Use Workspace DLP to prevent data loss

DLP rules

Using data loss prevention (DLP), you can create and apply rules to control the content that users can share in files outside the organization. DLP gives you control over what users can share, and prevents unintended exposure of sensitive information such as credit card numbers or identity numbers.

DLP rules trigger scans of files for sensitive content, and prevents users from sharing that content. Rules determine the nature of DLP incidents, and incidents trigger actions, such as the blocking of specified content. 

You can allow controlled sharing for members of a domain, organizational unit, or group.

Summary of DLP flow:

• You define DLP rules. These rules define which content is sensitive and should be protected. DLP rules apply to both My Drive and Shared drives.
• DLP scans content for DLP rule violations that trigger DLP incidents.
• DLP enforces the rules you defined and violations trigger actions, such as alerts.
• You are alerted of DLP rule violations.

For details on:

• Drive DLP, go to Create DLP for Drive rules and custom content detectors
• Chat DLP, go to Prevent data leaks from Chat messages and attachments

Use an audit-only rule to test new DLP rules

You can test DLP rules by creating rules that don't have an optional action, such as blocking or warning users. If these rules are triggered, data related to the incident is written to the Rules audit log. Go to Create DLP for Drive rules and custom content detectors, "Step 1. Plan your rules, Use audit-only rules to test rule results" for details.

DLP sample use cases

You can use DLP to:

• Audit the usage of sensitive content in Drive that your users may have already shared to gather information on sensitive files uploaded by users.
• Directly warn end users not to share sensitive content outside of the domain.
• Prevent sharing of sensitive data (such as a Social Security Number) with external users
• Alert administrators or others about policy violations or DLP incidents.
• Investigate details of an incident with information on the policy violation.

Compare legacy DLP and current DLP rule management

You might have used the original version of DLP in the past. This table compares legacy DLP to the current DLP. This table helps you understand current features and behavior.

Legacy DLP	Current DLP
Existing DLP product	DLP product with more features
DLP rules are found in the Admin console under Rules.	DLP rules are found in the Admin console under SecurityData protection.
To set up DLP policies, you have to be a super Administrator.	To set up DLP policies, there are specific administrative privileges for DLP rules and detectors. Managing DLP policies doesn't require permission to manage all Drive settings.
Match count is available only for predefined detectors.	Match count is available in all conditions that use: Regular expressions Word lists Predefined detectors
Two detection thresholds: High Medium	Detection thresholds with more granularity: Very low confidence Low confidence Possible Likely Very likely
Reports are limited to audit logs and Drive-related reports.	Reports include DLP Incident Management dashboards, available under SecurityDashboards. Reports now include the shared recipients of the document.

Current DLP features

The following table describes the DLP features:

DLP Features	Details
Author DLP rules with scope, condition, and actions	Scope  Author policies based on organizational units or groups Organizational unit and group inclusion and exclusion - define policy based on organizational units in the environment. The rule scans files owned by users in the selected organizations or groups. See also DLP for Drive FAQ. Conditions Contents of scanned files or content Rule templates  Reusable content detectors Keyword and word Lists Regular expressions (Regex) Predefined detectors to allow inspection on numerous content types. Go to How to use predefined content detectors for details. Nested conditions. Go to DLP for Drive rule nested condition operator examples for details.  Set detection confidence threshold levels Extended match count Actions Set alert and notification rules Block externally shared links Warn end users Audit Drive file content violations
Incident Management	Sends an alert summary to DLP administrators to enable quick detection of DLP incidents validation of false positives. Go to View alert details for details. You receive a DLP alert in the alert center when a DLP rule is triggered. From the Admin console Home page, go to SecurityAlert center. Go to View alert details for details. Reporting and investigation dashboard for policy violations (DLP incidents and Top Policy Incidents). Go to About the security dashboard for details.
Rule investigation	For rule investigation, use the security investigation tool. Go to About the security investigation tool for details.  You must have the privilege Security CenterInvestigation ToolRuleView Metadata and Attributes to access the investigation tool. Use the Investigation tool to identify, triage, and take action on security and privacy issues in your domain.
Admin privileges	View DLP Rules—Allows delegated administrators to view DLP rules Manage DLP Rules—Allows delegated administrator to create, edit and investigate DLP rules.  Note that you must enable both View and Manage permissions to have complete access for creating and editing rules. For the investigation tool only: Security CenterInvestigation ToolRuleView Metadata and Attributes.

Applications and file types scanned by DLP

Scanned applications

Applications scanned include:

• Sheets
• Docs
• Slides
• Forms File Upload—Files submitted to Forms file upload questions are scanned by DLP. Responders may be warned or blocked from submitting their responses if they attempt to upload sensitive content.

Comments in Docs, Sheets, Slides, and Drawings and comment email notifications are not scanned by DLP. Also, Sites and Forms (other than File Upload) are not supported with DLP.

Scanned file types

File types scanned for content include:

• Document file types: .doc, .docx, .html, .pdf, .ppt., .wpd, .xls, .xlsx, .xml
• Image file types: .bmp, .eps, .fif, .gif, .img_for_ocr, .jpeg, .png, .ps, .tif
• Compressed file types: .bzip, .gzip, .rar, .tar, .zip
• Custom file types: .hwp, .kml, .kmz, .sdc, .sdd, .sdw, .sxc, .sxi, .sxw, .ttf, .wml, .xps

Video and audio file types are not scanned.

Note: The actual scanned files may differ by application.

Administrator requirements

To create and set DLP rules and content detectors, you must be a super administrator or a delegated admin with these privileges:

• View Organizational unit administrator privileges. 
• Groups administrator privileges.
• View DLP rule and Manage DLP rule privileges. Note that you must enable both View and Manage permissions to have complete access for creating and editing rules. We recommend you create a custom role that has both privileges. 
• View Metadata and Attributes privileges (required for the use of the investigation tool only): Security CenterInvestigation ToolRuleView Metadata and Attributes.

Learn more about administrator privileges and creating custom administrator roles.

What’s next: create rules and content detectors

Create DLP for Drive rules and custom content detectors

Related information

• Create DLP for Drive rules and custom content detectors
• DLP for Drive rule nested condition operator examples
• View DLP for Drive dashboard incidents, alerts, and audit events
• View DLP content and rule size limits
• DLP for Drive FAQ
• Rules audit log
• How to use predefined content detectors