Object Tagging, Data Classification, and Privacy Policies

Snowflake Management, Governance & Collaboration

Emily Melhuish

Technical Curriculum Developer, Snowflake

The Scale Problem

Claro has hundreds of tables - some operational, some containing PII
Manual identification of sensitive columns is incomplete and goes stale
Label what you know with tags
Let Snowflake find what you don't with data classification

Illustration showing all tables with some labelled sensitive

What is an Object Tag?

A metadata label attached to a Snowflake object
Doesn't change what the column does or who can query it
A tag attaches searchable metadata
Tags are key-value pairs with defined allowed values
- e.g. sensitivity, PII, Confidential, ..
Makes column sensitivity visible and searchable across the account

Schema objects

Snowflake schema objects.png

Creating and Applying a Tag

CREATE TAG sensitivity
  ALLOWED_VALUES 'PII', 'Confidential', 'Internal';

ALTER TABLE core.users
  MODIFY COLUMN email
  SET TAG sensitivity = 'PII';

SELECT * FROM TABLE(
  INFORMATION_SCHEMA.TAG_REFERENCES('core.users', 'TABLE'));

¹ https://docs.snowflake.com/en/user-guide/object-tagging/introduction

Tag Inheritance

Tags applied at the schema level are inherited by all tables and columns within it
Useful for bulk labelling instead of tagging hundreds of individual columns
Tags at a lower level override inherited ones for specificity

Hierarchy diagram showing a schema-level sensitivity tag flowing down to all tables and columns within it, with one column overriding the inherited tag with a more specific value

What is Data Classification?

Object tagging

Applied manually
Object tags rely on someone knowing a column is sensitive

Data classification

Classification scans tables automatically - examining names, types, and values
Maps columns to standard PII categories: name, email, phone, passport
Finds sensitive columns in tables built before any governance process existed

How to Implement Classification

Screenshot of Snowsight data classification

¹ https://docs.snowflake.com/en/user-guide/classify-ui-trust-center

Privacy Policies

Finding sensitive data

Object tags label data
Data classification finds it

Protecting sensitive data

Privacy policies connect classification to protection automatically
Links a classification category to a masking policy
New tables with classified columns get masked without manual wiring

Let's practice!

Snowflake Management, Governance & Collaboration