# 26 DLP rules (Drive/Gmail/Chat)

> v0.1.2 · role: Prevent · edition: Ent Std+ · [policy: #15 · #33](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

Data protection rules scan Drive files, Gmail messages and Chat messages for content that matches a detector — card numbers, national IDs, credentials, or a custom regex — and audit, warn or block when that content is shared or sent. A rule is scoped by OU or group, by app, by trigger condition and by detector, and its alerts land in the alert center at the severity you choose. The usual sequence is audit-only to size the false positives, then warn, then block.

Documentation: [About DLP](https://knowledge.workspace.google.com/admin/security/about-dlp)

## Caveats

- A rule that only logs is a detection, not a prevention — it becomes a preventive control when the action moves from Audit to Block, and most tenants never make that move.
- Scan-on-share triggers on the sharing event, not on content at rest — anything already shared before the rule existed is never caught, so pair it with the public-share cleanup (№11).
- Detectors are regex over extracted text — content inside an image, a password-protected archive or a client-side-encrypted file is invisible by construction, which is exactly the CSE trade-off in №69.
- Duplicate rules with conflicting actions are the usual failure mode — review the rules and detectors that already exist before adding more.
- DLP requires Enterprise Standard+, Frontline Standard+, an Education edition or Enterprise Essentials Plus — on Business tiers this screen is absent. Note Gmail DLP is not included in Enterprise Essentials Plus, so the Drive and Gmail gates differ slightly.

## Setup steps

1. Open Data protection and go to Manage rules; review the existing rules and detectors before adding more — duplicate rules with conflicting actions are the usual failure mode. — `Security › Access and data control › Data protection`

2. Start from a template rather than a blank rule for the standard detectors (credit card, national ID, credentials) — under Manage rules choose Add rule > New rule from template and pick the template matching your classified data types. — `Security › Access and data control › Data protection › Add rule > New rule from template`

   docs: [Create data protection rules](https://knowledge.workspace.google.com/admin/security/create-data-protection-rules)

3. Scope the rule: choose the OU (organizational unit) or group, the apps (Drive, Gmail, Chat), the trigger conditions and the content detectors. — `Security › Access and data control › Data protection › Add rule > New rule`

   - **Scope** = all users
   - **Apps** = Drive + Gmail + Chat
   - **Conditions** = content matches detector
   - **Trigger** = file shared externally / message sent externally

   docs: [Create data protection rules](https://knowledge.workspace.google.com/admin/security/create-data-protection-rules) · [Create DLP for Drive rules and custom content detectors](https://knowledge.workspace.google.com/admin/security/create-dlp-for-drive-rules-and-custom-content-detectors)

4. Set the action and the alerting. Run in audit-only mode first to size the false-positive rate, then escalate to block. — `Security › Access and data control › Data protection › Add rule > New rule`

   Action = Audit only (week 1) → Warn → Block (Drive: Block external sharing; Gmail: Block message, outgoing messages only); Alerting severity = High, send to the alert center

## Ongoing maintenance

- **[automatable: AI agent]** Monthly: review DLP alert volume and false positives; tune detectors and thresholds.
- **[requires a human]** Per new data type the org handles: extend detectors and re-run the canary test.

## How to verify

1. Create a canary document containing a synthetic detector hit (test credit-card number), share it externally from a test account, and confirm the rule blocks/warns and raises the alert.

## Settings screens

- Security > Access and data control > Data protection
  - console: https://admin.google.com/ac/dp
  - screenshot: ../screenshots/admin.google.com/ac/dp.png
- Security > Access and data control > Data protection > Manage rules > Add rule > New rule
  - console: https://admin.google.com/ac/dp/createrule
  - screenshot: ../screenshots/admin.google.com/ac/dp/createrule.png
- Security > Access and data control > Data protection > Manage rules > Add rule > New rule from template (pre-built DLP rule templates)
  - console: https://admin.google.com/ac/ax?action_id=RULE_TEMPLATES
  - screenshot: ../screenshots/admin.google.com/ac/ax__action_id-RULE_TEMPLATES.png
