A company classifies its data into four sensitivity levels: Public, Internal, Confidential, and Restricted. Which type of data would typically be classified as 'Restricted' and require the highest level of security controls?
SSNs (PII), payment cards (PCI DSS), and health records (HIPAA PHI) are Restricted data — subject to strict regulations, requiring maximum security controls and access restrictions.
Why this answer
Option B is correct because Restricted data, under Google Cloud's data classification framework, includes personally identifiable information (PII) such as Social Security Numbers, payment card numbers (PCI DSS), and protected health information (PHI). These require the highest security controls, including encryption at rest and in transit, strict IAM policies, and Data Loss Prevention (DLP) API scanning to prevent unauthorized access or leakage.
Exam trap
Google Cloud often tests the distinction between Confidential and Restricted data. Candidates mistakenly assume that any sensitive business document (like a product roadmap) qualifies as Restricted, but Restricted is reserved for data with legal or regulatory compliance requirements (e.g., PII, PHI, PCI).
How to eliminate wrong answers
Option A is wrong because public press releases and marketing materials are classified as Public data, which requires no access controls and is intended for unrestricted distribution.
Option C is wrong because internal meeting notes and project status reports are typically classified as Internal data, which may require basic access controls but not the highest security level.
Option D is wrong because product roadmap documents shared only with the product team are typically Confidential data, which requires access restrictions but not the stringent controls (e.g., encryption, DLP, audit logging) mandated for Restricted data.