Definition
Data Classification Settings is a Setup page where administrators enable and configure the data classification framework for the org. This framework allows organizations to tag fields with sensitivity levels (such as Public, Internal, Confidential, Restricted), compliance categories (GDPR, HIPAA, PCI), and data ownership information.
Real-World Example
The admin at Apex Dynamics enables Data Classification Settings and configures the default sensitivity level to "Internal" for all new custom fields. She then sets up compliance categories for GDPR and CCPA, making it mandatory for developers to classify every new field they create, ensuring the org maintains a clear inventory of sensitive data.
Why Data Classification Settings Matters
Data Classification Settings is a Setup page where administrators enable and configure the data classification framework for the entire org. Once enabled, the framework allows organizations to tag every standard and custom field with a sensitivity level (Public, Internal, Confidential, Restricted), one or more compliance categories (GDPR, HIPAA, PCI, CCPA), and a data owner. Administrators can set a default sensitivity level that automatically applies to all new custom fields — for example, defaulting to "Internal" ensures that no field is created without at least a baseline classification. The settings page also controls whether compliance categories are available and which ones appear in the classification picker.
Data Classification Settings is the foundation for data governance in Salesforce and is especially important for organizations subject to privacy regulations. Without it, there is no structured way to document what type of data each field contains, who owns it, or which regulations apply. Enabling the framework is typically one of the first steps in a data governance initiative, followed by a bulk classification effort using Data Classification Upload. Organizations that skip this step end up with an unclassified org where privacy officers cannot confidently answer auditors' questions about where PII lives and how it is protected. The settings also integrate with compliance reports and the Data Classification Download feature, creating a complete lifecycle from classification to verification.
How Organizations Use Data Classification Settings
- Apex Dynamics — Apex Dynamics' admin enabled Data Classification Settings and set the default sensitivity level to "Internal" for all new custom fields. She then configured compliance categories for GDPR and CCPA, making them visible in the field classification interface. This default ensures that developers who create fields during sprints start with at least a baseline classification, and privacy officers can easily filter for fields that need higher sensitivity levels.
- Coastal Health Network — Coastal Health Network enabled Data Classification Settings with HIPAA as a mandatory compliance category. The admin configured the framework so that all fields containing Protected Health Information (PHI) must be classified as "Restricted" with the HIPAA tag. This configuration supports their compliance audit process and integrates with their quarterly Data Classification Download reviews.
- TerraFin Banking — TerraFin Banking's data governance council used Data Classification Settings to establish four sensitivity tiers matching their internal data handling policy. They configured custom compliance categories for PCI-DSS and SOX in addition to the standard ones. The framework now enforces that every field in the org is mapped to one of these categories, and unclassified fields appear in a monthly governance report for remediation.
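The governance checks described in the Coastal Health Network and TerraFin Banking scenarios can be automated over exported field metadata. The following is an added example, not Salesforce code or part of the original page: the CSV layout and sample rows are constructed, the column names SecurityClassification and ComplianceGroup are borrowed from the FieldDefinition object, and the policy table is an assumption drawn from the scenarios above.

```python
import csv
import io

# Constructed sample export (not real org data). The CSV layout is an
# assumption; compliance tags are semicolon-separated in ComplianceGroup.
SAMPLE_EXPORT = """Object,Field,SecurityClassification,ComplianceGroup
Patient__c,SSN__c,Restricted,HIPAA;PII
Patient__c,Diagnosis__c,Confidential,HIPAA
Patient__c,Nickname__c,,
Account,Industry,Public,
Contact,Email,Internal,GDPR;CCPA
"""

# Sensitivity levels named on this page.
ALLOWED_LEVELS = ("Public", "Internal", "Confidential", "Restricted")
# Assumed policy: any field tagged HIPAA must be classified Restricted.
REQUIRED_LEVEL = {"HIPAA": "Restricted"}


def audit(export_text):
    """Return (field, problem) tuples for fields that violate the policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        name = f"{row['Object']}.{row['Field']}"
        level = (row["SecurityClassification"] or "").strip()
        raw_tags = (row["ComplianceGroup"] or "").split(";")
        tags = [t.strip() for t in raw_tags if t.strip()]
        if not level:
            # Unclassified fields feed the remediation report.
            findings.append((name, "unclassified"))
            continue
        if level not in ALLOWED_LEVELS:
            # Catches typos or values outside the agreed sensitivity tiers.
            findings.append((name, f"unknown level {level!r}"))
            continue
        for tag in tags:
            need = REQUIRED_LEVEL.get(tag)
            if need and level != need:
                findings.append(
                    (name, f"{tag} field is {level}, policy requires {need}")
                )
    return findings


if __name__ == "__main__":
    for field, problem in audit(SAMPLE_EXPORT):
        print(f"{field}: {problem}")
```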