
Object Tagging, Data Classification, and Privacy Policies

1. Object Tagging, Data Classification, and Privacy Policies

Dynamic Data Masking and Row Access Policies assume you already know which columns contain sensitive data. At Claro's scale — hundreds of tables, multiple schemas, a global user base — that's not always true. This video covers the tools Snowflake gives you to find, label, and systematically protect sensitive data.

2. The Scale Problem

Claro has hundreds of tables. Some contain operational data with no sensitivity. Others contain PII like names and emails. If you rely on people to manually identify every sensitive column, you end up with an incomplete picture that goes stale whenever a new table is added. Snowflake's approach: label what you know with tags, and let Snowflake find what you don't with data classification.

3. What is an Object Tag?

An object tag is a metadata label attached to a Snowflake object. It doesn't change what the column does or who can query it; it only attaches searchable metadata to it. Tags have many uses: sensitivity labeling is one common example, but tags are also used for cost allocation, data ownership, and compliance tracking. Tags are key-value pairs. You might create a tag called sensitivity with values PII, Confidential, and Internal, then apply sensitivity equals PII to Claro's email and credit score columns. Anyone with access to account metadata can now find every PII column without inspecting tables individually.

4. Creating and Applying a Tag

Tags are schema-level objects: they live inside a schema just like a table or view, so they inherit the schema's access control. First, create the tag with defined allowed values: this prevents free-text tags that become inconsistent over time. Then apply it to Claro's email column using ALTER TABLE MODIFY COLUMN SET TAG. TAG_REFERENCES lets you query which objects have been tagged and with what values. That query gives the compliance team a view across the account of everything labelled as PII.

5. Tag Inheritance

Tags support inheritance. Apply a tag at the schema level and every table and column within that schema automatically inherits it — useful for bulk labelling rather than tagging hundreds of individual columns. Tags applied at a lower level override inherited ones, so you can still be specific where needed.
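The steps from "Creating and Applying a Tag" and "Tag Inheritance", written out as an added example that is not part of the original video. The database `claro`, the schemas `governance` and `crm`, and the table `customers` are hypothetical names; the final query goes one step beyond the text by listing PII-tagged columns that have no masking policy attached directly.

```sql
-- Hypothetical objects: database CLARO, schemas GOVERNANCE and CRM, table CUSTOMERS.

-- 1. Create the tag with a closed set of allowed values (no free-text labels).
CREATE TAG IF NOT EXISTS claro.governance.sensitivity
  ALLOWED_VALUES 'PII', 'Confidential', 'Internal'
  COMMENT = 'Data sensitivity label maintained by the compliance team';

-- 2. Bulk labelling: every table and column in the schema inherits this value.
ALTER SCHEMA claro.crm
  SET TAG claro.governance.sensitivity = 'Internal';

-- 3. Column-level tags override the inherited schema value.
ALTER TABLE claro.crm.customers
  MODIFY COLUMN email SET TAG claro.governance.sensitivity = 'PII';
ALTER TABLE claro.crm.customers
  MODIFY COLUMN credit_score SET TAG claro.governance.sensitivity = 'PII';

-- 4. Resolve the effective value for one column. The LEVEL column shows
--    whether the value was set on the column itself or inherited.
SELECT tag_name, tag_value, level
FROM TABLE(claro.INFORMATION_SCHEMA.TAG_REFERENCES(
       'claro.crm.customers.email', 'COLUMN'));

-- 5. Account-wide view of everything explicitly labelled PII.
--    ACCOUNT_USAGE views lag behind live changes and record direct
--    assignments only, not values inherited from a schema.
SELECT object_database, object_schema, object_name, column_name
FROM SNOWFLAKE.ACCOUNT_USAGE.TAG_REFERENCES
WHERE tag_name = 'SENSITIVITY'
  AND tag_value = 'PII'
  AND domain = 'COLUMN'
  AND object_deleted IS NULL;

-- 6. Gap check: PII-tagged columns with no masking policy set on the column.
--    Assumption: columns protected only through a tag-based masking policy
--    may need a separate check against the policy's TAG_NAME reference.
SELECT t.object_database, t.object_schema, t.object_name, t.column_name
FROM SNOWFLAKE.ACCOUNT_USAGE.TAG_REFERENCES AS t
LEFT JOIN SNOWFLAKE.ACCOUNT_USAGE.POLICY_REFERENCES AS p
  ON  p.ref_database_name = t.object_database
  AND p.ref_schema_name   = t.object_schema
  AND p.ref_entity_name   = t.object_name
  AND p.ref_column_name   = t.column_name
  AND p.policy_kind       = 'MASKING_POLICY'
WHERE t.tag_name = 'SENSITIVITY'
  AND t.tag_value = 'PII'
  AND t.domain = 'COLUMN'
  AND t.object_deleted IS NULL
  AND p.policy_name IS NULL;
```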

6. What is Data Classification?

Object tags are applied manually — they rely on someone knowing a column is sensitive. Data classification is Snowflake's answer to what you don't know. It scans your tables automatically, examining column names, data types, and sample values, then identifies columns that likely contain sensitive data and maps them to standard PII categories: name, email, phone, passport numbers. For Claro, this is how the compliance team finds sensitive columns in tables built before any governance process existed.

7. How to Implement Classification

Classification results are surfaced in Snowsight. You can run classification directly on a table from the catalog, or access it through the Trust Center under the Data Security section. Either way, you can see which columns Snowflake identified as sensitive and what category each maps to. Classification gives you a starting point. Tags let you refine and extend it.

8. Privacy Policies

Tags label sensitive data. Classification finds it. Privacy policies complete the picture by connecting classification to protection. A privacy policy links a classification category — like email — to a masking policy. When Snowflake classifies a column as email, the masking policy gets applied automatically. At Claro, any new table with an email column gets masked for non-privileged roles without the compliance team having to manually wire up a policy each time.

9. Let's practice!

Time to put tagging and classification into practice. Let's go.
