This feature is available with G Suite Enterprise, G Suite Enterprise for Education, G Suite for Education, and G Suite Essentials editions.
This FAQ applies to new DLP for Drive only. Also, this release refreshes DLP for Drive only. There is no change to DLP for Gmail scans at this time.
Overall new Drive for DLP FAQs
Which predefined content detectors are supported?
DLP for Drive supports a large number of predefined detectors. We’ll support more as DLP evolves.
No. We can't guarantee that all sensitive data will get caught and flagged. The DLP-detection system translates predefined templates into regular expressions and uses additional content parameters to determine the probability of a match. There might be false positives and negatives, which are triggered by many factors.
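An added illustration of the pattern-plus-context approach described above. It is not Google's detector and not code from this page: the regular expression, keyword list, window size and likelihood labels are assumptions, and the sample strings are constructed.

```python
import re

# Constructed illustration, NOT Google's detector: the pattern, keywords,
# window size and likelihood labels below are assumptions for this example.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
CONTEXT_RE = re.compile(r"\b(ssn|social security|taxpayer)\b", re.I)
WINDOW = 40  # characters on each side inspected for context words
LEVELS = ["UNLIKELY", "POSSIBLE", "LIKELY", "VERY_LIKELY"]


def structurally_valid(area: str, group: str, serial: str) -> bool:
    """SSN numbering rules: no 000/666/9xx area, no 00 group, no 0000 serial."""
    return not (area in ("000", "666") or area[0] == "9"
                or group == "00" or serial == "0000")


def find_ssn_candidates(text: str):
    """Return (matched_text, likelihood) for every candidate found in text."""
    findings = []
    for m in SSN_RE.finditer(text):
        if not structurally_valid(*m.groups()):
            continue  # right shape, impossible number: discard
        nearby = text[max(0, m.start() - WINDOW):m.end() + WINDOW]
        has_context = bool(CONTEXT_RE.search(nearby))
        formatted = "-" in m.group(0) or " " in m.group(0)
        # Context words weigh more than formatting when ranking a hit.
        findings.append((m.group(0), LEVELS[2 * has_context + formatted]))
    return findings


# Constructed sample inputs.
SAMPLES = [
    "Employee SSN: 123-45-6789 on file",    # true positive, strong signal
    "Order ref 523441882 shipped Tuesday",  # false positive if the rule
                                            # threshold accepts UNLIKELY
    "Social security no. 123.45.6789",      # false negative: separator
                                            # not covered by the pattern
    "Ticket 000-12-3456",                   # rejected by numbering rules
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:45} -> {find_ssn_candidates(sample)}")
```

Testing a rule in audit-only mode first shows how many low-likelihood hits a given threshold would sweep in before any action is enforced.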
Yes. All files are scanned anytime a rule is added or modified. Scanning the files can take a few hours, a day, or longer depending on a variety of factors, including the number of files in the domain.
Tip: If you add or modify a rule, DLP will scan the latest revision of previously uploaded files. This includes modifying a custom content detector that is used in a rule.
Yes. To help ensure sensitive content is detected, the scanning process sometimes scans documents twice. So, the number of files affected by a rule change can vary between scans.
It takes 24 hours for a DLP policy to take effect.
Yes. Rules you create with the new DLP are separate from the DLP rules you created under Rules in the Admin console home page for legacy DLP Drive. The new DLP rules coexist with those rules.
You can manually copy rules by creating a new rule in the DLP and then deleting the legacy DLP rule.
There are file sharing triggers for Drive.
There is no API access at this time.
If a user attaches a Drive file to an email using "Insert files using Drive", DLP rules with the trigger "Message being sent" do not apply. However, if Google Drive sharing is also selected as a trigger, those rules apply to the Drive files prior to email attachment.
The stricter action will prevail whether or not you defined the action in legacy DLP or the new DLP rules. In this example, Social Security numbers are blocked.
Use the security investigation tool. Go to Investigation tool for details.
The entire content of each file or doc is scanned. This includes suggestions and the entire doc or file itself.
Yes. You can create an audit-only rule to test rules you create in the new DLP and see their potential impact. Like all rules, these rules trigger, but the only action they take is to write results to the Rule audit report. For details, go to Create and maintain DLP rules and custom content detectors, Use audit-only rules to test rule results (optional, but recommended). For audit log details, go to Rules audit log or the investigation tool. Both the Rules audit log and the investigation tool show entries for triggered DLP rules.
Admins can receive up to 50 alerts per rule per day. They receive alerts until this threshold is met.
No. A scan is triggered if content is modified. Adding more recipients to an alert does not trigger a scan.
Yes, there is a file size limit. It is 1MB, and here is how it works.
DLP converts Drive files into a scannable format, which includes file content and file format data, and then scans the resulting file. For a converted file larger than 1MB, DLP scans only the first 1MB of the converted file. Files that are larger than 10MB are not converted or scanned by DLP.
These FAQs apply to the ability to disable download, print and copy for commenters and viewers only.
When you specify an optional action during rule creation, the setting Beta: Disable download, print, and copy for commenters and viewers prevents a user from downloading, printing, and copying unless the user has the editor privilege or greater. These restrictions comprise DLP Information Rights Management (IRM), which uses Drive sharing settings as policies. These Drive sharing settings are described in Restrict sharing options on Drive files.
As an administrator, what customization can I add to end user messages for these restrictions?
Users get default messages from Drive.
Admins can write two policies using the same conditions, but each policy can have separate actions. For example, the first policy can block external access to content (unshare external links), while the second policy can apply IRM to the same content.
A client can't download a file that violates these policies.
No. This rule action is applied to view and comment roles.
When the user opens the document to edit it. If the admin applied these restrictions using an action in a DLP rule when the user is already viewing the document, it won't take effect until the document reloads.
- Prevent data loss using new DLP for Drive
- Create new DLP for Drive rules and custom content detectors
- New DLP for Drive rule nested condition operator examples
- View new DLP for Drive dashboard incidents, alerts, and audit events
- Migrate rules from legacy DLP to new DLP for Drive
- View DLP content and rule size limits
- Rules audit log
- How to use predefined content detectors