Beta: Enable users to classify email and attachments

Use shared labels as data classifications for Gmail.

Supported editions for this feature: Enterprise Standard and Enterprise Plus; Education Plus.  Compare your edition

To prevent inadvertently sharing sensitive information, you can create data classification labels for users to add to their email, such as Confidential or Secret.

The use of data classification labels supports and increases awareness of your company's data handling policies.

Note: This article is for trusted testers who are participating in the beta program for this feature. Google is no longer accepting trusted testers for this program.

Prerequisites for using shared Drive labels as data classifications

The Gmail data classification and Drive classifications both use Drive labels. Before you can use Drive labels, you must:

  • Understand the purpose and functionality of Drive labels. Go to Manage Drive metadata (beta) for details. If you begin to use data classification, and there are no labels configured, click Create Labels. This takes you to the Google Drive labels editor, where you can create and publish labels.
  • Gmail data classification can be turned on for organizational units and groups, so it is helpful to understand the functions of organizational units and groups. For details on organizational units, and the relationship of organizational units to groups, go to Apply policies to different users. This topic links to articles that clarify policy setting inheritance among organizational units and groups, and describes the precedence of groups over organizational units.

Gmail data classification end user experience

When Gmail data classification is implemented for an organization, users in that organization have the icon in the Gmail sidebar on the right. Users click the icon to expand the Gmail data classification add-on and read about the feature.

The icon also appears when the user starts an email message. Users click the icon at the bottom of the email they are drafting to add classifications to the email message or its attachments.

Note that the icon displays for end users only if data classification labels are defined for their organization or group.

Classified emails have a tag in square brackets, such as [Classified], which appears at the beginning of the subject for the email. An example of an email subject:

[Classified] Sales contract update

Any classifications the user applies to the email are listed at the top of the email message.

Gmail users may notice that some classifications are required. Classifications are required when the labels created in the Google Drive labels editor are designated as Required when they’re created. In this case, when the user tries to send a message, the Gmail Data Classification add-on will open in a pop-up, and require the user to add a classification to their email.

Go to the end user content for details.

Apply data classification labels

These are general steps to apply data classification labels. More specific examples follow.

You can select, edit and remove the data classification labels that apply to your organization. These steps assume you have previously created and published labels in the Google Drive Labels Editor.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Homepage, go to Security and then Access and data control and then Data classification.
  3. Under Apps, click Gmail. Click anywhere in the row.
  4. Optionally, on the left, search for and choose an organizational unit or group to use the selected data classifications. If you do not select specific organizational units, the label selections you make apply to the entire organization.

    Keep in mind that settings for a specific organizational unit are inherited from the parent organizational unit, unless you choose to override the parent’s settings. Also, group settings take precedence over organizational unit settings. Go to How the organizational structure works for details.

    Selecting labels to add for an organization or group affects every person in those entities. You cannot add labels for a single user, or any selection of individual users.

  5. Click Select Labels. Choose from available labels by selecting the checkbox for each. You'll see Create Labels if labels don't exist. Point to the label name for details. Also, you can click a link to exit to the Label Manager.
  6. Optionally, click Apply defaults to apply default field values. Select the default field values and click Save.
  7. Click Add Labels. Click Override to update organizational unit status. Now, there’s an icon next to the name of the organizational unit that has the data classifications applied to it. The icon tells you that your settings override settings for the parent organizational unit. You can also add labels at the group level.

Changes can take up to 24 hours but typically happen more quickly. Learn more

Gmail users who have labels assigned to their organizational unit or group get the Gmail Classification add-on automatically, and have the icon in the sidebar, and at the bottom of the email they are drafting.

The Gmail Classification add-on persists for the users as long as the data classification labels exist for the organizational unit or group. If you remove the labels, the Add-on is removed for the users.

Also, you cannot turn the add-on off or on for one user. In general, either all users in the organizational unit or group have the Gmail Classification add-on, or none of them have it. Exceptions can occur when a user is a member of multiple groups; the user could have Gmail Classification add-on access through each group.

Link to policies and add an email prefix

Add a link to your company's data classification policies and a subject prefix. You can do this after you initially configure labels.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Homepage, go to Security and then Access and data control and then Data classification.
  3. Under Create custom content, click anywhere in the row.
  4. Under Learn more link, add a link to your organization’s data classification policies.

    Under Subject prefix, add a prefix to the subject line of the user's email. This prefix appears at the start of the email subject in brackets. The default prefix is “Classified”.

    You can delete the default prefix of “Classified”, and leave the field blank. In this case, there’s no prefix added to the subject.

  5. Click Save.

Gmail data classification examples

The examples shown in this article assume you have already created data classification labels. The names shown in these examples are probably similar to names in your environment, but are not data native to the Gmail data classification application.

These examples assume an organizational unit structure of:

  • Acme Branding - The parent organizational unit, with these child organizational units:
    • Geo
    • IT

The security labels are:

  • Acme Core
  • Export Control
  • Security Categories

Example: Create Custom content

Link to your company's data security policies and add an email subject prefix
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Homepage, go to Security and then Access and data control and then Data classification.
  3. Under Create custom content, click anywhere in the row.
  4. Under Learn more link, add a link to your organization’s data classification policies. For example, https://acmebranding-datapolicy.com.
  5. Under Subject prefix, add a prefix to the subject line of the user's email. This prefix appears at the start of the email subject in brackets.

    For example, a prefix of “Classified” results in a subject line like this:

    [Classified] Data policy changes in our organization

    The square brackets are added automatically.

    Classified is the default prefix; you can delete it and have no prefix in your email subject.

  6. Click Save.

Example: Select labels and add default values

Select data classification labels and add default field values
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Homepage, go to Security and then Access and data control and then Data classification.
  3. Under Apps, click Gmail. You can click anywhere in the row.
  4. Choose the parent organizational unit Acme Branding. Selecting labels to add for an organization or group affects every person in those entities. You cannot add labels for a single user, or a few users.
  5. Click Select Labels.
  6. Select Acme Core.
  7. Click Apply defaults. Select the field values:
    • Confidentiality level - Internal
    • Retention - 7 years
    • Export control - EAR, ITAR
  8. Click Save.
  9. Click Add Labels. Click Override to update the organizational unit status.

This is a summary of the data classification labels created in this example:

"Result of data classification for the Acme Branding organizational unit. "

Example: Add more labels

Configure additional labels to organizational units
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Homepage, go to Security and then Access and data control and then Data classification.
  3. Under Apps, click Gmail. You can click anywhere in the row.
  4. Under the parent organizational unit, Acme Branding, choose the child organizational unit, Geo.
  5. Click Edit Label Selections.
  6. Select the Export Control label. Do not assign default values.
  7. Click Add Labels. Click Override to update the organizational unit status. The icon next to Geo on the left indicates that the Geo organizational unit has data classifications applied to it that override settings for the parent organizational unit.

    This is a summary of the data classification labels created in this part of the example:

    " Result of data classification for the Geo organizational unit."

  8. Click Save.
  9. Choose another organizational unit, IT.
  10. Click Select Labels.
  11. Select all labels. In this example, that means Acme Core, Export Control, and Security Categories.
  12. For Acme Core, assign the default value of Internal.
  13. Click Save.
  14. Click Add Labels. Click Override to update the organizational unit status. The icon next to IT on the left indicates that the IT organizational unit has data classifications applied to it that override settings for the parent organizational unit.

    This is a summary of the data classification labels created in this part of the example:

    " Result of data classification for the IT organizational unit."

Example: Modify labels

Edit a label selection
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Homepage, go to Security and then Access and data control and then Data classification.
  3. Under Apps, click Gmail. You can click anywhere in the row.
  4. Under the parent organizational unit, Acme Branding, choose the child organizational unit, Geo.
  5. Click Edit Label Selections. Modify the label selections.
  6. Click Save Changes. You receive a verification message.

Example: Remove labels

Remove a label selection
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Homepage, go to Security and then Access and data control and then Data classification.
  3. Under Apps, click Gmail. You can click anywhere in the row.
  4. Under the parent organizational unit, Acme Branding, choose the child organizational unit, Geo.
  5. Click Edit Label Selections.
  6. Deselect the checkboxes for the labels you want to remove.
  7. Click Save Changes. You receive a verification message.
  8. Click Remove Labels.
  9. Click Inherit to update the organizational unit status.

Verify label selection settings

You can search for users, groups, or organizational units to view label selection settings. This can help you troubleshoot behavior in Gmail that is affecting individual users. Remember that any Gmail data classification settings you create or change affect entire groups or organizational units. Settings cannot be added or changed for individual users.

View Gmail data classification logs

Use the security investigation tool to view Gmail data classification events, to understand these events and troubleshoot issues. The security investigation tool uses predefined filters to list Gmail data classification log events. 

The log events listed for Gmail classification are: 

  • Email classification changed
  • Attachment classification changed
  • Email classification applied
  • Attachment classification applied
  • Email classification removed
  • Attachment classification removed

The data columns shown for Gmail classification events are:

  • Previous classification
  • New classification

To view the events:

  1. Log in to the Admin console.
  2. From the Admin console Homepage, go to Security > Access and data control > Data classification.
  3. Under Classified items, click View logs. You’ll see Gmail log events specific to data classification in the security investigation tool. Go to About the security investigation tool for details.
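
When reviewing these events, removals and changes to a lower classification are usually the first ones to look at. The following triage script is an added example, not code from Google or from this article; it assumes the events have been exported to CSV, and the `Date`, `Actor` and `Event` column names, the sample rows and the sensitivity ranking are assumptions, while the event names and the two classification columns are the ones listed above.

```python
import csv
import io

# Event names as listed in this article.
REMOVED = {"Email classification removed", "Attachment classification removed"}
CHANGED = {"Email classification changed", "Attachment classification changed"}

# Assumption: your organization's own ranking of label values, lowest first.
RANK = {"Public": 0, "Internal": 1, "Confidential": 2, "Secret": 3}

# Constructed sample export; the Date/Actor/Event column names are assumed.
SAMPLE_CSV = """Date,Actor,Event,Previous classification,New classification
2024-05-01T09:00:00Z,ana@example.com,Email classification applied,,Confidential
2024-05-01T09:05:00Z,ana@example.com,Email classification changed,Confidential,Internal
2024-05-01T10:12:00Z,raj@example.com,Attachment classification removed,Secret,
2024-05-01T11:30:00Z,li@example.com,Email classification changed,Internal,Secret
2024-05-01T12:00:00Z,li@example.com,Attachment classification changed,Secret,Restricted
2024-05-01T12:10:00Z,li@example.com,Email sent,,
"""


def triage(csv_text):
    """Return (actor, event, reason) for events that lower or drop a classification."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        event = row["Event"].strip()
        prev = row["Previous classification"].strip()
        new = row["New classification"].strip()
        if event in REMOVED:
            findings.append((row["Actor"], event, f"removed {prev or 'unknown'}"))
        elif event in CHANGED:
            if prev not in RANK or new not in RANK:
                # Unknown value: surface it rather than silently treating it as safe.
                findings.append((row["Actor"], event, f"unranked {prev} -> {new}"))
            elif RANK[new] < RANK[prev]:
                findings.append((row["Actor"], event, f"downgrade {prev} -> {new}"))
        # "applied" events, upgrades and unrelated rows are not findings.
    return findings


if __name__ == "__main__":
    for actor, event, reason in triage(SAMPLE_CSV):
        print(f"{actor}: {event} ({reason})")
```

Replace `RANK` with the field values defined in your own Drive labels; any value missing from it is reported as unranked instead of being ignored.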

Gmail data classification known issues

Reseller admins can't access their customers' Drive labels.

When a reseller’s customers implement Gmail data classification using Drive DLP labels, reseller admins can’t access these customer Drive labels. From the reseller admin’s point of view, there are no labels defined and no labels are configured under Security and then Access and data control and then Data classification, even if the customer admin has defined and configured labels for some of their organizational units or groups.

Inheriting classification for message threads.

Required fields must be implemented in labels in order for the email chain to inherit the classifications as the email progresses.

Mobile platform not supported.

Gmail data classification is not currently supported on mobile devices.

Audit log events are not readable.

Audit log events for changes to data classification settings are not clearly readable.
