Skip to content

How to set up Drive DLP in Google Workspace

BetterCloud

March 13, 2025

4 minute read

A hand holds a smartphone displaying the Google Workspace logo, surrounded by icons for Gmail, Meet, Calendar, Drive DLP, and Docs. In the background, cityscape silhouettes appear against a calm blue sky, adding an urban context to the technological theme.

TABLE OF CONTENTS

Protecting sensitive data is no longer a “nice-to-have” for businesses; it’s a critical necessity. Today where new data breaches are reported almost every day and regulatory compliance is stringent, organizations must proactively defend their valuable information.

One of the most effective ways to do this is by leveraging Data Loss Prevention (DLP) for your file-sharing environment. Imagine preventing the accidental or malicious sharing of confidential financial records, proprietary intellectual property, or sensitive customer data with just a few clicks. This guide will walk you through setting up Drive DLP, empowering you to take control of your data security and ensure peace of mind.

Getting started: Enable Data scanning and report in the Google Admin Console

Before diving into rule creation, ensure data scanning and reporting are enabled. This allows you to monitor DLP detectors and gain valuable insights.

Data protection in Google Admin Console

Step 1. Access the Google Admin Console: Log in using your administrator account.

Step 2. Navigate to Security > Data Protection

Step 3. Enable Data Scanning and Reporting: At the bottom of the page, enable the Data scanning and report setting to have your DLP detectors reported in the Data Protection Insights Dashboards (see screenshot below). We recommend you keep this setting ON for audit and compliance purposes.

Understanding DLP detectors, rules, and actions 

DLP operates through a system of detectors, rules, and actions:

  • Detectors: Identify sensitive content (e.g., credit card numbers, keywords).
  • Rules: Define when and where detectors are applied.
  • Actions: Determine what happens when sensitive content is detected (e.g., alerts, blocking).
Data loss protection actions flow

Creating custom detectors

  1. Click Manage Detectors > Add detector
  2. Select Regular expression or a Wordlist (depending on your needs)
  3. Name and configure the custom detector

Creating DLP rules

  1. Go to Manage rules > Add rule
  2. Select New rule or New rule from template
  3. Name and define the Scope of your scans (OUs and groups)
  4. Determine the Triggers of events and set Conditions to define sensitive content as refinement steps.
  5. Determine the Appropriate Actions (Alert, Action, Severity)
  6. Review – Lastly, you get to review the rule and choose whether to activate it or not. After that, your rule has been created.

Examples of DLP rules for Google Drive

Although Google has made it easy to implement DLP rules through default detectors and templates, organizations are able to create their own custom rules and detectors. We will cover an example of each DLP configuration below.

1. Protect Credit Card Numbers with default detectors

Adding a new rule in Google Workspace for DLP

Step 1:  Enter Google Admin Console
Step 2: Access Security > Data Protection > Manage Rule
Step 3: Click Add Rule > New Rule

Select the scope of the rule to apply DLP settings to organizational units

Step 4: Add the name and description for the rule
Step 5: Select the scope of the rule (see screenshot) 

Add specific conditions to define sensitive content in Google Workspace

Step 6: Check the File Modified box and add/select: Field– All content
Value – Matches default detector
Default detector – Global – Credit card number
Likelihood Threshold – Possible
Minimum unique matches – 1
Minimum match count – 1

Select the actions and alerts to enforce in Google Workspace

Step 7: Select the Action and the Alerts you want to enforce

Create a DLP rule in Google Workspace

Step 8: Review and Create Rule

  • Use template to prevent financial information sharing

2. Use template to prevent financial information sharing

Add a rule in Google Workspace settings for DLP

Step 1:  Enter Google Admin Console
Step 2: Access Security > Data Protection > Manage Rule
Step 3: Click Add Rule > New rule from template

Select a template to prevent financial information sharing

Step 4: Select the template “Prevent financial information sharing”
Step 5: Select the scope of the rule
Step 6: Review the conditions and create the DLP rule

3. Protect files containing sensitive keywords (custom detectors)

Add keywords for a custom detector in Google Workspace

Step 1:  Enter Google Admin Console
Step 2: Access Security > Data Protection > Manage Detectors
Step 3: Click Add Detector and select Wordlist
Step 4: Fill out name, description and keywords (see screenshot)
Step 5: Click Manage Rules > New rule
Step 6: Repeat the same process as stated in example 1 and 2.

Pro tip!

  • Use the Investigation Tool to view and review the performance of your DLP events and rules (Enterprise only)
  • Use the Alert center to get a summary of the DLP alerts you have configured.

Secure your Google Workspace today

You can start your free trial today and gain insight into your file-sharing footprint. (Please note that you must have admin rights to your Google Workspace tenant.)

Don’t leave your sensitive data vulnerable. Implement Drive DLP and consider enhancing it with marketplace solutions to create a robust data security strategy. Choose the option that best suits your needs, and start securing your Google Workspace today!

Categories

Related Articles