Document Name Data Classification, Protection & Retention Policy
Classification Internal Use Only
Document Management Information
Document Title: Data Classification, Protection & Retention Policy
Document Number: ORGANISATION-DAT-CPR-POL
Document Classification: Internal Use Only
Document Status: Approved

Issue Details
Release Date: DD-MM-YYYY

Revision Details
Version No. | Revision Date | Particulars | Approved by
1.0 | DD-MM-YYYY | <Provide details of changes made on policy here> | <Provide name of Approver here>

Document Contact Details
Role | Name | Designation
Author | <Provide name of author here> | <Provide designation of author here>
Reviewer/Custodian | <Provide name of reviewer here> | <Provide designation of reviewer here>
Owner | <Provide name of owner here> | <Provide designation of owner here>

Distribution List
Name
Need Based Circulation Only
CONTENTS
1. PURPOSE
2. SCOPE
3. TERMS AND DEFINITIONS
4. ROLES AND RESPONSIBILITIES
5. DATA CLASSIFICATION GUIDELINES
6. DATA PROTECTION REQUIREMENTS
7. DATA HANDLING AND LABELING STANDARDS
8. DATA RETENTION AND DISPOSAL
9. DATA OWNERSHIP AND REVIEW
10. ENFORCEMENT
11. POLICY EXCEPTIONS
12. ESCALATION MATRIX
13. POLICY REVIEW AND MAINTENANCE
1. PURPOSE
The purpose of this policy is to establish a consistent framework for the classification,
protection, and retention of information assets across [ORG NAME] in order to:
• Ensure that data is appropriately secured based on its sensitivity, regulatory
obligations, and business value
• Prevent unauthorized access, disclosure, alteration, or destruction of information
• Comply with requirements under ISO/IEC 27001:2022, SOC 2 Type 2, and
applicable data protection regulations (e.g., GDPR, DPDP Act)
• Support operational efficiency and reduce risks associated with data
mismanagement, over-retention, or non-compliance
• Promote accountability among data owners, custodians, and users by defining
clear data handling responsibilities
This policy also aims to align data lifecycle management practices—including
classification, labelling, protection, and disposal—with the organization’s overall
information security management system (ISMS) and privacy frameworks.
2. SCOPE
This policy applies to all data and information assets created, received, processed,
stored, transmitted, or managed by [ORG NAME], irrespective of format or location.
2.1 Covered Entities
This policy applies to:
• All employees, contractors, interns, and third-party service providers
• All departments and business units within [ORG NAME]
• All users of [ORG NAME]’s systems and services who handle or access
organizational data
2.2 Covered Data Types
The policy covers, but is not limited to:
• Structured data (e.g., databases, spreadsheets, CRM records)
• Unstructured data (e.g., emails, documents, presentations, PDFs)
• Multimedia data (e.g., recordings, images, videos, CCTV footage)
• Machine-generated data (e.g., logs, telemetry, audit trails)
• Personal and sensitive personal data (as per applicable privacy laws)
• Intellectual property, trade secrets, and proprietary business information
2.3 Covered Environments
This policy applies across all platforms and data environments used by [ORG NAME],
including:
• On-premises servers and infrastructure
• Cloud-based storage, applications, and SaaS platforms
• Mobile devices, portable storage, laptops, and desktops
• Third-party or outsourced systems where data is processed on behalf of [ORG NAME]
• Backup systems and disaster recovery environments
3. TERMS AND DEFINITIONS
Term | Definition
Information Asset | Any data, document, or digital object that has value to [ORG NAME], including systems, databases, and files that store or transmit information.
Data Classification | The process of categorizing data based on its sensitivity, criticality, and regulatory or contractual obligations.
Data Owner | The individual or role responsible for determining the classification, access rights, retention period, and protection requirements of data.
Data Steward | The individual responsible for implementing and maintaining data classification and protection practices in collaboration with the data owner.
Confidentiality | Ensuring that data is accessible only to those authorized to have access.
Integrity | Ensuring the accuracy and completeness of data and preventing unauthorized modification.
Availability | Ensuring data is accessible and usable upon demand by authorized users.
Retention | The length of time that data is kept in an accessible and usable form before it is archived or deleted.
Data Protection | Technical and organizational safeguards to secure data throughout its lifecycle, including access control, encryption, and monitoring.
Labelling | The process of tagging data with its classification level, either manually or automatically, for appropriate handling and access control.
Disposal | The permanent destruction or anonymization of data at the end of its retention period using secure methods.
Personal Data | Any information that can directly or indirectly identify an individual (e.g., name, email, ID number, IP address).
Sensitive Personal Data | Special categories of personal data requiring enhanced protection (e.g., financial data, health records, biometrics).
Critical Data | Data whose compromise could severely impact operations, reputation, legal compliance, or customer trust.
4. ROLES AND RESPONSIBILITIES
Role | Responsibilities

Board of Directors / Executive Management
- Approve classification and retention policies
- Provide strategic oversight and risk governance
- Ensure resource allocation and compliance posture

Data Protection Officer (DPO) / CPO
- Advise on privacy-related classification and retention
- Oversee personal and sensitive data handling
- Respond to regulatory and data subject requests

Chief Information Security Officer (CISO)
- Define and enforce security controls per classification level
- Conduct risk assessments and incident response
- Support ISMS and SOC 2 controls

Data Owners
- Assign classification labels
- Define access controls and retention periods
- Approve sharing and disposal
- Review classification periodically

Data Stewards / System Owners
- Implement classification and protection controls
- Maintain data inventories
- Support audits and compliance reviews

IT / Infrastructure Teams
- Apply encryption, backups, and secure storage
- Configure access control and logging
- Automate retention and disposal processes

Application Developers / DevOps
- Build systems to support tagging and access control
- Implement secure development practices
- Automate protection based on classification

Employees / End Users
- Handle data per classification and retention rules
- Use only approved channels for data storage and sharing
- Report incidents or misclassification

Legal and Compliance Team
- Advise on legal/regulatory retention needs
- Validate classification against statutory or contractual terms
- Manage legal holds and audits
5. DATA CLASSIFICATION GUIDELINES
Proper classification of data ensures that information is protected according to its
sensitivity, business criticality, and regulatory obligations. All data assets at [ORG NAME]
must be classified, labelled, and protected accordingly throughout their lifecycle —
from creation or receipt to archival and disposal.
5.1 Classification Objectives
The objectives of data classification are to:
• Ensure appropriate security controls are applied based on data sensitivity
• Minimize risk of unauthorized access, leakage, or misuse
• Support compliance with standards like ISO 27001, SOC 2, GDPR, DPDP, etc.
• Guide staff in handling, sharing, storing, and disposing of information
• Enable automated enforcement of security policies (e.g., via DLP, CASB, access
controls)
5.2 Classification Methodology
Data must be classified based on the impact of its unauthorized disclosure,
alteration, or unavailability, along with any legal, contractual, or operational risks.
Factors include:
Criteria | Evaluation Questions
Confidentiality Impact | Would unauthorized disclosure cause legal, financial, or reputational harm?
Integrity Impact | Would incorrect or tampered data affect decisions, operations, or compliance?
Availability Impact | Would unavailability disrupt operations or impact critical services?
Legal/Regulatory Exposure | Does the data fall under GDPR, HIPAA, PCI-DSS, DPDP, SOC 2, or other requirements?
Business Sensitivity | Is the data a trade secret, intellectual property, financial report, or competitive information?
5.3 Classification Levels and Examples
Level | Description | Example Data Types | Access & Handling Requirements

Restricted
Description: Data that, if exposed or modified, would cause severe legal, financial, operational, or reputational harm to the organization or individuals.
Example Data Types:
- Personally Identifiable Information (PII)
- Health/financial data
- Encryption keys
- M&A plans
- Source code
- Legal case files
Access & Handling Requirements: Access restricted to specifically authorized roles; strong encryption, audit logs, strict DLP rules

Confidential
Description: Data that could cause moderate business or legal risk if compromised. Intended strictly for internal business use.
Example Data Types:
- Employee evaluations
- Strategy decks
- Audit reports
- Financial forecasts
- Internal emails
Access & Handling Requirements: Access limited to internal staff with role-based controls; encrypted at rest and in transit

Internal Use Only
Description: Non-sensitive operational information. Not public, but low impact if leaked.
Example Data Types:
- Standard operating procedures
- Training material
- System manuals
- Internal memos
Access & Handling Requirements: Access granted to all employees; protected through basic access control mechanisms

Public
Description: Approved for open and unrestricted disclosure. No confidentiality risk.
Example Data Types:
- Published reports
- Marketing content
- Website blogs
- Press releases
Access & Handling Requirements: May be shared externally; no access restrictions but must still be approved for release
5.4 Classification Responsibilities
Role | Responsibility
Data Owners | Assign classification level based on business impact and compliance obligations
Data Stewards | Implement classification through system tags, metadata, or labels
IT / Security | Apply access controls, DLP, and encryption policies per classification level
End Users | Handle, store, and share information according to its classification and organizational procedures
Legal / DPO | Ensure classification considers applicable legal and regulatory obligations
5.5 Labelling and Metadata
All classified data must be labelled or tagged using manual or automated tools:
• Email & documents: Header/footer tags (e.g., “CONFIDENTIAL”)
• Files & folders: Metadata applied by DLP or document management systems
• Systems & databases: Classification fields in asset inventories or CMDBs
• Automated enforcement: DLP, CASB, IRM, or cloud labelling policies enforce
usage restrictions
6. DATA PROTECTION REQUIREMENTS
Each classification level mandates specific protection controls to safeguard the
confidentiality, integrity, and availability of information. [ORG NAME] ensures that all
information assets are protected with security controls proportionate to their
classification level and associated risk.
6.1 General Protection Principles
• Risk-Based Protection: Higher sensitivity → stronger controls
• Least Privilege: Access is restricted to only those with a legitimate business need
• Defence in Depth: Multiple layers of technical and administrative safeguards are
implemented
• Secure by Design: Systems processing sensitive data must embed protection
controls from the outset
• Continuous Monitoring: Classified data must be monitored for access,
anomalies, and leakage attempts
6.2 Protection Controls Matrix
Control Category | Public | Internal Use Only | Confidential | Restricted
Access Control | No restrictions | Role-based access | Role-based access + approval | Explicit approval, strict role segregation
Authentication | Optional | SSO | MFA + SSO | MFA, device binding, step-up auth
Encryption at Rest | Not required | Recommended | Mandatory (AES-256) | Mandatory (AES-256 with key rotation)
Encryption in Transit | TLS recommended | TLS required | TLS 1.2+ mandatory | TLS 1.2+ + IP restrictions
Data Loss Prevention (DLP) | Not required | Monitor only | Active enforcement | Strict enforcement, real-time alerts
Email/Data Sharing | Allowed freely | Internal only | Controlled via DLP | Restricted to named recipients, monitored
Storage Location | Public cloud | Approved cloud/internal | Encrypted approved storage only | Encrypted & access-controlled zones
Logging and Auditing | Basic access logs | Access logs retained | Access + usage logs | Full audit trail, alerting, forensic readiness
Retention Control | As needed | Per function | Per retention schedule | Strict retention limits; legal hold if required
Backup | Optional | Standard backup | Encrypted backup | Encrypted + access-restricted backups
Physical Protection | NA | Standard office | Secure zones | Locked server rooms, access control logs, surveillance
Remote Access | Allowed | VPN recommended | VPN + restricted access | VPN + approval + endpoint compliance check
6.3 Data Protection in Third-Party Environments
When classified data is handled by third parties (e.g., vendors, cloud providers), the
following must be ensured:
• Data Processing Agreements (DPAs) are in place
• SOC 2 Type II, ISO 27001, or equivalent certification of provider is reviewed
• Data is stored and processed only in approved jurisdictions
• Audit rights and breach notification clauses are included in contracts
• Data minimization and pseudonymization are applied where feasible
6.4 Additional Security Requirements for Restricted Data
Restricted-level data must also comply with:
• Periodic risk assessments
• Annual penetration testing of systems that process such data
• Zero Trust Architecture enforcement
• Continuous monitoring via SIEM, EDR, or CASB platforms
• Strict physical and logical separation from lower-classified environments
7. DATA HANDLING AND LABELING STANDARDS
To maintain consistent protection and regulatory compliance, all classified information
at [ORG NAME] must be properly labelled, stored, accessed, transmitted, and
disposed of according to its classification level. These standards apply throughout the
data lifecycle — from creation to deletion.
7.1 Data Handling Rules by Classification
Activity | Public | Internal Use Only | Confidential | Restricted
Creation | No restriction | By internal staff only | Authorized users, classification required | Only by designated roles, DLP triggers enforced
Labelling | Optional | Optional digital tags | Mandatory (document tags or metadata) | Mandatory, clearly labelled: header/footer/tags
Storage | Public platforms allowed | Internal servers/cloud | Encrypted storage (on-prem or cloud) | Secure, access-controlled, encrypted zones
Editing | Unrestricted | Controlled within teams | Limited to specific roles | Strict change control and audit trails
Access / Sharing | Freely shareable | Internal only | Limited to need-to-know, logged | Named recipients only, with approval
Printing | Allowed | Internal only | Monitored or watermarked | Discouraged; physical protection mandatory
Disposal | As required | Delete when obsolete | Secure digital wipe or shredding | Cryptographic erasure / secure destruction
Backup | Optional | Standard internal | Encrypted and access controlled | Encrypted, geo-restricted, retention reviewed
7.2 Labelling Standards
Labelling of data helps ensure proper handling and visibility across systems and users.
Labels may be manual (e.g., document headers) or automated (via
metadata/DLP/classification engines).
Types of Labels:
Label Field | Description
Classification | Marked as “Public”, “Internal”, “Confidential”, or “Restricted”
Owner | Identifies the department or individual accountable for the data
Retention Period | Defines how long the data should be kept
Handling Notes | Any specific instructions (e.g., “Do not forward”, “Encrypt before sending”)
Examples:
• Email Subject: [RESTRICTED] – Payroll Data for April
• Document Footer: CONFIDENTIAL – Internal Use Only – Owned by HR Department
• File Metadata: Classification tags embedded in SharePoint, DMS, or cloud storage
7.3 Data Transmission Guidelines
Channel | Confidential / Restricted Data
Email | Encrypted (TLS + S/MIME or DLP control); no personal emails
File Transfer | Secure file transfer protocols (SFTP, HTTPS, MFT)
Cloud Sharing | Approved platforms with access logging and expiration controls
Removable Media | Strongly discouraged; must be encrypted and logged if used
Verbal Sharing | Only in private, secure settings with authorized individuals
7.4 Visual Labelling Tools and Automation
• Document templates (Word, PDF, Excel) auto-tag classification in
headers/footers
• DLP solutions enforce tagging and classification suggestions during content
creation
• Cloud platforms (e.g., Microsoft Purview, Google Labels) used for auto-labelling
at scale
• Email clients (e.g., Outlook, Gmail) integrated with sensitivity labels and
encryption prompts
8. DATA RETENTION AND DISPOSAL
Proper data retention and disposal practices are critical to reducing storage risks,
ensuring compliance, and minimizing legal and operational liabilities. [ORG NAME]
defines structured rules for how long information should be retained and how it should
be securely disposed of once no longer needed.
8.1 Retention Policy Principles
• Purpose-driven retention: Data is retained only as long as necessary to fulfil its
original purpose or comply with legal, regulatory, or contractual obligations
• Minimization: Excess, outdated, or redundant information must be regularly
purged
• Documentation: All retention periods are documented in a central Data
Retention Schedule
• Exception handling: Legal holds and audits override scheduled deletion until
closure
8.2 Typical Retention Periods
Data Category | Retention Period | Reason
Employee records | 7 years after separation | Labor law, HR compliance
Financial and tax records | 8 years | Tax compliance, audit requirements
Customer contracts | 7 years post-termination | Limitation of liability, contractual obligations
Security logs and access logs | 1 year | Forensic and incident investigation
Emails | 3–5 years | Business continuity, audit traceability
Marketing consent records | Until withdrawal or 2 years | Consent audit, legal proof of permission
Backup archives | As per BCP/DR cycle (30–90 days) | Business continuity only, not for active access
Applicant/resume data (unhired) | 1 year | Future opportunity consideration (with consent)
Note: These periods may be adjusted per jurisdiction or client contract.
8.3 Data Disposal and Destruction
When data has reached the end of its retention period — and is not subject to legal
hold — it must be disposed of securely, using the following methods:
Digital Data Disposal
• Permanent deletion using secure erase tools (e.g., DoD 5220.22-M,
cryptographic wiping)
• Cloud-based deletion must follow provider’s secure purge protocols
• Deletion logs retained for audit validation
Physical Data Disposal
• Shredding of paper documents using industrial shredders
• Disposal via certified vendors with certificate of destruction
• Locked bins and chain-of-custody for sensitive physical files
8.4 Backup and Archival Considerations
• Backups must be encrypted, access-controlled, and isolated from production
• Retention of backup data must not exceed primary data retention policies,
unless required for BCP/DR
• Archived data may only be accessed with justified, documented approval and
is not exempt from disposal policies
8.5 Retention Responsibilities
Role | Responsibility
Data Owners | Define and approve retention period for each data type
IT / Infrastructure | Implement retention settings in systems, backups, and cloud platforms
Legal / Compliance | Define legal hold triggers and exceptions, conduct audits of retention adherence
Data Stewards | Maintain up-to-date data inventories with retention labels and schedules
9. DATA OWNERSHIP AND REVIEW
To ensure that data is appropriately classified, protected, and retained, [ORG NAME]
assigns clear ownership for all information assets. Ownership is critical for
accountability, continuous risk management, and policy enforcement.
9.1 Data Ownership Model
Each information asset must have a designated Data Owner responsible for:
• Initial classification of the data based on sensitivity and business impact
• Defining access rights, protection controls, and retention periods
• Authorizing data sharing and processing by third parties
• Approving secure disposal after the retention period ends
• Ensuring labelling, tagging, and handling requirements are met
• Coordinating with IT and Compliance to enforce applicable regulatory controls
9.2 Supporting Roles
Role | Responsibilities
Data Steward | Implements classification, retention, and labelling on behalf of the Data Owner; maintains inventories
IT / System Admin | Enforces technical controls (e.g., encryption, access restrictions, retention settings)
Legal / Compliance | Guides retention based on laws and contracts; handles exceptions, audits, and legal holds
Security Team | Monitors systems for access violations and protection failures related to classification or retention
9.3 Periodic Review of Classification and Retention
To ensure ongoing relevance and compliance, [ORG NAME] requires that data
classification and retention assignments be reviewed periodically, at minimum:
• Annually, or
• Upon a significant business, legal, or system change, such as:
o Regulatory update or new law (e.g., DPDP, GDPR)
o System migration or cloud adoption
o Organizational restructuring or project closure
Each review must confirm or revise:
• The correctness of classification
• The validity of assigned retention period
• Any need for reclassification, relabelling, or legal hold
• The deprecation or secure deletion of obsolete data
These reviews are logged and coordinated by the respective data owner in
collaboration with compliance and IT.
9.4 Reclassification and Deprecation Events
Reclassification or retirement of data may be triggered by:
• Policy changes or revised risk assessments
• Downgrade of business sensitivity over time
• End of contractual obligation
• Data anonymization or transformation
• Decommissioning of systems or repositories
Such changes must be documented and approved by the Data Owner and reviewed
by Compliance.
10. ENFORCEMENT
1. Policy Exception Conditions
Valid exception scenarios may include:
o Use of unclassified or legacy systems for urgent business needs
o Inability to implement prescribed controls due to technical constraints
o Retention beyond normal periods due to litigation hold or audit
requirements
o Delayed labelling or classification automation for new systems or
integrations
2. Policy Compliance
o All users, contractors, and third parties with access to [ORG NAME]'s
systems and data are required to adhere strictly to this Data Classification,
Protection & Retention Policy.
o Any deviation, negligence, or unauthorized behaviour related to access
controls shall be treated as a policy violation.
3. Violation Categories and Examples
o Violations include, but are not limited to:
▪ Sharing or disclosing user credentials
▪ Unauthorized access to systems or data
▪ Failure to remove access during offboarding
▪ Use of shared accounts without approval
▪ Misuse of privileged access
4. Disciplinary Actions
o Depending on the severity, intent, and impact of the violation, disciplinary
actions may include:
▪ Verbal or written warning
▪ Suspension of access rights
▪ Formal HR disciplinary procedures
▪ Termination of employment or contract
▪ Legal action under applicable laws and regulations
5. Incident Management and Reporting
o All suspected or actual access violations must be reported immediately to
the Information Security Team or Security & Compliance Office.
o The incident must be documented and managed as per the
organization's Incident Management Policy.
6. Corrective and Preventive Actions (CAPA)
o Upon conclusion of an investigation, appropriate CAPA measures shall be
taken to mitigate recurrence.
o These may include additional training, technical controls, updates to
workflows, or enhanced monitoring.
7. Appeals and Review Process
o Individuals subject to disciplinary actions may appeal in writing to the
CISO or the designated Appeals Review Committee within 5 working days
of notice.
o The outcome of the appeal process shall be final and documented.
8. Retention of Records
o All enforcement records including investigation reports, logs, evidence,
and communication must be retained securely for a minimum of 24
months, or longer if mandated by regulatory or legal requirements.
11. POLICY EXCEPTIONS
1. Request for Exception
o Any deviation from the defined standards in this Data Classification,
Protection & Retention Policy must be requested formally using the IT
Policy Exception Request Form.
o Requests must contain:
▪ Business justification and scope of the exception
▪ Duration for which the exception is needed
▪ Risk assessment and impact analysis
▪ Any proposed compensating controls
2. Approval Workflow
o All exception requests must follow a structured multi-level approval
process:
Level | Approver
Level 1 | Department Head / Business Unit Owner
Level 2 | Application/System Owner
Level 3 | Information Security Officer (ISO)
Level 4 | Chief Information Security Officer (CISO)
o The CISO holds final authority to approve, deny, or revoke an exception.
3. Documentation and Register Maintenance
o Approved exceptions must be recorded in the Exception Register
maintained by the Security & Compliance Office.
o Each entry must include requester details, approval chain, expiry date,
and applicable controls.
4. Time Bound Validity and Review
o Exceptions must be time-bound and reviewed periodically.
o Default maximum validity shall not exceed 90 days unless formally
extended and reapproved.
o Active exceptions shall be reviewed monthly to ensure continued
relevance and risk containment.
5. Compensating Controls
o If an exception introduces additional risk, mitigating or compensating
controls must be enforced. Examples include:
▪ Enhanced logging and monitoring
▪ Restricting access scope or duration
▪ Additional user validation or supervision
6. Revocation and Audit
o The CISO reserves the right to revoke an exception if:
▪ The associated risk becomes unacceptable
▪ The business justification no longer applies
▪ Evidence of misuse or policy breach is found
o All exceptions shall be subject to review during internal and external
audits.
o Non-compliance with the approved terms of the exception may lead to
enforcement actions as defined in Section 11.
12. ESCALATION MATRIX
In case of access management-related issues, violations, or delays in provisioning/de-provisioning,
the following escalation structure shall be followed to ensure timely resolution and appropriate
accountability:
Escalation Level | Role/Designation | Responsibility | Contact Mode
Level 1 | Reporting Manager / Team Lead | First-level resolution and access validation | Email / Ticketing Tool
Level 2 | System/Application Owner | Review of access alignment with business roles | Email / Phone
Level 3 | IT Operations Manager | Resolution of system-level or technical delays | Internal escalation call
Level 4 | Information Security Officer (ISO) | Security assurance and compliance validation | Email / Escalation Tool
Level 5 | Chief Information Security Officer | Final authority on policy enforcement and risk mitigation | Direct escalation via email / formal report
• Escalations must be documented through the ITSM tool or equivalent service
desk system.
• Each escalation must include clear description of the issue, impacted
users/systems, time of initial request, and business impact.
• SLAs for resolution based on priority level shall be defined and tracked by the IT
Service Management function.
13. POLICY REVIEW AND MAINTENANCE
To ensure continued relevance, accuracy, and compliance with evolving legal,
regulatory, and operational requirements, this policy will be reviewed and updated on
a defined schedule or as required by significant changes in the business environment.
13.1 Review Frequency
• This policy shall be formally reviewed at least once every 12 months
• Additional reviews may be initiated based on:
o New regulatory or contractual requirements (e.g., updates to ISO 27001,
DPDP Act, GDPR)
o Major changes to IT systems, data flows, or organizational structure
o Results of internal or external audits
o Security incidents or classification breaches
13.2 Review and Update Responsibilities
Role | Responsibility
Policy Owner (CISO) | Owns the policy, coordinates the review process, and initiates updates
Privacy Officer / DPO | Ensures the policy aligns with data protection laws and retention obligations
Legal & Compliance | Validates alignment with legal holds, retention rules, and regulatory changes
IT / Data Stewards | Provide input on system capabilities, automation feasibility, and enforcement mechanisms
13.3 Version Control and Documentation
• Every change to this policy will be assigned a version number, approval date,
and summary of changes
• The most recent version will be published on [ORG NAME]’s internal policy portal
or document repository
• Archived versions will be retained for a minimum of 3 years for audit purposes