Supported editions for this feature: Enterprise Standard and Enterprise Plus; Education Plus.
To prevent inadvertently sharing sensitive information, you can create data classification labels for users to add to their email, such as Confidential or Secret.
The use of data classification labels supports and increases awareness of your company's data handling policies.
Note: This article is for trusted testers who are participating in the beta program for this feature. Google is no longer accepting trusted testers for this program.
Prerequisites for using shared Drive labels as data classifications
The Gmail data classification and Drive classifications both use Drive labels. Before you can use Drive labels, you must:
- Understand the purpose and functionality of Drive labels. Go to Manage Drive metadata (beta) for details. If you begin to use data classification, and there are no labels configured, click Create Labels. This takes you to the Google Drive labels editor, where you can create and publish labels.
- Gmail data classification can be turned on for organizational units and groups, so it is helpful to understand the functions of organizational units and groups. For details on organizational units, and the relationship of organizational units to groups, go to Apply policies to different users. This topic links to articles that clarify policy setting inheritance among organizational units and groups, and describes the precedence of groups over organizational units.
Gmail data classification end user experience
When Gmail data classification is implemented for an organization, users in that organization have the icon in the Gmail sidebar on the right. Users click the icon to expand the Gmail data classification add-on and read about the feature.
The icon also appears when the user starts an email message. Users click the icon at the bottom of the email they are drafting to add classifications to the email message or its attachments.
Note that the icon displays for end users only if data classification labels are defined for their organization or group.
Classified emails have a tag in square brackets, such as [Classified], which appears at the beginning of the subject for the email. An example of an email subject:
[Classified] Sales contract update
Any classifications the user applies to the email are listed at the top of the email message.
Gmail users may notice that some classifications are required. Classifications are required when the labels created in the Google Drive labels editor are designated as Required when they’re created. In this case, when the user tries to send a message, the Gmail Data Classification add-on will open in a pop-up, and require the user to add a classification to their email.
Go to the end user content for details.
Apply data classification labels
These are general steps to apply data classification labels. More specific examples follow.
You can select, edit and remove the data classification labels that apply to your organization. These steps assume you have previously created and published labels in the Google Drive Labels Editor.
- Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- From the Admin console Homepage, go to Security > Access and data control > Data classification.
- Under Apps, click Gmail. Click anywhere in the row.
- Optionally, on the left, search for and choose an organizational unit or group to use the selected data classifications. If you do not select specific organizational units, the label selections you make apply to the entire organization.
Keep in mind that settings for a specific organizational unit are inherited from the parent organizational unit, unless you choose to override the parent’s settings. Also, group settings take precedence over organizational unit settings. Go to How the organizational structure works for details.
Selecting labels to add for an organization or group affects every person in those entities. You cannot add labels for a single user, or any selection of individual users.
- Click Select Labels. Choose from available labels by selecting the checkbox for each. You'll see Create Labels if labels don't exist. Point to the label name for details. Also, you can click a link to exit to the Label Manager.
- Optionally, click Apply defaults to apply default field values. Select the default field values and click Save.
- Click Add Labels. Click Override to update organizational unit status. Now, there’s an icon next to the name of the organizational unit that has the data classifications applied to it. The icon tells you that your settings override settings for the parent organizational unit. You can also add labels at the group level.
Changes can take up to 24 hours but typically happen more quickly.
Gmail users who have labels assigned to their organizational unit or group get the Gmail Classification add-on automatically, and have the icon in the sidebar, and at the bottom of the email they are drafting.
The Gmail Classification add-on persists for the users as long as the data classification labels exist for the organizational unit or group. If you remove the labels, the Add-on is removed for the users.
Also, you cannot turn the add-on off or on for one user. In general, either all users in the organizational unit or group have the Gmail Classification add-on, or none of them have it. Exceptions can occur when a user is a member of multiple groups; the user could have Gmail Classification add-on access through each group.
Link to policies and add an email prefix
Add a link to your company's data classification policies and a subject prefix. You can do this after you initially configure labels.
- Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- From the Admin console Homepage, go to Security > Access and data control > Data classification.
- Under Create custom content, click anywhere in the row.
- Under Learn more link, add a link to your organization’s data classification policies.
- Under Subject prefix, add a prefix to the subject line of the user's email. This prefix appears at the start of the email subject in brackets. The default prefix is “Classified”.
You can delete the default prefix of “Classified”, and leave the field blank. In this case, there’s no prefix added to the subject.
- Click Save.
Gmail data classification examples
The examples shown in this article assume you have already created data classification labels. The names shown in these examples are probably similar to names in your environment, but are not data native to the Gmail data classification application.
These examples assume an organizational unit structure of:
- Acme Branding - The parent organizational unit, with these child organizational units:
- Geo
- IT
The security labels are:
- Acme Core
- Export Control
- Security Categories
Example: Create Custom content
Link to your company's data security policies and add an email subject prefix
- Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- From the Admin console Homepage, go to Security > Access and data control > Data classification.
- Under Create custom content, click anywhere in the row.
- Under Learn more link, add a link to your organization’s data classification policies. For example, https://acmebranding-datapolicy.com.
- Under Subject prefix, add a prefix to the subject line of the user's email. This prefix appears at the start of the email subject in brackets.
For example, a prefix of “Classified” results in a subject line like this:
[Classified] Data policy changes in our organization
The square brackets are added automatically.
Classified is the default prefix; you can delete it and have no prefix in your email subject.
- Click Save.
Example: Select labels and add default values
Select data classification labels and add default field values
- Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- From the Admin console Homepage, go to Security > Access and data control > Data classification.
- Under Apps, click Gmail. You can click anywhere in the row.
- Choose the parent organizational unit Acme Branding. Selecting labels to add for an organization or group affects every person in those entities. You cannot add labels for a single user, or a few users.
- Click Select Labels.
- Select Acme Core.
- Click Apply defaults. Select the field values:
- Confidentiality level - Internal
- Retention - 7 years
- Export control - EAR, ITAR
- Click Save.
- Click Add Labels. Click Override to update the organizational unit status.
This is a summary of the data classification labels created in this example:
Example: Add more labels
Configure additional labels to organizational units
- Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- From the Admin console Homepage, go to Security > Access and data control > Data classification.
- Under Apps, click Gmail. You can click anywhere in the row.
- Under the parent organizational unit, Acme Branding, choose the child organizational unit, Geo.
- Click Edit Label Selections.
- Select the Export Control label. Do not assign default values.
- Click Add Labels. Click Override to update the organizational unit status. Geo on the left indicates that the Geo organizational unit has data classifications applied to it that override settings for the parent organizational unit.
This is a summary of the data classification labels created in this part of the example:
- Click Save.
- Choose another organizational unit, IT.
- Click Select Labels.
- Select all labels. In this example, that means Acme Core, Export Control, and Security Categories.
- For Acme Core, assign the default value of Internal.
- Click Save.
- Click Add Labels. Click Override to update the organizational unit status. IT on the left indicates that the IT organizational unit has data classifications applied to it that override settings for the parent organizational unit.
This is a summary of the data classification labels created in this part of the example:
Example: Modify labels
Edit a label selection
- Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- From the Admin console Homepage, go to Security > Access and data control > Data classification.
- Under Apps, click Gmail. You can click anywhere in the row.
- Under the parent organizational unit, Acme Branding, choose the child organizational unit, Geo.
- Click Edit Label Selections. Modify the label selections.
- Click Save Changes. You receive a verification message.
Example: Remove labels
Remove a label selection
- Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- From the Admin console Homepage, go to Security > Access and data control > Data classification.
- Under Apps, click Gmail. You can click anywhere in the row.
- Under the parent organizational unit, Acme Branding, choose the child organizational unit, Geo.
- Click Edit Label Selections.
- Deselect the checkboxes for the labels you want to remove.
- Click Save Changes. You receive a verification message.
- Click Remove Labels.
- Click Inherit to update the organizational unit status.
Verify label selection settings
You can search for users, groups, or organizational units to view label selection settings. This can help you troubleshoot behavior in Gmail that is affecting individual users. Remember that any Gmail data classification settings you create or change affect entire groups or organizational units. Settings cannot be added or changed for individual users.
View Gmail data classification logs
Use the security investigation tool to view Gmail data classification events, to understand these events and troubleshoot issues. The security investigation tool uses predefined filters to list Gmail data classification log events.
The log events listed for Gmail classification are:
- Email classification changed
- Attachment classification changed
- Email classification applied
- Attachment classification applied
- Email classification removed
- Attachment classification removed
- Previous classification
- New classification
- Log in to the Admin console.
- From the Admin console Homepage, go to Security > Access and data control > Data classification.
- Under Classified items, click View logs. You’ll see Gmail log events specific to data classification in the security investigation tool. Go to About the security investigation tool for details.
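One way to triage these events once they have been exported from the investigation tool, flagging classifications that were removed or lowered (an added example, not part of Google's documentation or tooling). Only the event names come from the list above; the CSV column names, the sample rows and the sensitivity ordering are assumptions constructed for illustration.

```python
import csv
import io

# Event names as listed on this page.
REMOVED = {"Email classification removed", "Attachment classification removed"}
CHANGED = {"Email classification changed", "Attachment classification changed"}

# ASSUMPTION: this organization's field values, ordered lowest sensitivity first.
RANK = {"Internal": 1, "Confidential": 2, "Secret": 3}

# Constructed sample export. Column names are hypothetical, not Google's schema.
SAMPLE_CSV = """date,actor,event,previous_classification,new_classification
2024-05-01T09:00:00Z,ana@example.com,Email classification applied,,Confidential
2024-05-01T09:05:00Z,ana@example.com,Email classification changed,Confidential,Internal
2024-05-01T10:12:00Z,raj@example.com,Attachment classification changed,Internal,Secret
2024-05-01T11:30:00Z,raj@example.com,Attachment classification removed,Secret,
2024-05-02T08:45:00Z,li@example.com,Email classification changed,Secret,Restricted
"""


def load(text):
    """Parse exported CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows):
    """Return (reason, row) pairs for events that lower or drop a classification."""
    findings = []
    for row in rows:
        event = row["event"].strip()
        prev = row["previous_classification"].strip()
        new = row["new_classification"].strip()
        if event in REMOVED:
            findings.append(("removed", row))
        elif event in CHANGED:
            if prev not in RANK or new not in RANK:
                # Unknown value: surface for manual review instead of guessing.
                findings.append(("unranked", row))
            elif RANK[new] < RANK[prev]:
                findings.append(("downgrade", row))
    return findings


if __name__ == "__main__":
    for reason, row in triage(load(SAMPLE_CSV)):
        print(reason, row["date"], row["actor"], row["event"],
              row["previous_classification"], "->", row["new_classification"])
```

Upgrades and newly applied classifications are deliberately not reported, and values missing from `RANK` are surfaced as `unranked` so that a new label field value is never silently treated as safe.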
Gmail data classification known issues
Reseller admins can't access their customer's Drive labels. When a reseller’s customers implement Gmail data classification using Drive DLP labels, reseller admins can’t access these customer Drive labels. From the reseller admin’s point of view, there are no labels defined and no labels are configured under Security > Access and data control > Data classification, even if the customer admin has defined and configured labels for some of their organizational units or groups.
Required fields must be implemented in labels in order for the email chain to inherit the classifications as the email progresses.
Gmail data classification is not currently supported on mobile devices.
Audit log events for changes to data classification settings are not clearly readable.