GDPR: data classification and retention

In this data-focused video, we will discuss the approach for data asset protection, including gathering key data classification and governance for stakeholders to define and agree upon.








  • Welcome to the fourth “how-to” GDPR video in KPMG’s privacy video series.
  • This video is the second of three focused on how to address data under GDPR.
  • We will discuss how to classify data and leverage this approach for data asset protection, building on the knowledge of personal data set forth in the previous video.


  • An important first step is to identify data classification and governance stakeholders to define and agree to the following:

1.  Personal data classification levels applicable across the entire enterprise

2.  Data governance controls associated with each personal data classification level, including security requirements, retention period and destruction method.

3.  Approach to maintaining the data classification program, including ownership

  • Work with businesses to identify owners of personal data related to prioritized higher risk processes, and continue the data classification program rollout based on priority.
  • Work with those data owners to assign personal data assets a data classification level, and review governance controls.


  • We appreciate your time and attention as we address the foundational understanding of data.
  • Thanks for watching.
Steven Stein

Principal, Cyber Security, KPMG US
