Use new DLP for Drive

New DLP for Drive FAQ

Frequently asked questions for new DLP for Drive

This feature is available with G Suite Enterprise, G Suite Enterprise for Education, G Suite for Education, and G Suite Essentials editions. Compare editions

This FAQ applies to new DLP for Drive only. Also, this release refreshes DLP for Drive only. There is no change to DLP for Gmail scans at this time.

Open all   |   Close all

Overall new Drive for DLP FAQs

Which predefined content detectors are supported?

DLP for Drive supports a large number of predefined detectors. We’ll support more as DLP evolves.

Is detection 100% guaranteed?

No. We can't guarantee that all sensitive data will get caught and flagged. The DLP-detection system translates predefined templates into regular expressions and uses additional content parameters to determine the probability of a match. There might be false positives and negatives, which are triggered by many factors.

When rules are modified or added, does the system scan previously created files?

Yes. All files are scanned anytime a rule is added or modified. Scanning the files can take a few hours, a day, or longer depending on a variety of factors, including the number of files in the domain. 

Tip:  If you add or modify a rule, DLP will scan the latest revision of previously uploaded files. This includes modifying a custom content detector that is used in a rule.

Could a file be scanned more than once?

Yes. To help ensure sensitive content is detected, the scanning process sometimes scans documents twice. So, the number of files affected by a rule change can vary between scans.

How long before a DLP policy takes effect?

It takes 24 hours for a DLP policy to take effect.

Are DLP rules I create in legacy DLP Drive separate from rules I create in the new DLP?

Yes. Rules you create with the new DLP are separate from the DLP rules you created under Rules in the Admin console home page for legacy DLP Drive. The new DLP rules coexist with those rules.

Can I move my legacy DLP rules to Drive DLP?

You can manually copy rules by creating a new rule in the DLP and then deleting the legacy DLP rule.

What rules triggers are available in the DLP?

There are file sharing triggers for Drive.

Can I use an API to create and manage DLP rules?

There is no API access at this time.

Do DLP rules apply to Drive files attached in email?

If a user attaches a Drive file to email from "Insert files using Drive", DLP rules with the trigger "Message being sent" do not apply. However, if Google Drive sharing is also selected as trigger, those rules apply to the Drive files prior to email attachment. 

What happens if I have similar detection rules on older DLP and new DLP with different response actions? For example, if in older DLP, I have a Social Security Number rule to quarantine messages and documents, and in new DLP, I have a rule to block Social Security Numbers.

The stricter action will prevail whether or not you defined the action in legacy DLP or the new DLP rules. In this example, Social Security numbers are blocked.

How can I investigate rules and their past results?

Use the security investigation tool. Go to Investigation tool for details. 

What content is scanned in each Drive file?

The entire content of each file or doc is scanned. This includes suggestions and the entire doc or file itself. 

Can I create test DLP rules?

Yes, you can create an audit-only rule. You can create an audit-only rule to test rules you create in the new DLP. This allows you to test the potential impact of a rule. Like all rules, these rules trigger, but in this case take no action but to write results to the Rule audit report. Go to Create and maintain DLP rules and custom content detectors, Use audit-only rules to test rule results (optional, but recommended). Also, go to Rules audit log or the investigation tool, for audit log details. Both the Rules audit log and the investigation tool show entries for triggered DLP rules.

How many alerts can admins receive?

Admins can receive up to 50 alerts per rule per day. They receive alerts until this threshold is met.

If I add recipients to a rule alert, does that trigger a scan?

No. A scan is triggered if content is modified. Adding more recipients to an alert does not trigger a scan.

Is there a size limit on the Drive files that DLP can scan?

Yes, there is a file size limit. It is 1MB, and here is how it works.

DLP converts Drive files into a scannable format, which includes file content and file format data, and then scans the resulting file. For a converted file larger than 1MB, DLP scans only the first 1MB of the converted file. Files that are larger than 10MB are not converted or scanned by DLP.

Do DLP rules apply to both My Drive and Shared drives?

Yes.

Beta: Prevent commenters and viewers from downloading, printing, or copying files FAQs

These FAQs apply to the ability to disable download, print and copy for commenters and viewers only.

When you specify an optional action during rule creation, the setting Beta: Disable download, print, and copy for commenters and viewers uses prevents a user from downloading, printing, and copying unless the user has the editor privilege or greater. These restrictions comprise DLP Information Rights Management (IRM),  which uses Drive sharing settings as policies. These Drive sharing settings are described in Restrict sharing options on Drive files

. As an administrator, what customization can I add to end user messages for these restrictions?

Users get default messages from Drive.

I want to unshare a link on the file and apply these restrictions to the same content. How can I do that?

Admins can write two policies using the same conditions, but each policy can have separate actions. For example, the first policy can block external access to content. unshare external links while the second policy can apply IRM to the same content.

How do these restrictions apply to DriveFS/Backup and Sync?

A client can't download a file that violates a these policies.

Can I apply this restrictive action to editors of a specific drive document?

No. This rule action is applied to view and comment roles.

Does these restrictions apply to My drive and Shared drives?

Yes.

When is a document checked for these restrictions?

When the user opens the document to edit it. If the admin applied these restrictions using an action in a DLP rule when the user is already viewing the document, it won't take effect until the document reloads.

Do these restrictions prevent printing in Preview mode?

No.

Related information

Was this helpful?
How can we improve it?