups are able to perform which actions, such as modifying a document, and for how long. For example, you might allow all users in your organization to modify a document while only a specific group in another organization can view it.
  • Alternatively, instead of administrator-defined permissions, you can allow your users to assign permissions to the content when they apply the label.
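The two permission models in the list above can be expressed as label definitions in Security & Compliance PowerShell. This is an added example, not part of the original article; the label names, the `contoso.com` and `fabrikam.com` domains, the group address and the 90-day and 7-day values are constructed for illustration.

```powershell
# Added example: label names, domains and the group address are constructed.
# Requires the ExchangeOnlineManagement module and a compliance administrator role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Usage rights per identity, in "Identity1:Right1,Right2;Identity2:Right3" form.
$rights = @(
    # Everyone in the (assumed) home domain may view and edit.
    'contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT'
    # One group in another organization may only view.
    'project-reviewers@fabrikam.com:VIEW,VIEWRIGHTSDATA'
) -join ';'

# 1. Administrator-defined permissions: who can do what, and for how long.
$adminDefined = @{
    Name                                        = 'Confidential-Partner-Review'
    DisplayName                                 = 'Confidential - Partner Review'
    Tooltip                                     = 'Editable internally; view-only for the partner review group.'
    EncryptionEnabled                           = $true
    EncryptionProtectionType                    = 'Template'
    EncryptionRightsDefinitions                 = $rights
    EncryptionContentExpiredOnDateInDaysOrNever = 90   # access ends 90 days after labelling
    EncryptionOfflineAccessDays                 = 7    # re-authenticate at least weekly
}
New-Label @adminDefined

# 2. User-defined permissions: the person applying the label chooses recipients.
$userDefined = @{
    Name                     = 'Confidential-User-Defined'
    DisplayName              = 'Confidential - Recipients Only'
    Tooltip                  = 'You choose who can open this content when you apply the label.'
    EncryptionEnabled        = $true
    EncryptionProtectionType = 'UserDefined'
    EncryptionPromptUser     = $true   # Word, Excel, PowerPoint: prompt for permissions
    EncryptionDoNotForward   = $true   # Outlook: apply Do Not Forward
}
New-Label @userDefined

# Confirm both labels exist before publishing them in a label policy.
Get-Label | Format-Table Name, DisplayName
```

Labels created this way are not visible to users until they are published through a label policy.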

Proper Configuration matters

It is important to understand the role of configuration in data classification and labelling. Microsoft 365 offers a range of services for data classification and Data Leak Prevention (DLP) to suit different requirements, but you can take advantage of them only when you have the appropriate license in place and the configuration done properly. That is why it is important to select a competent Microsoft partner for proper guidance.

Final Thoughts

Identifying and classifying business-critical information is the first step towards building a robust information protection framework in the cloud ecosystem. We hope you now have a clear idea of why classifying data is important and of the other aspects governing sensitivity labelling.

If you are looking for a reliable and experienced Microsoft 365 partner who can help you identify the right licensing plan for your security and business needs and help you set up proper data classification, sensitivity labelling and data loss prevention configuration, The Cloud Factory can help you navigate smoothly.

You can reach out to us at and we will be happy to assist you.