Supported editions for this feature: Frontline Standard and Frontline Plus; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, and Education Plus; Enterprise Essentials Plus.
Drive DLP and Chat DLP are also available to Cloud Identity Premium users who also have a Google Workspace license (Enterprise, Business, or Education editions).
DLP for Chrome is available if you have the Chrome Enterprise Premium add-on.
Data protection rules, also known as DLP rules, are custom rules that are created by domain administrators from the rules page. These rules specify what sensitive content to scan for, when to scan files or messages, and the actions to take when sensitive content is found.
Create a data protection rule
- In the Google Admin console, go to Menu > Rules > Create rule > Data protection.
  Requires having the View and Manage DLP rule privileges.
- Enter the name and (optionally) a description for the rule.
- In the Apps section, choose the apps that you want to protect data in and the events that will trigger your rule:
  - Google Chat: This rule applies to messages or files uploaded by users.
  - Google Drive: This rule applies to the files owned by users.
  - Gmail: This rule applies to the messages sent by users.
  - Calendar (beta): This rule applies when users create or modify Calendar events.
  - Chrome: This rule applies when users take specific actions with the content (for example, upload content).
- (Optional) To verify that Optical Character Recognition (OCR) is turned on, click Check. To change the OCR status, select or clear the check box for your app, and click Save.
- Click Continue.
- In the Actions section, select the action to occur if sensitive data is detected in the scan. The available actions will depend on the apps you chose.
- (Optional) To specify how incidents are plotted in the DLP Incident dashboard, in the Alerting section, choose a severity level (Low, Medium, High).
- (Optional) To trigger notifications in the Alert center, check the Alert center box. To send a notification to administrators, check the All super admins box or add the email addresses of recipients.
- Click Continue.
- For Scope, choose an option:
  - To apply the rule to your whole organization, select All in domain.name.
  - To apply the rule to specific organizational units or groups, select Organizational units and/or groups and include or exclude organizational units and groups.
  If there's a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence.
- (Optional) In the Content conditions section, click Add Condition, set the content type to scan (for example, All content), and choose what to scan for (for example, Matches predefined data type).
- (Optional) Add more conditions, using AND, OR, or NOT operators. For details, go to Examples of DLP rules with nested condition operators.
- (Optional - Drive and Chrome only) To add context-aware access conditions, select an access level from the list, or create a new access level. For details, go to Create Context-Aware access levels and Combine DLP rules with Context-Aware Access conditions.
- Click Continue and review the rule details.
- For Rule status, choose an option:
  - Active: Your rule runs immediately.
  - Inactive: Your rule exists, but is not in effect. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security > Access and data control > Data Protection > Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
- Click Create.
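The precedence note in the Scope step (a group overrides an organizational unit), worked through as an added example that is not Google's code or API: a small Python model for checking which users a planned rule covers before you activate it. The `Scope` fields, the OU-inheritance and OU exclusion-first behaviour, and the sample users and group addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scope:
    # Hypothetical field names modelling the Scope step; not a Google API.
    include_ous: frozenset = frozenset()
    exclude_ous: frozenset = frozenset()
    include_groups: frozenset = frozenset()
    exclude_groups: frozenset = frozenset()

def _ou_match(user_ou, ous):
    # Assumption: selecting an OU also covers its child OUs.
    return any(user_ou == ou or user_ou.startswith(ou.rstrip("/") + "/")
               for ou in ous)

def rule_applies(user_ou, user_groups, scope):
    """Return (in_scope, reason); in_scope is None when the page gives no answer."""
    groups = set(user_groups)
    g_in = bool(groups & scope.include_groups)
    g_out = bool(groups & scope.exclude_groups)
    if g_in and g_out:
        return None, "conflicting groups: review manually"
    if g_in or g_out:
        # A group decision overrides whatever the user's OU says.
        return g_in, "included by group" if g_in else "excluded by group"
    # Assumption: between OUs, an exclusion wins over an inclusion.
    if _ou_match(user_ou, scope.exclude_ous):
        return False, "excluded by OU"
    if _ou_match(user_ou, scope.include_ous):
        return True, "included by OU"
    return False, "not in scope"

# Constructed sample scope and users (OU path, group memberships).
SCOPE = Scope(
    include_ous=frozenset({"/Finance"}),
    exclude_ous=frozenset({"/Finance/Contractors"}),
    include_groups=frozenset({"pci-handlers@example.com"}),
    exclude_groups=frozenset({"dlp-exempt@example.com"}),
)
USERS = {
    "ana": ("/Finance", []),
    "ben": ("/Finance", ["dlp-exempt@example.com"]),
    "cy": ("/Finance/Contractors", ["pci-handlers@example.com"]),
    "dee": ("/Sales", ["pci-handlers@example.com", "dlp-exempt@example.com"]),
}

def audit(users, scope):
    return {name: rule_applies(ou, grps, scope) for name, (ou, grps) in users.items()}
```

Users reported as out of scope or `None` are the ones to confirm against intent before switching the rule from Inactive to Active.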
Create a data protection rule using a predefined template
Templates enable you to choose from a list of recommended rules that are based on common use cases and best practices. For example, there are rule templates to prevent the sharing of financial information, health information, and personally identifiable information.
You can create a rule based on the default settings of a template, or you can customize the template to change the scope, conditions, actions, or alerts.
- In the Google Admin console, go to Menu > Rules > Templates.
  Requires having the View and Manage DLP rule privileges.
- Click one of the predefined templates in the list—for example, Prevent financial information sharing (International) or Prevent health information sharing (US).
- Click Continue to review the settings. You can accept the default template settings, or you can customize the template to change the actions, scope, or conditions.
- Click Continue and review the rule details.
- For Rule status, choose an option:
  - Active: Your rule runs immediately.
  - Inactive: Your rule exists, but is not in effect. This gives you time to review the rule and share it with team members before implementing. Activate the rule later by going to Security > Access and data control > Data Protection > Manage Rules. Click the Inactive status for the rule and select Active. The rule runs after you activate it, and DLP scans for sensitive content.
- Click Create.