Have Lumen IT help you on this journey. It is not one that organisations should attempt alone.
Classification of structured data is a relatively straightforward process. Because structured data is stored in database or other fixed format contexts, rules can be applied that match typical formats of items such as PII and PCI: Credit Cards, Email addresses, Street Addresses, DOB, Drivers' Licenses, Passport numbers, and so on.
The classification process then allows the application of a sensitivity classification to be applied, which can then be enforced.
However, the true challenge comes when attempting to classify unstructured data. It is often buried in formats that aren't so kind to simple pattern matching algorithms as seens for structured data. Not only is the structured content in unstrutctured documents sometimes irregular, imagine attempting to decide whether a 100-page report is:
Public Access
Internal Use Only
Confidential
Confidential Restricted

The solution is to take the classification task out of users hands. Our recommendation is to apply Artificial Intelligence algorithms to your unstructured content, be that in O365 repositories (OneDrive, SharePoint, Teams) or in traditional file servers (on premise on in the cloud).
The AI works to generate an accuracy of 70-80% out of the box. 2 or 3 client subject matter experts per business domain then train the model, which improves accuracy typically to over 90%.
Once accurately classified, all data can then be protected from loss across the variety of exfiltration methods.
In the world of data exfiltration, there are three common exit points, The following section discusses each. The challenge is that not one single control system can cover all. They all need bespoke technology - however what is most important is to unify the potential breaches across all.

Emailing sensitive content to an external mailbox, presents a range of possibilities for exfiltration. Consider these use cases:
Sending internal material to a client or supplier. Worse, sending content to a prospective new employer or competitor
Accidentally including the wrong recipients on the To: or CC: fields of an email.

Copying files to USB-attached devices such as memory sticks or mobile phones provides an easy exit point for data to leave your organisation.
At an advanced level, employees departing organisations present a heightened risk and more advanced controls such as idenitfying use of hacking tools, and undertaking session recording can be a way of monitoring leavers.
Cloud DLP

Uploading files and documents to cloud-based applications such as DropBox or any of the O365 applications is a normal business practice.
However preventing the movement of the wrong files (the sensitive ones) is the key to a solid DLP implementation.
If any of this resonates with you, please reach out to us to discuss your requirements for managing your information classification and data loss programs.