Google DLP Rules

One of the major themes of Amplified IT’s Audit is addressing the fact that the Google Workspace for Education platform is designed with business in mind first and its education usage a very distant second or third. As a result, many of the settings found within the Admin console make a lot more sense when you look at it from a business vantage point of storing their proprietary data on Google’s Cloud. This is why Drive and Docs settings allow you to block sharing documents externally while allowing external users to share with your users, but not the other way around, as would be preferable in an K-12 environment.

This ‘business first’ mentality does have a place within a K-12 domain, however, it is mostly just for those users who are crucial to the business-end of the district. Team members in charge of payroll and human resources who may have personal information stored in files within Google Drive are ideal examples. There are also situations in which confidential content contained within other user’s Google Drives shouldn’t be shared externally. It is these example situations in which Google has developed their DLP rules in mind.

Since its release, Google has made some recent improvements to their DLP system. The new system provides a more flexible deployment while enhancing incident reporting. The new DLP system will work alongside the existing Legacy DLP system, with rules for the new system being in the Admin console under Security > Data Protection and the old system remaining under Rules.

Data loss can happen over more than just Drive file shares. Google has integrated the same pattern recognition methods available for Google Drive into Gmail’s content compliance. Within the content compliance settings, granular mail rules can be configured. These rules can be set to only trigger when single or multiple rules are matched and when used with the Admin quarantine option they can provide an optional release for approved communications.

An additional use for DLP rules, which can be a point of interest for educational institutions, is the use of the rules to search for inappropriate content within Students Google Drives. Aside from Google’s pre-built templates for patterns, such as Social Security numbers or credit card numbers, admin’s have been provided with a blank template where they can create their own DLP rules. In defining the conditions, both OrgUnits as well as Groups can be used to apply the DLP rules, including a Group exemption option. Regular expressions can also be used to search for patterns within the document, although it should be noted that the max length of a single Regular expression using DLP rules is 200 characters.

For those looking for a way to leverage the DLP rules for scanning for inappropriate content, Amplified IT, together with members of the North American Google Technical Collaborative, have created a Google Sheet has built our own objectionable content list with the use of this regex generator. The full Objectionable Content list is not suitable for all audiences, however, you can request access to the list we have created, here.

With enabling Google’s data loss prevention, there are some very major implications. With DLP enabled on any level of the domain, it currently prevents use of Google Forms document attachment functionality, both inside the organization and out. This is regardless of if the DLP rule is affecting the user which is attempting to upload the file. File submission is a highly used function within Google Classroom for assignments and is something to be aware of before testing DLP rules on your domain. There is a feature request post to correct this behavior that can be found here.

For some, this limitation is too much. They see the need for DLP, but don’t want to hinder classroom teachers and others that are accustomed to using Google Forms to collect data from their users. When trying to consider which is more critical, it can be an impossible situation. But there is another option. There are third party DLP companies which work with Google and which don’t find themselves with the same Google Form limitation. Amplified IT partners with SysCloud and feels that their near real time Google Drive scans designed to programmatically revoke sharing for files stored in Google Drive which match defined fills the need for those schools which are torn between form uploads and DLP settings.


DLP is something which Google is continuing to improve. As they bring in a new interface along with added flexibility and better reporting, the control over content contained within Google Drive and how it is shared improves with it. If you would like more information on DLP or would like a demo of Syscloud, our partner services team will be happy to help.

  • Stephen Gale
    Technical Support Analyst

  • About the Author:

    Stephen lives in Utah and enjoys the puzzle of investigating users’ problems and finding potential solutions. A recovering/reformed gamer, Stephen throws himself into his passion for staying on top of all things Chrome OS and Chromebook related. Prior to joining Amplified IT, Stephen served as a network admin in a therapeutic boarding school and an IT director, where he implemented Google Workspace for Education. Stephen has studied computer science and security at Weber State University, Western Governors University. A self-anointed honor, Stephen likes Chromebooks more than almost anyone else in the world.