Security advisor for data protection

Supported editions for this feature: Frontline Plus; Business Plus; Enterprise Standard and Enterprise Plus.

With Security advisor’s data protection feature, you can warn (or block) your users when they try to share sensitive data outside your organization. You can protect against sharing of the following data type categories:

  • Personal identifiable information (PII)—email addresses, Social Security numbers, full names and addresses
  • Financial data—bank account numbers, credit card numbers
  • Healthcare data—National insurance numbers
  • Global sensitive data—IMEI numbers, IP addresses

Security advisor for data protection helps keep your Google Drive files and Gmail messages secure as you work. When you create or share content, it can identify sensitive information and warn you before this data leaves your organization.

Default settings

Default Security advisor data protection settings vary according to your Google Workspace edition.

For all accounts that have DLP enabled (Frontline Plus, Business Plus, Enterprise Standard, and Enterprise Plus):

  • Data protection is ON by default (Warn mode) for new accounts.
  • Older accounts might have different default settings. For details on turning on data protection, go to the next section. For details on previous settings, go to Turn on recommended settings.

View Security advisor data protection settings

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Go to Menu > Security > Access and data control > Data protection.

    Requires having the View DLP rule and Manage DLP rule administrator privileges.

  3. In the Security advisor section, click Go to security advisor for data protection.

    The main settings page shows the four data type categories:

    • Personal identifiable information (PII)
    • Financial data
    • Healthcare
    • Global sensitive data

    Each category contains a subset of data types. You can apply a setting to the category as a whole, or make custom settings for each data type in the category.

Change Security advisor data protection settings


About data types

Security advisor for data protection data types are a subset of the predefined content detectors that are available in Workspace’s data loss prevention (DLP) feature. For details on a specific data type:

  1. Go to How to use predefined content detectors.
  2. Locate and expand the category that matches the data type. For example, for Canada - Passport, expand the Canada section.
  3. Locate the specific detector in the table.

Apply a setting to a data type category as a whole

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Go to Menu > Security > Access and data control > Data protection.

    Requires having the View DLP rule and Manage DLP rule administrator privileges.

  3. In the Security advisor section, click Go to security advisor for data protection.
  4. For the data type category that you want to apply a setting to, select Warn users, Block users, or Off.

The category-level setting applies to all the data types in the category and resets any customized settings that you have made to individual data types in the category.

Apply settings to specific data types within a category

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Go to Menu > Security > Access and data control > Data protection.

    Requires having the View DLP rule and Manage DLP rule administrator privileges.

  3. In the Security advisor section, click Go to security advisor for data protection.
  4. For the data type category, select Customize.

    The data types in that category are shown.

  5. For the data type that you want to apply settings to, select Warn users, Block users, or Off.
  6. Click Back to return to the main settings page.

The data type category setting changes to Customized to indicate that you’ve made individual settings for that category.

Apply different settings to Drive and Gmail

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Go to Menu > Security > Access and data control > Data protection.

    Requires having the View DLP rule and Manage DLP rule administrator privileges.

  3. In the Security advisor section, click Go to security advisor for data protection.
  4. For the data type category that you want to apply settings to, select Customize.

    The data types in that category are shown.

  5. For the data type, select Customize.

    The Select the Action by app box opens.

  6. For Drive and Gmail, select Warn users, Block users, or Off.
  7. Click Save.
  8. Click Back to return to the main settings page.

The data type category setting changes to Customized to indicate that you’ve made individual settings for that category.

Edit default data protection rules

Security advisor data protection settings have associated default data protection rules, which you can view and edit. For Frontline Plus, Enterprise Standard, and Enterprise Plus, admins can customize or create rules beyond the default.

  • For default rules, editing is limited—you can change the action associated with the data protection setting (Warn, Block), or turn the rule on or off.
  • For Frontline Plus and Enterprise customers, we recommend reviewing the default protection rules to ensure that they don’t conflict with any existing DLP custom rules you may already have in effect.

To edit a default protection rule:

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Go to Menu > Security > Access and data control > Data protection.

    Requires having the View DLP rule and Manage DLP rule administrator privileges.

  3. To show default rules:
    • (Frontline Plus and Enterprise) In the Data protection rules and detectors section, click Manage rules.
    • (Business Plus) In the Data protection rules section, click Manage rules.

    In the rule list, Security advisor data protection rules have a [Default] prefix.

  4. (Optional) To turn a rule on or off from the rule list, change the setting in the Status column to Active or Inactive.

    Note: This is equivalent to turning the setting to Off in Security advisor data protection settings.

  5. (Optional) Click a default rule to open its settings page.
    • At the left, click the status menu to make a rule Active or Inactive.

To change actions for the data type, go to Apply settings to specific data types within a category on this page.

Any changes you make to the default rules are shown in the rule status in Security advisor data protection settings.

Known Gmail DLP Security advisor limitations

  • Google Groups alias email addresses are treated as internal recipients. If the Google Group includes external members, Security advisor rules intended for external messages aren’t applied.
  • Security advisor rules in Warn mode don’t apply to Google Groups. If a message is sent on behalf of a Google Group, these rules aren't applied.
  • Security advisor rules don’t apply to email addresses or phone numbers in Gmail messages.
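
Because a group alias is treated as an internal recipient, it helps to know which groups actually reach external addresses. The following is an added example, not part of Google's documentation: it walks group membership, including nested groups, and lists the groups whose members include addresses outside the organization. The domains, addresses and membership rows are constructed sample data, and INTERNAL_DOMAINS is an assumption standing in for your organization's own domains.

```python
# Added example: find groups whose (nested) membership reaches external addresses.
# All domains, addresses and rows below are constructed sample data.
INTERNAL_DOMAINS = {"example.com"}  # assumption: the organization's own domains

# (group address, member address) pairs, as a membership export might list them
MEMBERSHIPS = [
    ("finance@example.com", "alice@example.com"),
    ("finance@example.com", "auditors@example.com"),      # nested group
    ("auditors@example.com", "pat@partner.example.net"),  # external member
    ("hr@example.com", "bob@example.com"),
    ("all-staff@example.com", "hr@example.com"),
    ("all-staff@example.com", "finance@example.com"),
    ("loop-a@example.com", "loop-b@example.com"),         # cyclic nesting
    ("loop-b@example.com", "loop-a@example.com"),
]


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True when the address's domain is not one of the organization's domains."""
    return address.rsplit("@", 1)[-1].lower() not in internal_domains


def external_members_by_group(memberships, internal_domains=INTERNAL_DOMAINS):
    """Map each group to the sorted external addresses reachable through nesting."""
    direct = {}
    for group, member in memberships:
        direct.setdefault(group.lower(), set()).add(member.lower())

    def expand(group, seen):
        found = set()
        for member in direct.get(group, ()):
            if member in direct:            # member is itself a group
                if member not in seen:      # guard against cyclic nesting
                    found |= expand(member, seen | {member})
            elif is_external(member, internal_domains):
                found.add(member)
        return found

    report = {g: sorted(expand(g, {g})) for g in direct}
    return {g: ext for g, ext in report.items() if ext}


if __name__ == "__main__":
    for group, externals in sorted(external_members_by_group(MEMBERSHIPS).items()):
        print(f"{group}: alias is treated as internal but reaches {externals}")
```

Groups that appear in the output are candidates for review, since messages sent to their alias are not evaluated by Security advisor rules intended for external messages.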

Related article

About DLP
