← All controls

26 DLP rules (Drive/Gmail/Chat)

Data protection rules scan Drive files, Gmail messages and Chat messages for content that matches a detector — card numbers, national IDs, credentials, or a custom regex — and audit, warn or block when that content is shared or sent. A rule is scoped by OU or group, by app, by trigger condition and by detector, and its alerts land in the alert center at the severity you choose. The usual sequence is audit-only to size the false positives, then warn, then block.

Caveats

Setup steps

  1. open ↗
    Admin console screen — Security > Access and data control > Data protection

    https://admin.google.com/ac/dp · captured 2026-07-15

    Security › Access and data control › Data protection
  2. open ↗ Security › Access and data control › Data protection › Add rule > New rule from template

    Create data protection rules ↗

  3. open ↗ Security › Access and data control › Data protection › Add rule > New rule
    Scope
    all users
    Apps
    Drive + Gmail + Chat
    Conditions
    content matches detector
    Trigger
    file shared externally / message sent externally

    Create data protection rules ↗ Create DLP for Drive rules and custom content detectors ↗

  4. Security › Access and data control › Data protection › Add rule > New rule

    Action = Audit only (week 1) → Warn → Block (Drive: Block external sharing; Gmail: Block message, outgoing messages only); Alerting severity = High, send to the alert center

Ongoing maintenance

How to verify

  1. Create a canary document containing a synthetic detector hit (test credit-card number), share it externally from a test account, and confirm the rule blocks/warns and raises the alert.

v0.1.2Preventedition Ent Std+ policy #15 · #33 ↗