Skip to content

How to implement Data Loss Prevention (DLP) For Google Drive

Data Loss Prevention rules help you keep confidential company data safe and secure in Google Drive.

This article is written by Brecht Sannen, Workplace Deployment Engineer at Devoteam G Cloud Belgium

Preventing data breaches & loss of data is quite the challenge nowadays. But what can you do as a company to help identify, classify and protect confidential information from leaking? Find out how you can turn your data into information with Google Workspace and how Data Loss Prevention rules help you keep the confidential company data safe and secure.

Turn your data into information

Getting to know the data you have 

First things first, it is hard to protect information if you don’t know what type of information you currently have, let alone know where it is currently stored! That’s why it’s important to first think about turning your data into information. This is not an easy task as it requires some business analysis to understand what bunch of data (ergo documents, slides & sheets) contain what type of information. For example : Payslip documents are HR information, Customer sheet is sales information, Project kickoff slides are information related to a specific project. 

Classifying information into categories

Once you know what type of information your business possesses, you can move on to classifying this information. Classifying is basically categorizing your information based on how confidential it is. Then, per category, you would need to define a location that has the necessary security settings relevant to the information stored there. 

To give you an example : Kickoff Slides related to a Confidential Project should be on a shared drive where the name starts with “[PROJ]” + Project Name & sharing outside the organization is not allowed

Automate Classification of information

A visual way of classifying your documents is with Google drive labels. Using this functionality, you can show to your users as to what category this data actually pertains. There are ways to automate this process. 

  • 1. You can apply a certain label on an OU or a google group. This would mean that every document created by a user in that OU or group would get this label.
    e.g. Sales team is in the sales OU. A drive label “sales information” is applied on that ou. Hank is in the OU Sales, when he creates a document it is labeled as “sales information”
  • 2. You can apply a certain label based on content. This would mean that if a document has certain content it would be labeled as a specific type of information. 

e.g. A DLP rule exists where every document containing “Confidential”,”Project” or ”NDA” is labeled as “Confidential”. Hank opens up a spreadsheet to summarize his sales. As the word NDA is mentioned in this PDF it is labeled as “Confidential”

Data loss prevention in action

When you know what information is confidential, you can start working on a set of detectors or rules to spot this confidential information. 

Automate the classification of confidential information with Google Workspace

Google Workspace can scan an entire file for regular expressions, a specific word or a wordlist. Google Workspace even has their own predefined set of data (like credit card information)  you can use to spot confidential data. Lastly, using google drive labels, you can set up DLP rules specifically for those classifications of information.  To give you an example, consider the following case :

Company has an information category confidential projects.There is a confidential project called “Stargazer” and any files related to this project are classified according to business needs as information related to a confidential project. The business is therefore instructed to put all files related to that project in a confidential shared drive. A DLP rule is added as a precautionary measure to make sure no information related to the project that is misplaced (for example on somebody’s mydrive) gets shared externally. The DLP rule blocks any document from being shared externally and applies the label “CONFIDENTIAL – Stargazer” if the information contains the word “Stargazer”.

More information about Data loss prevention in Google Workspace can be found here.

How do we do it? 

It is a tricky thing to do on your own and therefore we have developed a strategy that works! We tackle this challenge in 3 phases!


Create Google Business rules


Check with departments heads if the information classification works for them


Organise a change campaign to migrate the data to the right location

  1. Together with business stakeholders we would discuss and create the Google Business rules. The Google Business rules is a template we created to help companies advise their users as to how the google applications, more specifically google drive, should be used in their organization. 
  2. We would discuss the business rules with the department heads/ Managers of the teams and ask them how their information fits in these business rules / Classification of information. We would define the shared drives that are needed and create a mapping as to where the information should be stored. 
  3. We would do a migration of that data to the right location with a change campaign (Q&A’s and training if needed ) explaining the business rules and the value of them to the end-users. Usually this is a move from mydrive to shared drive or from shared drive A to shared drive B. 

After you have done DLP rules for Google drive, make sure you also check out the DLP rules in terms of Chat!

Do you want to discuss your own security challenges with us? 

Get in touch with

Mark De Winne

Google Cloud Business Developer at Devoteam G Cloud