ABSTRACTData security is a critical concern for organizations. In a rush to protect data, some IT managers overlook the important first step of data classification and instead focus on implementing the strictest controls on all data to reduce risk. To investigate organizational processes surrounding data classification, we conduct interviews with 27 CISOs in 23 organizations. We develop a model that identifies the common themes of data classification and their interrelationships. The most common driver for data classification is compliance with data privacy regulations and security standards. Collaboration and employee education are essential to the process. Increases in employee awareness of data security risk and improvements in data hygiene are outcomes. Challenges to data classification include the increase in IT landscape complexity, maintenance of an accurate data inventory, immaturity of automated tools, limited resources, and user compliance. Our model provides insights for practitioners and identifies areas of interest for researchers.