Supported editions for this feature: Frontline Starter and Frontline Standard; Business Standard and Business Plus; Enterprise Standard and Enterprise Plus; Enterprise Essentials and Enterprise Essentials Plus. Compare your edition
The Drive DLP Data protection insights report lists the sensitive data types in your organization, and the Drive files with that sensitive content. This report is offered quarterly.
The Data protection insights report lists the:
- Overall percentage of files containing sensitive content that are being shared externally
- Top data types that are shared
- Number of Drive files that contain sensitive content
- Number of Drive files with sensitive content that are shared externally
- Percentage of files with sensitive content that are shared externally for each data type
The report also contains suggestions for acting on data.
Who can view the data protection insight reports?
These reports are targeted for consumption for the customers who use Google Drive to store data. Customer administrators must have admin privileges to view Admin consoleSecurityAccess and data controlData Protection in order to view these reports.
Learn more about how Google keeps your data private and secure.
How are the data protection insights reports created?
How are reports generated?
Reports are generated based on the regular scans of Drive files. The contents of the file can change since the last scan took effect.
Google periodically performs proactive DLP scans for all Drive files based on a set of detectors to help you detect sensitive data. A set of 50 common detectors is used for detection of sensitive documents to generate the report. Each admin receives a custom quarterly report based on the data in their environment. The detectors used are listed below in Common detectors used to create the Data protection insights report. Go to How to use predefined content detectors for a complete list of detectors.
Reports may have some false positives. While the detectors attempt to leverage the highest available likelihood threshold, there can be instances where detection may be limited based on the files in your applications.
How are externally shared files determined for this report?
Doc sharing that is detected and reported in the insights report for Drive DLP:
- Sharing through an invite or email to a non-Google account
- Sharing through a link that anyone on the web can open
- Sharing to an individual’s Google account
- Sharing to Google groups.
- Sharing from My Drive and Shared drive
- In My Drive, DLP detects the sharing of individual files and the sharing of the parent folder for those files.
- In a Shared drive, DLP detects the sharing of individual files individually and the sharing of the root folder on a Shared drive.
For details on controlling how users in your organization share Google Drive files and folders, go to Set Drive user’s sharing permissions.
What can I do after viewing the insight report?
The insights report doesn't include details on every individual file flagged in the report at this time. The administrator can configure DLP rules to find details on sensitive files that are shared externally. See Create DLP for Drive rules and custom content detectors for details on creating new rules.
For the rest of the Google Workspace editions, the administrator can consider using Drive user sharing permissions to control file sharing. For details on controlling how users in your organization share Google Drive files and folders, go to Set Drive user’s sharing permissions.
How is the insight report related to recommended rules?
DLP recommends rules based on the results of the Data protection insights report. For example, if the report lists passport numbers as a shared data type in your organization, DLP recommends a rule to prevent the sharing of passport numbers.
You receive rule recommendations only if you have the Data protection insights report turned on. Go to Prevent data leaks with Data protection recommended rules for details.
View the Data Protection Insights report if you are a DLP admin
Before you begin, sign in to your super administrator account or a delegated admin account with these privileges:
- Organizational unit administrator privileges.
- Groups administrator privileges.
- View DLP rule and Manage DLP rule privileges. Note that you must enable both View and Manage permissions to have complete access for creating and editing rules. We recommend you create a custom role that has both privileges.
- View Metadata and Attributes privileges (required for the use of the investigation tool only): Security CenterInvestigation ToolRuleView Metadata and Attributes.
Learn more about administrator privileges and creating custom administrator roles.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
Super admins can view the report, change the report on or off setting, and contact sales. Admins with only the View DLP rule privileges can only view the report.
-
In the Admin console, go to Menu SecurityAccess and data controlData protection.
- View the quarterly report. The report is display-only, and cannot be configured or modified.
Turn off or turn on the Data protection insights report
The report is available by default. Super admins can view the report, and turn it on or off. Delegated admins with the View DLP Rule privilege can view the report, but cannot turn it on or off.
You can turn off proactive scans of Drive files and reports if desired.
Learn more about administrator privileges and creating custom administrator roles.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu SecurityAccess and data controlData protection.
- Under Data protection insights setting, select Off.
- Click Save. The reports are now turned off. You can turn it back on by navigating to Data protection insights setting and selecting On. If you turn the report back on, it will display sensitive data information from the beginning of the next quarter.
View the Data protection insights report if you are not a DLP admin
- If you are an admin and have Enterprise or G Suite Business , you will receive an email prompting you to view the quarterly Data Protection Insights report for the current quarter. Click View Report in the email.
Super admins can view the report, change the report on or off setting, and contact sales. Admins with only the View DLP rule privileges can view the report, but not turn it off or on or contact sales.
- On the DLP Home page, you see the report, which lists the number of Drive files with sensitive content for top data types.
- If you have the G Suite Business edition, and would like to use DLP data protection features, you’ll need to upgrade your edition. Click Yes, Contact Me to learn about this upgrade.
Common detectors used to create the Data protection insights report
Fifty common detectors that are used to create the Data protection insights reportGo to How to use predefined content detectors for a complete list of detectors with descriptions for each detector.
Detector names |
Region |
|
United States |
|
Australia |
|
Brazil |
|
Canada |
|
China |
|
France |
|
Germany |
|
India |
|
Japan |
|
Mexico |
|
Netherlands |
|
Spain |
|
United Kingdom |
|
Global |
Related information
- Use Workspace DLP to prevent data loss
- Create DLP for Drive rules and custom content detectors
- DLP for Drive rule nested condition operator examples
- View DLP for Drive dashboard incidents, alerts, and audit events
- View DLP content and rule size limits
- DLP for Drive FAQ
- Rules audit log
- How to use predefined content detectors