Stop data loss with DLP

Apply Drive labels automatically with DLP rules

Supported editions for this feature: Business Standard and Business Plus; Enterprise Starter, Enterprise Standard, and Enterprise Plus; Education Standard and Education Plus; Essentials, Enterprise Essentials, and Enterprise Essentials PlusCompare your edition

Drive DLP and Chat DLP are available to Cloud Identity Premium users who also have a Google Workspace license. For Drive DLP, the license must include the Drive log events.

As an admin, you can use data loss prevention (DLP) rules to automatically apply labels to Drive files based on detection of sensitive content. The label and data names in the examples in this article are not actual data native to label manager or DLP.

DLP for Drive label rule conditions

You can use Drive labels in rule conditions.

The following conditions are supported:

  • Check for the presence of a label.
  • Check for the presence of one or more Options list Field values when the Options list Allow multiple selections setting is disabled.
  • Negate the above conditions.

The following conditions are not supported:

  • Check the Options list field values when the Options list Allow multiple selections setting is enabled.
  • Check the values of other field types, for example, Number, Date, Text, or Person.

DLP for Drive label rule actions

Apply a Drive label as an automatically applied DLP action. When the DLP rule is triggered, DLP applies labels as an action to Drive files that meet the rule criteria. 

The following rule action is supported:

  • Apply a label and Options list field value when the Options list Allow multiple selections setting is disabled.

The following rule actions are not supported:

  • Apply a label but not a field value. However, you can configure default classification settings to apply a label to newly created files and files that change ownership. For details, go to Apply classification labels to new files automatically.
  • Apply a label and Options list field when the Options list setting Allow multiple selections setting is enabled.
  • Apply a label with other field types, for example, Number, Date, Text, or Person.

Before you begin

Expand all  |  Collapse all

Understand and create Drive labels

Before you can use Drive labels with DLP rules:

  1. Understand the purpose and functionality of Drive labels. For details, go to Get started as a Drive labels admin.
  2. Create labels, or know of existing labels you want to use.
Use DLP rules or default classification to automatically apply labels?

Use DLP rules to automatically apply labels if you need to use specific conditions or actions for applying labels. If you only want to apply labels to new files when they are created by specific users, use Data classification settings.

How default classification labels work

  • Applies labels to new files and when the ownership of a file changes. Default classification doesn’t retroactively apply labels to existing files unless the file owner changes.
  • Applies labels based on the file owner’s organizational unit or group. Default classification doesn’t search the file content or metadata for certain conditions.
  • If users have permission to change a label, they can change it or remove it after it’s automatically applied.
  • Only labels with an options list field are supported for default classification.
  • Default classification labels are overwritten by DLP-set labels, even if the data classification value is higher in the options list.

How labels set by DLP rules work

  • Applies labels to new and existing files.
  • Applies labels based on conditions such as file type, word matches, and string matches. DLP rules don’t accept organizational unit or group as a condition.
  • You can’t apply a label with a DLP rule that uses a label as a condition.
  • You can prevent users from changing the label, even if they have permission to change it. If they change it, DLP will scan the file again immediately and revert to the DLP label configuration.
  • External users can’t view the version history of files that had a label applied to them by a DLP rule at any point. 
  • DLP rules can apply labels with options list fields, including badged labels.

How AI classification labels work

  • Applies labels to new and existing files.
  • Only labels with one options list field with 2–4 values are supported for AI classification.
  • Applies labels after a training period. During the training period, designated labelers apply a training label to at least 100 files per field option.
  • AI classification labels are overwritten by DLP-set labels, but overwrite default classification labels.
Know how rule conflicts are resolved

Label values set by DLP rules take priority over AI classification, and both take priority over default classification.

When 2 or more of the same kind of rules try to apply different label values to the same file, the value that's higher in the label's options list is applied. For example, you might have a label with a field that has 3 options listed in the label manager: 

  1. Confidential
  2. Internal
  3. Public

If Rule 1 tries to set the label as Confidential, and Rule 2 tries to set the label as Public for the same file, Confidential (Rule 1) is applied. Make sure that a label's field options are listed in your preferred order of priority before setting up rules.

Set up a DLP rule to apply a Drive label

  1. Begin following the steps in Create DLP for Drive rules and custom content detectors to create a rule.
  2. When you get to the Triggers section, select Google Drive and click Continue.
  3. Configure conditions and click Continue. Note: You can’t use a Drive label as a condition for a rule that applies Drive labels.
  4. In the Actions section, select Apply Drive labels. If this option isn’t available, make sure that you didn't enter a Drive label as a condition.
  5. Specify the details for the Drive label that you want to apply. Only badged labels and standard labels with Options list field type are supported. For details, see Get started as a Drive labels admin.
  6. Choose whether users who have permission to change the label can change the label and field values applied by this DLP rule. Only available for labels with single field options. Users must have permission to change the label in the label manager.
    • When set to Allow, DLP doesn’t change labels and field values set by users. However, DLP will reapply labels and field values that are removed by the user.
    • When set to Don’t allow, if a user changes or removes the label applied by this DLP rule, the change causes DLP to scan the file again and revert to the DLP rule’s label configuration.
  7. Continue configuring your rule. If desired, you can add another label by clicking Add label.

Working with DLP rules and Drive labels

Understand label locking

Labels, fields, and field options that are associated with DLP rules are locked in the label manager. This prevents edits to labels or fields that could break business policies. Unlock the label, field or field option by removing it from all DLP rules.

Edits in the label manager such as: 

  • Renaming or adding new fields or field options are allowed. 
  • Disabling or deleting labels, fields, or field options that are used in DLP rules are not allowed. Admins with the Manage Labels privilege can see if a label is used in a rule, but can’t see the rule itself unless they have the required privileges.

You can’t create DLP rules with disabled labels, fields, or field options, even in drafts of published labels.

Undo a global change to Drive labels

If you accidentally apply a label (or a label and field values) to a broad range of files through a DLP rule, you can use DLP to clean up those changes.

To do so, disable the DLP rule that applied the change. The rule automatically removes the label and any field values. Or, edit the DLP rule in question to remove the Apply label action. This also removes the label and field values applied by the rule. Applying this change may take a few minutes, a few hours, or more - depending on how many documents need to be updated.

An exception to this clean-up occurs if you use the Select whether users are allowed to change label and field values applied to their files – Allow option. The labels and fields modified by DLP rules are removed, but the user-modified labels and field values remain intact.

Check the Drive audit log to verify actions

If you want to investigate what changed in a file, check the Drive audit log. The column Event Description lists the DLP actions, such as DLP Rule applied Label Contract. Go to Drive audit log for details.

DLP scans are taking longer than I expect. What's going on?

Using DLP to apply labels automatically gives you the power to make changes to multiple documents on Drive. This can result in more files being affected than you expect. Rules that update a large number of files can take longer to process than rules that only affect a small number of files. You might want to test a rule that applies a label on a small sample before applying it at large.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu