Notification

Duet AI is now Gemini for Google Workspace. Learn more

Apply classification labels to new files automatically

Supported editions for this feature: Business Standard and Business Plus; Enterprise Starter, Enterprise Standard, and Enterprise Plus; Education Standard and Education Plus; Essentials, Enterprise Essentials, and Enterprise Essentials PlusCompare your edition

Drive DLP and Chat DLP are available to Cloud Identity Premium users who also have a Google Workspace license. For Drive DLP, the license must include the Drive log events.

As an administrator, you can create policies that automatically apply labels to Drive files to support your organization's data security needs. These labels are applied when a file is created or the owner of the file changes. You set Data classification policies by organizational unit or group, so you can specify different labels for different sets of users or shared drives.

Data classification labels can be applied to any Google Drive file and use Drive labels with options list field types.

Before you begin

Expand all  |  Collapse all

Understand and create Drive labels

Before you can use Drive labels with new files, you must:

Understand data classification settings and file Drive ownership

Data classification settings allow you to apply classification labels to new Drive files, based on the file ownership (either of an individual or a shared drive) within an organizational unit or group. Users and shared drives can belong to different organizational units, so they can have different automated classification policies.

When a file’s ownership changes, the automatic classification settings are applied based on the new owner, but any existing labels aren't changed. For example, if a user moves a file from My Drive to a shared drive, the shared drive's labels are applied. Conversely, if a user moves a file from a shared drive to My Drive, the user's organizational unit or group labels are applied.

Understand the difference between default data classification and AI classification (beta)

While default data classification (described in this article) applies labels based on the user's organizational unit or group, AI classification requires you to train a model to recognize sensitive content in your organization. Once the model is trained, AI classification automatically analyzes new and existing files and applies labels according to file content. Learn more about AI classification.

Why use data classification settings to automatically apply labels to new Drive files rather than DLP rules?

Data classification settings let you directly apply labels to new files created by a segment of users (such as the Legal organizational unit). To protect specific sensitive content (such as a passport number), use DLP rules instead. To apply labels to new files only when they are owned by specific users or shared drives, use Data classification.

It might help to think of:

  • Automated data classification settings as default labels—These are labels that act as a safety net for all documents created by certain users, like Legal. It provides blanket coverage and is not precise. This is useful if you want to protect an entire team in the same way, such as applying the label Legal to all files created by the legal team.
  • DLP (data loss prevention) rules as a targeted, precise method to add labels and field values—These labels are added in direct response to sensitive data, such as a passport number. The precision can result in false positives and less than total coverage of your organization’s Drive documents.
Encouraging users to fill out labels using automated data classification settings and required fields

You might want users to always fill out the value of a certain label field. For example, to assign a File Sensitivity level to all files, such as Top Secret, Internal, Public, or Personal.

You can accomplish this by creating a File Sensitivity label with a required field called Classification that has the four options. The automated classification policy applies the File Sensitivity label to new files, and highlights the required field to remind users to provide the label value.

If needed, you can set a default value for a selection field and then users can change the value if the default isn't correct.

Ensure users have permission to use the label if they need to be able to change field values

If you want users to be able to edit field values for or remove the labels applied through a data classification policy, you must grant them permission from the label manager. For details, see Set who can view or use a label.

In some cases, you might want to apply labels that users can’t view or edit. Data classification labels are applied to new files whatever the user's permissions on a label are.

What is the interaction between Data classification settings, DLP rules, and users?

Data classification settings and DLP rules

Labels can be applied to a file by both Data classification and DLP rules. Labels applied with DLP rules always take priority over labels applied with Data classification.

Data classification settings and users

Labels are applied automatically when a user creates a file, transfers ownership to another user, or moves a file into a shared drive. The Data classification policy applies a label and can apply default values for selection fields. We recommend that you use the required field setting in the label manager to encourage users to apply fields. User permissions on the label don't impact the ability to apply a label through data classification. Data classification can be used to apply labels that users cannot modify or remove (or even see).

Understand label locking

Labels that are associated with Data classification settings are locked in the label manager. This prevents edits to labels that could break business policies. Unlock the label by removing it from all Data classification settings. Disabling or deleting labels that are used in Data classification settings are not allowed. Also, you can’t create Data classification settings with disabled labels.

Apply labels to new files by owner's organizational unit or group

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu ""and then"" Securityand thenAccess and data controland thenData classification.
  3. If there are no labels listed in the label manager:
    1. Click Create labels.
    2. Create new labels
    3. Return to these instructions.
  4. If needed, click Turn on labels to activate labels in the label manager.
  5. Under Default classification, next to Drive and Docs, click Manage.
  6. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group. For example, if you select the group Finance, the labels you configure apply to files created by users in Finance.

    Note: If a user is a member of both organizational units and groups with data classification policies, the group-based labels are applied, up to the 20-label limit.

  7. Click Select labelsand thenAdd Label.
  8. Select the labels you want to use. Note: You can’t create Data classification policies with disabled labels, unpublished changes to labels, or labels that don't have a field with an options list.
  9. (Optional) Set a default value for an options-list field. Select the value from the options and click Save. For multi-select fields, you can select more than one default option.

    Note: Default field values set for a user’s group take precedence over default field values set for the user’s organizational unit. If the user belongs to more than one group, default field values are applied in order of group priority.

  10. Click Continue. Review the selected labels.
  11. Click Save. The Apply labels page lists the labels applied under Configuration.

Data classification known issues

Reseller support

Resellers can manage Data classification rules that depend on labels but cannot manage labels in the label manager. Full support for Data classification for resellers managing resold domains is planned for a future update. This is similar to the limited support offered though the Drive label manager. Go to Manage Drive labels for details.

Was this helpful?

How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Search
Clear search
Close search
Google apps
Main menu
1137593890739420340
true
Search Help Center
true
true
true
true
true
73010