Supported editions for this feature: Frontline Standard; Enterprise; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; Enterprise Essentials Plus.
Drive DLP and Chat DLP are available to Cloud Identity Premium users who also have a Google Workspace license. For Drive DLP, the license must include the Drive log events.
As an administrator, you can create policies that automatically apply labels to Drive files to support your organization's data security needs. These labels are applied when a file is created or the owner of the file changes. You set Data classification policies by organizational unit or group, so you can specify different labels for different sets of users or shared drives.
Data classification labels can be applied to any Google Drive file and use Drive labels with options list field types.
Before you begin
Before you can use Drive labels with new files, you must:
- Understand the purpose and functionality of Drive labels. For details, go to Get started as a Drive labels admin.
- Create a label with a field that takes an options list value, or know of existing labels you want to use.
Data classification settings allow you to apply classification labels to new Drive files, based on the file ownership (either of an individual or a shared drive) within an organizational unit or group. Users and shared drives can belong to different organizational units, so they can have different automated classification policies.
When a file’s ownership changes, the automatic classification settings are applied based on the new owner, but any existing labels aren't changed. For example, if a user moves a file from My Drive to a shared drive, the shared drive's labels are applied. Conversely, if a user moves a file from a shared drive to My Drive, the user's organizational unit or group labels are applied.
Data classification settings let you directly apply labels to new files created by a segment of users (such as the Legal organizational unit). To protect specific sensitive content (such as a passport number), use DLP rules instead. To apply labels to new files only when they are owned by specific users or shared drives, use Data classification.
It might help to think of:
- Automated data classification settings as default labels: These labels act as a safety net for all documents created by certain users, like Legal. They provide blanket coverage and are not precise. This is useful if you want to protect an entire team in the same way, such as applying the label Legal to all files created by the legal team.
- DLP (data loss prevention) rules as a targeted, precise method to add labels and field values: These labels are added in direct response to sensitive data, such as a passport number. The precision can result in false positives and less than total coverage of your organization’s Drive documents.
You might want users to always fill out the value of a certain label field. For example, you might want to assign a File Sensitivity level, such as Top Secret, Internal, Public, or Personal, to all files.
You can accomplish this by creating a File Sensitivity label with a required field called Classification that has the four options. The automated classification policy applies the File Sensitivity label to new files, and highlights the required field to remind users to provide the label value.
If needed, you can set a default value for a selection field and then users can change the value if the default isn't correct.
If you want users to be able to edit field values for or remove the labels applied through a data classification policy, you must grant them permission from the label manager. For details, see Set who can view or use a label.
In some cases, you might want to apply labels that users can’t view or edit. Data classification labels are applied to new files regardless of the user's permissions on the label.
Data classification settings and DLP rules
Labels can be applied to a file by both Data classification and DLP rules. Labels applied with DLP rules always take priority over labels applied with Data classification.
Data classification settings and users
Labels are applied automatically when a user creates a file, transfers ownership to another user, or moves a file into a shared drive. The Data classification policy applies a label and can apply default values for selection fields. We recommend that you use the required field setting in the label manager to encourage users to apply fields. User permissions on the label don't impact the ability to apply a label through data classification. Data classification can be used to apply labels that users cannot modify or remove (or even see).
Labels that are associated with Data classification settings are locked in the label manager. This prevents edits to labels that could break business policies. To unlock a label, remove it from all Data classification settings. Disabling or deleting labels that are used in Data classification settings is not allowed. Also, you can’t create Data classification settings with disabled labels.
Apply labels to new files by owner's organizational unit or group
- Sign in to your Google Admin console. Sign in using your administrator account (does not end in @gmail.com).
- In the Admin console, go to Menu > Security > Access and data control > Data classification.
- If there are no labels listed in the label manager:
  - Click Create labels.
  - Create new labels.
  - Return to these instructions.
- If needed, click Turn on labels to activate labels in the label manager.
- Under Default classification, next to Drive and Docs, click Manage.
- To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group. For example, if you select the group Finance, the labels you configure apply to files created by users in Finance.
Note: If a user is a member of both organizational units and groups with data classification policies, the group-based labels are applied, up to the 20-label limit.
- Click Select labels > Add Label.
- Select the labels you want to use. Note: You can’t create Data classification policies with disabled labels, unpublished changes to labels, or labels that don't have a field with an options list.
- (Optional) Set a default value for an options-list field. Select the value from the options and click Save. For multi-select fields, you can select more than one default option.
Note: Default field values set for a user’s group take precedence over default field values set for the user’s organizational unit. If the user belongs to more than one group, default field values are applied in order of group priority.
- Click Continue. Review the selected labels.
- Click Save. The Apply labels page lists the labels applied under Configuration.
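A pre-flight check for a planned policy, as an added example (not Google's code and not an Admin console or Drive API): it models the label eligibility rule, the group-over-organizational-unit default precedence, and the 20-label limit from the notes above. The data structures, function names, and the Retention, Notes and Contractors entries are constructed for illustration, and group priority is assumed to be the order of the list passed in.

```python
from dataclasses import dataclass

LABEL_LIMIT = 20  # label limit stated in the note on group and OU membership

@dataclass
class Label:  # constructed model of a label's state in the label manager
    enabled: bool = True
    unpublished_changes: bool = False
    has_options_field: bool = True

def rejected_labels(policy, catalog):
    """Map each label the policy cannot use to the reason given in the steps."""
    reasons = {}
    for name in policy:
        label = catalog[name]
        if not label.enabled:
            reasons[name] = "disabled"
        elif label.unpublished_changes:
            reasons[name] = "unpublished changes"
        elif not label.has_options_field:
            reasons[name] = "no options-list field"
    return reasons

def effective_default(label_name, group_policies, ou_policy):
    """Group defaults beat OU defaults; groups are checked in priority order."""
    for policy in group_policies:  # assumption: list is sorted by group priority
        if policy.get(label_name) is not None:
            return policy[label_name]
    return ou_policy.get(label_name)

def exceeds_label_limit(group_policies):
    """True if a user's group policies name more labels than LABEL_LIMIT."""
    distinct = {name for policy in group_policies for name in policy}
    return len(distinct) > LABEL_LIMIT

# Constructed sample plan: each policy maps label name -> default option or None.
CATALOG = {
    "File Sensitivity": Label(), "Legal": Label(),
    "Retention": Label(unpublished_changes=True),
    "Notes": Label(has_options_field=False),
}
OU_LEGAL = {"File Sensitivity": "Internal", "Legal": None}
GROUP_FINANCE = {"File Sensitivity": "Top Secret", "Retention": None}
GROUP_CONTRACTORS = {"File Sensitivity": "Public", "Notes": None}

if __name__ == "__main__":
    groups = [GROUP_FINANCE, GROUP_CONTRACTORS]  # Finance has higher priority
    print(rejected_labels(GROUP_FINANCE, CATALOG))
    print(effective_default("File Sensitivity", groups, OU_LEGAL))
```

Running the check before saving a policy shows which labels the selection step would refuse and which default value a user in several groups would actually receive.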
Data classification known issues
Resellers can manage Data classification rules that depend on labels but cannot manage labels in the label manager. Full support for Data classification for resellers managing resold domains is planned for a future update. This is similar to the limited support offered through the Drive label manager. Go to Manage Drive labels for details.