Portfolio sample · Arcline is fictional
Arcline · Data Governance Council

Classification & Incident Response Quick Reference

The practitioner reference for the data governance framework. Tier definitions, response protocols, ownership model.

Version 2.4 · Updated Q2 2025 · Audience: Stewards & Practitioners
Section 01

Data Classification: Four Tiers

Classify all data assets by sensitivity, regulatory exposure, and business impact of unauthorized disclosure. The tier determines protections, response timelines, and the accountability chain.

Tier 1 — Restricted. Data under a regulatory mandate (GDPR Art. 9 special-category data, CCPA personal information, HIPAA PHI) or carrying contractual liquidated damages; PII above the re-identification threshold. Breach: mandatory notification within 72 hours (the GDPR Art. 33 clock for notifying the supervisory authority). Your action → Flag for DDO classification approval. Do not reclassify without DGC sign-off.
Tier 2 — Confidential. Disclosure causes material business harm but triggers no mandatory notification. Examples: pre-release financials, vendor MFN terms, pre-board audit findings. Access: named roles per the RBAC matrix (§4.1). Your action → Maintain the access list, review it quarterly, and route sharing requests through a DSA.
Tier 3 — Internal. Low risk. Departmental documents, internal communications not under litigation hold, datasets de-identified per 45 CFR §164.514(b). Baseline control: AES-256 encryption. Your action → Keep the catalog entry current. Reclassify upward if the context changes (a litigation hold is placed, or a de-identified dataset is joined with data that could re-identify individuals).
Tier 4 — Public. Cleared for release per §6.3. Reclassifying Public data upward to Restricted requires DGC approval plus a retroactive audit.
Section 02

Incident Response: What You Do and When

Step 1 — Report

File a Data Incident Report (DIR) in the GRC platform. Deadline: 4 hours from discovery.

Step 2 — Notification

The DIR auto-notifies the DGC duty officer, your Domain Data Owner (DDO), and the Information Security Incident Response Team (ISIRT).

Step 3 — Triage

DGC duty officer classifies within 2 hours of DIR receipt:

Cat A
Confirmed Tier 1, external exposure. Full breach protocol §5.3. Executive briefing within 6 hours.
Cat B
Confirmed Tier 2 or Tier 1 contained. DDO-led response §5.4. Target resolution: 48 hours.
Cat C
Suspected, unconfirmed. ISIRT investigation. 5 business days to classify or close.
Unsure if it qualifies? File the DIR. Under-reporting is the bigger risk.
Section 03

Ownership and Escalation

Every data domain has three defined roles. Governance decisions flow from Owner to Steward to Custodian. Incident reports flow in the opposite direction.

Owner

Domain Owner (VP-level)

Sets classification policy. Accountable for regulatory compliance within their domain. Makes the final call during a Category A incident.

Steward

Data Steward (day-to-day governance)

Your first point of contact for any data question. Maintains access lists and runs quarterly reviews. Coordinates with legal as needed.

Custodian

Custodians (technical implementation)

Implements controls and manages encryption. Handles access provisioning based on steward and owner directives.

For most day-to-day questions, your steward is your first contact. Escalate to the Domain Owner for classification disputes or incidents that may cross domain boundaries.