Qatar’s leap in data security: Decoding the National Data Classification Policy

The Qatar National Cyber Security Agency’s (NCSA) recently launched National Data Classification Policy (NDCP), marks a significant step towards bolstering data security in the nation. At its core, the Policy is aimed at establishing a unified data classification system to facilitate the exchange of information throughout the country and to ensure the security of such data. It identifies the basic principles that will help in understanding the data classification and governing the important controls of protecting data through its lifecycle. While the Policy covers a broad spectrum, the key highlights and salient features are presented below:

Unified framework for governing data classification

The Policy aims to govern data classification on a national level and provide a common reference for the main principles in data management throughout its life cycle. Under the new Policy, institutions will have a unified reference for classifying data based on the risks they may be exposed to, categorised as high, medium, or low. The Policy defines five levels of classification that are to be used for government entities in Qatar, whereas non-government entities shall use a minimum of four levels of classification.

Focus on risk assessment and data governance

The Policy is based on a set of core principles, with significant emphasis on risk assessment and data governance. Organizations are required to adopt a holistic risk assessment when classifying data, to determine the sensitivity and importance of the data for the projects carried out. The risk analysis must look at the impact of the value of this data within the core business, and consider the potential risks to the confidentiality, integrity, and availability of data. For data classification to be effective, the Policy requires establishing a strong data governance framework with clearly defined roles and responsibilities for different stakeholders. Additionally, it emphasizes the importance of understanding the nature of data, adopting a lifecycle approach and balancing needs between risks and classification.

Integration of data management lifecycle

The process of classifying data must consider data lifecycle. A key tenet of the Policy is the integration with the data lifecycle approach, that requires organizations to map the level/degree of classification to the stage of data lifecycle. Accordingly, classification process/framework must follow the most important stages of the data lifecycle viz., data discovery, data classification, data protection, data reassessment and data decommission.

Implementation of security controls

The Policy requires that organizations apply the security controls to protect data depending on the level of classification selected and in accordance with applicable national standards and guidelines issued by the NCSA. Importantly, the selected controls must be subject to the state of the data, as it may be either data-in-transit, data-in-use, or data-at-rest. Further, organizations must create inter-departmental working groups to implement the initiative, conduct employee training & awareness sessions, and deploy appropriate technical solutions to facilitate the process of data classification, including data inventory, classification tools, adding tags etc.

Establishment of roles and responsibilities

The role of ‘Chief Data Officer’ is central for managing the governance and implementation program for Data Classification. The CDO’s role requires him/her to align the expectations of the business stakeholders on data security, impart the relevant skills to the different users, and develop the necessary policies and procedures. The Policy also lays down the roles of data owner, data custodian, data user, data classification specialist, and data auditor who will be responsible for various facets of data classification across the different stages of the data lifecycle. .

Conclusion

Qatar’s NDCP is a commendable step towards a secure digital future for the nation. The commitment to a robust data protection framework signals the nation’s dedication to safeguarding its digital assets and its ambition to position Qatar at the forefront of digital resilience in an interconnected global economy. With its ever-growing emphasis on technological advancements, such policy initiatives by Qatar establish a foundation of trust and integrity. However, while its introduction is commendable, the efficacy of this policy will ultimately be gauged by its robust implementation and continuous adaptation to the evolving technological and cyber threat landscape.

Get started with your NDCP journey today with SISA Radar – Data Discovery and Classification solution. Leverage SISA Radar to classify data in English and Arabic, no matter where it is located. To know more about how SISA Radar can help you in your data security and governance program, download the brochure.