Stop data loss with DLP

DLP for Drive FAQ

Frequently asked questions for DLP for Drive

Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; Enterprise Essentials Plus.

Drive DLP and Chat DLP are available to Cloud Identity Premium users who also have a Google Workspace license. For Drive DLP, the license must include the Drive log events.


Overall DLP for Drive FAQ

Which predefined content detectors are supported?

DLP for Drive supports a large number of predefined detectors. We’ll support more as DLP evolves.

Is detection 100% guaranteed?

No. We can't guarantee that all sensitive data will get caught and flagged. The DLP-detection system translates predefined templates into regular expressions and uses additional content parameters to determine the probability of a match. There might be false positives and negatives, which are triggered by many factors. In addition, not all file types are eligible for scanning and rule evaluation.

When rules are modified or added, does the system scan previously created files?

Yes. We attempt to scan all files any time a rule is added or modified. However, not all file types are eligible for scanning. Scanning the files can take a few hours, a day, or longer, depending on a variety of factors, including the number of files in the domain.

Tip: If you add or modify a rule, DLP will scan the latest revision of previously uploaded files. This includes modifying a custom content detector that's used in a rule.

Could a file be scanned more than once?

Yes. To help ensure sensitive content is detected, the scanning process sometimes scans documents twice. So the number of files affected by a rule change can vary between scans.

How long does it take before a DLP policy takes effect?

It can take up to 24 hours for a DLP policy to take effect.

What rule triggers are available in Drive DLP?

File modification is the trigger for Drive DLP. In addition, Google Forms scans files uploaded as question submissions during the form-submission process.

Can I use an API to create and manage DLP rules?

There is no API access at this time.

Do DLP rules apply to Drive files attached in email?

If a user attaches a Drive file to an email from "Insert files using Drive", DLP rules with the trigger "Message being sent" don't apply. However, if Google Drive sharing is also selected as a trigger, those rules apply to the Drive files before they are attached to the email.

What happens if I have similar detection rules with different response actions? For example, one rule quarantines messages and documents that contain Social Security Numbers, and a later rule blocks Social Security Numbers?

The stricter action prevails. In this example, content containing Social Security Numbers is blocked.

How can I investigate rules and their past results?

Use the security investigation tool. Go to Security investigation tool for details.

What content is scanned in each Drive file?

The first 1 MB of each file or doc is scanned, except for comments (open or resolved), which aren't supported by DLP. For details, go to Is there a size limit on the Drive file content that DLP can scan?

For more information on what types of files are scanned, go to Applications and file types scanned by DLP.

Can I create test DLP rules?

Yes. You can create an audit-only rule to test a rule you create in the new DLP and gauge its potential impact. Like all rules, an audit-only rule triggers, but it takes no action except writing its results to the Rule audit report. Go to Use audit-only rules to test rule results (optional, but recommended). For log event data, go to Rule log events or the Security investigation tool; both show entries for triggered DLP rules.

How many alerts can admins receive?

Admins can receive up to 50 alerts per rule per day. They receive alerts until this threshold is met.

If I add recipients to a rule alert, does that trigger a scan?

No. A scan is triggered if content is modified. Adding more recipients to an alert does not trigger a scan.

Is there a size limit on the Drive file content that DLP can scan?

Yes, it's 1 MB. Here's how it works:

DLP converts Drive files into a scannable format, which includes file content and file format data, and then scans the resulting file. For a converted file larger than 1 MB, DLP scans only the first 1 MB of the converted file. Files that are larger than 50 MB aren't converted for scanning. Also, some files larger than 10 MB might not be converted. DLP will scan a file's title and labels for files of all sizes.
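To make the behaviours this FAQ states concrete (regex-based detectors with a likelihood derived from surrounding context, the 1 MB scan limit, the stricter action prevailing when rules overlap, and the 50-alerts-per-rule-per-day cap), here is an added, constructed model in Python. It is not Google's implementation; the SSN pattern, the context words, the action ranking and all sample inputs are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed model of the DLP behaviours described in this FAQ.
# Not Google's implementation; constants and patterns are assumptions.

SCAN_LIMIT_BYTES = 1 << 20            # "the first 1 MB" of converted content
ALERTS_PER_RULE_PER_DAY = 50          # alert threshold stated in the FAQ

# Severity ranking: when overlapping rules disagree, the stricter action wins.
ACTION_RANK = {"audit_only": 0, "quarantine": 1, "block": 2}

# Hypothetical SSN detector: a regex plus context words that raise confidence.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
SSN_CONTEXT = ("ssn", "social security")


def detect_ssn(text: str) -> list[dict]:
    """Return candidate matches, each with a likelihood based on nearby context."""
    hits = []
    for m in SSN_RE.finditer(text):
        window = text[max(0, m.start() - 40): m.end() + 40].lower()
        likely = any(word in window for word in SSN_CONTEXT)
        hits.append({"value": m.group(),
                     "likelihood": "likely" if likely else "possible"})
    return hits


def scan_file(content: bytes, rules: list[dict]) -> dict:
    """Scan only the first SCAN_LIMIT_BYTES and return the strictest action."""
    text = content[:SCAN_LIMIT_BYTES].decode("utf-8", errors="ignore")
    hits = detect_ssn(text)
    # Only "likely" matches trigger a rule; "possible" ones model the
    # false positives the FAQ warns about and are reported but not acted on.
    confident = [h for h in hits if h["likelihood"] == "likely"]
    triggered = [r for r in rules if r["detector"] == "ssn" and confident]
    if not triggered:
        return {"action": None, "triggered": [], "hits": hits}
    action = max((r["action"] for r in triggered), key=ACTION_RANK.__getitem__)
    return {"action": action, "triggered": [r["name"] for r in triggered], "hits": hits}


class AlertBudget:
    """Per-rule, per-day cap on alerts sent to admins."""

    def __init__(self, cap: int = ALERTS_PER_RULE_PER_DAY):
        self.cap = cap
        self.sent = defaultdict(int)

    def should_alert(self, rule_name: str, day: str) -> bool:
        key = (rule_name, day)
        if self.sent[key] >= self.cap:
            return False          # threshold met: no further alerts that day
        self.sent[key] += 1
        return True
```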

Do DLP rules apply to both My Drive and shared drives?

Yes. For files in My Drive, the DLP policy that applies to the file owner is in effect. For files in a shared drive, the shared drive is considered the file owner, and the DLP policy that applies to the shared drive is in effect.

When are alerts triggered?

Alerts are triggered when sensitive content, as defined by a DLP rule, is detected in a file. This can happen when either the file or the rule is created (if the content already exists). The actual sharing of the file doesn't trigger alerts.

What does "Triggering user" indicate in a DLP alert? Why is it blank sometimes?

A "Triggering user" is the last user whose change to the document resulted in a DLP scan. It's only populated when the DLP scan happens due to a document change (for example, it isn't set when the scan happens due to a policy change).

Prevent commenters and viewers from downloading, printing, or copying files FAQ

This FAQ applies to the ability to disable download, print and copy for commenters and viewers only.

When you specify an optional action during rule creation, the Disable download, print, and copy for commenters and viewers setting prevents a user from downloading, printing, and copying unless the user has the editor privilege or greater. These restrictions make up DLP Information Rights Management (IRM), which uses Drive sharing settings as policies. These Drive sharing settings are described in Limit how your files are shared.

As an administrator, what customization can I add to end user messages for these restrictions?

Users get default messages from Drive.

I want to unshare a link on the file and apply these restrictions to the same content. How can I do that?

Admins can write two policies using the same conditions, but each policy can have separate actions. For example, the first policy can block external access to content, while the second policy can apply IRM to the same content.

How do these restrictions apply to Drive for desktop?

A client can't download a file that violates these policies.

Can I apply this restrictive action to editors of a specific drive document?

No. This rule action applies only to the viewer and commenter roles.

Do these restrictions apply to My Drive and shared drives?

Yes.

Does Gemini respect DLP IRM policies?

Yes, Gemini can access only content that the user has access to. If a user isn't allowed to download, print, or copy files based on the IRM policy, Gemini can't access those files or their content on the user's behalf.

When is a document checked for these restrictions?

The restrictions are checked when the user or Gemini tries to access the document. If an admin applies these restrictions through a DLP rule action while a user is already viewing the document, they don't take effect until the document is reloaded.

Do these restrictions prevent printing in Preview mode?

No.
