Published by Sean Pedrosa on 12 November 2025

FROM LABELS TO OUTCOMES: HOW TO MAKE CLASSIFICATION CHANGE RECOVERY FOR REAL – A BLOG BY SEAN PEDROSA

Regulators want evidence and boards want outcomes. Classification earns its keep when it shortens time to recover and reduces loss. This blog sets out the patterns that link labels to controls and the tests that prove it works. 

Why data classification matters now 

Global data volumes keep climbing, with the majority of enterprise data unstructured. That scale makes manual governance impractical without discovery and automation.
Regulators are also raising the bar. DORA has been in force since 17 January 2025. It requires robust ICT risk management and operational resilience, including testing, with financial entities and their critical third parties expected to evidence their ability to withstand and recover from disruption.
In the UK public sector, Government Security Classifications set expectations for appropriate labelling and handling of information assets. Even outside government, the principle is clear: classify what matters and handle it accordingly.
On Microsoft estates, sensitivity labels have become a first-class control surface. Labels can drive encryption, access and DLP policies that travel with the content. 

Outcome first: make classification move RPO and RTO 

  • If a label does not alter a policy, it is only a tag. 
  • Map labels to controls that shorten RPO and RTO. 
  • Evidence the impact in clear board reports. 

Examples: higher-criticality data gets tighter backup schedules, immutability and off-platform copies. Crown-jewel datasets are isolated for cyber recovery with malware scanning and last-known-good selection. Less critical data gets cost-aware defaults. 

The cost-control upside (the quiet win) 

Knowing what the data is, where it lives and who owns it lets you assign accountability for how it is stored and protected. That transparency avoids over-protecting low-risk data and channels spend to what matters. 

Practical patterns: 

  • Tiered protection by label: premium storage, frequent snapshots and immutability for High-criticality; standard tiers, longer RPOs and cheaper archives for Low. 
  • Retention by label: longer, provable retention for regulated data; shorter or event-based retention for non-essential content. 
  • Chargeback/showback: report storage, backup and egress costs by label and data owner to drive informed decisions. 
  • ROT reduction: use discovery to find redundant, obsolete and trivial data and apply defensible deletion policies, reducing footprint before you protect it. 

Two lenses that keep schemes usable 

Sensitivity: who can see it and what happens if it leaks. Use low, moderate and high impact definitions aligned to the CIA triad.
Criticality: how fast the business needs it back. Tie this to your Minimum Viable Company (MVC) view and application recovery tiers so labels flow into runbooks and sequencing. MVC mapping and rehearsal workshops help formalise this, together with service catalogues. 

Start with discovery, not labels 

You cannot classify what you cannot see. Run a lightweight discovery to map where sensitive and business-critical data actually lives, especially the unstructured sprawl across shares, Microsoft 365 and SaaS.
Where Microsoft 365 is in scope, use Microsoft Purview trainable classifiers and auto-labelling to accelerate tagging across SharePoint, OneDrive and Exchange, then validate high-risk hotspots with data owners and subject-matter experts. 

Add a cost pass: identify top storage consumers and ROT candidates; quantify cost by repository and label to create a baseline for optimisation. 

Keep classification practical 

  • Keep it small. Use a handful of Sensitivity and Criticality levels with plain-English examples. 
  • Make it actionable. Each label must trigger specific protection and recovery behaviours. 
  • Be auditable. For regulated data, the label should make the required controls obvious and provable. 
  • Be accountable. Publish a simple matrix of data owners by label with showback so they see the cost and risk of their estates. 

Make labels change reality 

Bind labels to backup, disaster recovery and cyber recovery policies so the right datasets get the right frequency, immutability, isolation and restore priority. 

Prove it works 

Test, don't just document. Run a labelled restore end to end; issue a board-ready summary of results and fixes, including which assets met target RPO and RTO. Include a cost delta by label to show where optimisation reclaimed spend. 
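
The binding described under "Make labels change reality" and the labelled restore test under "Prove it works" can be expressed as a small policy-as-code check. This is an added example, not part of the original post or any Harbor tooling; the label names, RPO/RTO hours, field names and datasets are all constructed assumptions.

```python
from collections import defaultdict

# Assumed label -> control binding (hours); illustrative values, not from the post.
POLICY = {
    "High":     {"rpo_h": 1,  "rto_h": 4,  "immutable": True,  "isolated": True},
    "Moderate": {"rpo_h": 8,  "rto_h": 24, "immutable": True,  "isolated": False},
    "Low":      {"rpo_h": 24, "rto_h": 72, "immutable": False, "isolated": False},
}
# Constructed inventory: configured protection plus the last labelled restore test.
DATASETS = [
    {"name": "payments-db", "label": "High", "backup_interval_h": 1, "immutable": True, "isolated": True, "restore_h": 3.5, "data_loss_h": 0.8},
    {"name": "hr-share", "label": "High", "backup_interval_h": 4, "immutable": True, "isolated": False, "restore_h": 6.0, "data_loss_h": 3.0},
    {"name": "crm-export", "label": "Moderate", "backup_interval_h": 6, "immutable": True, "isolated": False, "restore_h": 10.0, "data_loss_h": 5.0},
    {"name": "wiki", "label": "Low", "backup_interval_h": 24, "immutable": False, "isolated": False, "restore_h": None, "data_loss_h": None},
]

def evaluate(ds, policy=POLICY):
    """Return the list of gaps for one dataset; an empty list means 'met'."""
    p = policy.get(ds["label"])
    if p is None:
        return ["unknown label: no policy bound, so the label is only a tag"]
    fails = []
    if ds["backup_interval_h"] > p["rpo_h"]:
        fails.append("backup interval exceeds RPO")
    for control in ("immutable", "isolated"):
        if p[control] and not ds[control]:
            fails.append(f"{control} copy required but missing")
    if ds["restore_h"] is None:
        fails.append("no labelled restore test on record")
    else:
        if ds["restore_h"] > p["rto_h"]:
            fails.append("restore test missed RTO")
        if ds["data_loss_h"] > p["rpo_h"]:
            fails.append("restore test missed RPO")
    return fails

def board_summary(datasets):
    """Aggregate met/failed counts and required fixes per label."""
    summary = defaultdict(lambda: {"met": 0, "failed": 0, "fixes": []})
    for ds in datasets:
        fails = evaluate(ds)
        row = summary[ds["label"]]
        row["failed" if fails else "met"] += 1
        row["fixes"] += [f"{ds['name']}: {f}" for f in fails]
    return dict(summary)

if __name__ == "__main__":
    for label, row in board_summary(DATASETS).items():
        print(label, row)
```

A dataset whose configuration looks compliant still fails here if it has no restore test on record, which matches the post's point that documentation alone is not evidence.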

Your first 90 days 

  • Weeks 1-2: Map business priorities, agree simple labels and run light discovery. 
  • Weeks 3-6: Pilot in one area. Wire labels to protection and recovery policies. 
  • Weeks 7-10: Run workshops and produce board-ready summaries, complete one labelled restore and publish the action plan. 

Common pitfalls 

Too many labels. No policy binding. Ignoring unstructured or SaaS data. No board-level reporting on RPO and RTO. Protecting everything the same and overspending on low-risk data. 

Readiness checklist 

  • Do your labels change at least one control that affects RPO or RTO? 
  • Can you show, by label, which datasets are immutable and isolated? 
  • Do runbooks use criticality to sequence recovery? 
  • Have you executed a labelled restore in the last quarter? 
  • Can you brief the board with outcomes by label (met/failed and fixes)? 

Next step: Use the checklist above to shape your first pilot. 


© Copyright 2025 Harbor Solutions. All rights reserved.
