As an Admin, you can create policies to apply labels to Drive files to support company data security needs. These labels are applied through automated Data classification settings based on organizational structure.
These features work for all Google Drive files, and use Drive labels and fields (sometimes known as metadata).
Before you begin
Data classification settings allow you to apply classification labels to new Drive files, based on the file ownership (either of an individual or a shared drive) within an organizational unit or group. Note that users can belong to different organizational units, which means users and shared drives can already have different automated classification policies.
Note that when a file’s ownership changes, the automatic classification settings are applied to the new owner. For example, if I move a file from My Drive into my team's shared drive, the shared drive's labels are applied. Conversely, if I move a file out of my team's shared drive, my labels are applied.
Using data classification settings is a direct way to apply labels to new files created by a segment of users (such as the Legal organizational unit, for example). If you need to protect specific sensitive content (such as a Social Security Number), DLP rules are recommended. If you only want to apply labels to new files when they are owned by specific users or shared drives, use Data classification.
It might help to think of:
- Automated data classification settings as default labels: These are labels that act as a safety net for all documents created by certain users, like Legal. They provide blanket coverage and are not precise. This is useful if you want to protect an entire team in the same way, such as applying the label Legal to all files created by the legal team.
- DLP rules as a targeted, precise method to add labels and field values: These labels are added in direct response to sensitive data, such as a passport number. The precision can result in false positives and less than total coverage of your organization’s Drive documents.
A common customer request is the ability to encourage users to always fill out the value of a certain label field. For example, asking everyone at the company to assign a File Sensitivity level to all files, such as Top Secret, Internal, Public, or Personal.
You can accomplish this by creating a File Sensitivity label with a field called Classification that has these four options, applying this label for all employees at the company through the Admin console, and then marking that field as required in the label manager. The automated classification setting will apply the blank File Sensitivity label to all files at the company, and then the required field checkbox displays to remind end users to provide the label value.
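The File Sensitivity scenario above leaves two gaps worth checking: files that carry the label with a blank Classification field, and files that never received the label. The following audit is an added example, not part of the original documentation; the record layout, file IDs and owner names are constructed assumptions and do not represent a Google API response.

```python
# Added example: audit a constructed file inventory for the File Sensitivity scenario.
# The record layout is an assumption for illustration, not a Google API response shape.
LABEL = "File Sensitivity"
FIELD = "Classification"
OPTIONS = {"Top Secret", "Internal", "Public", "Personal"}

# Constructed sample inventory: each file maps label name -> {field name: value or None}.
SAMPLE_FILES = [
    {"id": "file-001", "owner": "legal-ou", "labels": {LABEL: {FIELD: "Internal"}}},
    {"id": "file-002", "owner": "legal-ou", "labels": {LABEL: {FIELD: None}}},
    {"id": "file-003", "owner": "finance-group", "labels": {}},
    {"id": "file-004", "owner": "finance-group", "labels": {LABEL: {FIELD: "Secret"}}},
    {"id": "file-005", "owner": "finance-group",
     "labels": {"Legal": {}, LABEL: {FIELD: "Public"}}},
]

def classify_gap(record):
    """Return 'ok', 'unlabeled', 'blank' or 'invalid' for one file record."""
    label = record.get("labels", {}).get(LABEL)
    if label is None:
        return "unlabeled"   # default label absent; the setting covers new files only
    value = label.get(FIELD)
    if value is None or not str(value).strip():
        return "blank"       # label applied automatically, no value chosen yet
    if value not in OPTIONS:
        return "invalid"     # value is not one of the four defined options
    return "ok"

def audit(files):
    """Group file IDs by audit status."""
    report = {"ok": [], "unlabeled": [], "blank": [], "invalid": []}
    for rec in files:
        report[classify_gap(rec)].append(rec["id"])
    return report

def blank_by_owner(files):
    """Count blank Classification fields per owner, to target reminders."""
    counts = {}
    for rec in files:
        if classify_gap(rec) == "blank":
            counts[rec["owner"]] = counts.get(rec["owner"], 0) + 1
    return counts

if __name__ == "__main__":
    for status, ids in audit(SAMPLE_FILES).items():
        print(f"{status:10} {ids}")
    print("blank by owner:", blank_by_owner(SAMPLE_FILES))
```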
You must grant users permissions in the label manager for them to be able to see the labels that are available to apply, or to edit the label fields. Also, fields must be marked as required in the label manager to encourage users to provide field values. When required fields are present, the users see a message requiring them to enter a field value. Go to Manage label permissions for details.
Note that a label is applied to newly created files irrespective of the creating user's permissions on that label.
Verify that the users you select in organizational units and groups are the same users you grant label manager permissions to. This will ensure that users who need to view labels and edit label fields can do so.
Data classification settings and DLP rules
Data classification settings can add default labels to files; DLP rules can add labels and field values. In general, there is no conflict between Data classification and DLP rules. The set of labels applied to a file is the combination of the labels from both systems and any applied by the user.
Data classification settings and users
Labels are applied automatically whenever a user creates a new file. The Data classification setting applies a label only (not a field value). We also recommend that you use the required field setting to encourage users to apply fields. Data classification can be used to apply labels that users cannot modify or remove (or even see). Also, user permissions on the label don't impact the ability to apply a label through data classification settings.
- Go to Security > Data classification. If there are no labels created in the label manager, click Create labels, and create new labels and return to these instructions. Also, you might have to click Turn on labels to activate labels in the label manager.
Note: You can’t create Data classification settings with disabled labels.
- Under Apply labels, click Drive and Docs.
- Search for and select the organizational unit or group whose members should have labels applied automatically. For example, if you select the group Finance, you can then select the labels to be configured for Finance.
- Click Select labels.
- Select the labels you want to use. These labels are applied to files when a user creates a new file in Drive. These labels can have fields associated with them that users can modify. Ensure that the users in the selected organizational unit or group have permission to use the labels in the label manager so they can see the labels and modify the label fields.
- Click Continue. Review the selected labels.
- Click Save. The Apply labels page lists the labels applied under Configuration.
Data classification known issues
Resellers can manage DLP rules that depend on labels but cannot manage labels in the label manager. Full support for DLP Data classification for resellers managing resold domains is planned for a future update. This is similar to the limited support offered through the Drive label manager. Go to Manage Drive labels for details.