• roger.plowman - Tuesday, June 27, 2017 6:38 AM

    1. Identify Sensitive vs. Really Sensitive vs. Burn Before Reading
    Sounds like common sense, but IT isn't the department that should classify what data can be seen and what can't and by whom. That job belongs to the stakeholders.
    2. Do we really need it?
    ...

    Re: 1, absolutely, but we in IT must handle the actual details of marking data as classified and dealing with it on a pragmatic basis (masking, encrypting, moving, isolating, etc.). Once someone makes decisions, we have to manage this data somehow, which implies some process. My thoughts are that we tend to do this very, very rarely.

    2. Often not. I am a fan of ensuring we capture all the data we need, even if we're unsure, but I also think that needs to be balanced in the privacy sense of not capturing secure information unless there is a need.