Best practices for automated DLP policies in Google Drive

19/02/2025

—

Let’s face it: automated Data Loss Prevention (DLP) policies are really the only way to keep your organization’s data safe in Google Drive. Because auditing and managing file access manually across a busy company is impossible.

Employees are focused on their own tasks and deadlines, and sometimes it’s just quicker to share files with “Anyone with the link,” even if they mean well. People also share files with their private @gmail.com address before leaving the company more often than you’d think. Sometimes it’s because they feel they own the project they’d been working on, sometimes it’s because they don’t want to lose access to the information that could be useful to them in their new job. Needless to say, you don’t want them using your company’s data while working for a competitor!

Automating DLP policies saves time and protects your organization from insider threats — whether it’s accidental or intentional sharing of sensitive files. Plus, these policies help ensure you stay compliant with data protection regulations and avoid hefty fines.

We give you a step-by-step plan to automated security policies that can save your organization from data leaks. Implement these policies in the Florbs File Security for Google Drive and never worry about unauthorized access to your company’s files again.

Step 1: Clean up legacy file access

The principle of Just in Time Access is a fundamental best practice in data protection regulations, and it’s something every organization should adopt. Why should users retain access to files when they no longer need it? Files that remain inactive for extended periods can pose unnecessary risks, especially when external users still have access to them.

Legacy data can be particularly tricky if your company’s security was not as strict in the past: you risk exposing something that was acceptable then but could cause problems now. By setting up automated rules, you can ensure that access to files is removed as soon as they’re no longer needed, minimizing these risks without manual intervention.

To prevent any work disruptions, you can set up automated policies to remove access step by step. Start by revoking sharing with personal accounts — since that’s rarely a good idea — then change Editors to Viewers, and gradually restrict access for files that haven’t been opened or updated in a long time. This way, permissions are tightened without interrupting ongoing work. And if someone does need access after all, they can always request it!

Files inactive for over 1 month:

• Remove sharing with personal accounts.

Files inactive for over 6 months:

• Change all Editors to Viewers.

• Prevent Viewers and Commenters from downloading, printing, and copying files. 

Files inactive for over 1 year:

• Remove “Anyone with the link” access.

• Remove “Domain with the link” access.

Files inactive for over 2 years:

• Remove all external sharing.

Step 2: Prioritize high-risk files

Certain parts of your organization’s Google Drive are inherently higher risk than others — such as specific shared drives (think of Management or Legal teams drives), or a specific folder (e.g. “Client contracts”).

These often contain highly sensitive data that could cause significant harm if exposed. To mitigate these risks, implement automated security policies that restrict the ability of Editors to share files externally, prevent Viewers from downloading, printing, or copying documents. Insider threats are always a concern, and automated DLP rules provide a safeguard against intentional or accidental leaks. Applying stricter policies to high-risk areas helps ensure that only the right people have access to the most sensitive data.

Confidential folders or drives (e.g., Management Team, Legal shared drive):

• Restrict Editors from sharing files to prevent “chain reactions”

• Prevent Viewers from downloading, printing, or copying files.

• Consider stricter policies if needed:

  —> Remove sharing with personal accounts (or change all Editors to Viewers).

  —> Remove “Anyone with the link” sharing (or change Editors to Viewers).

Step 3: Implement data classification in Google Drive

Data classification is more than just a best practice — it’s a requirement under many data protection regulations. By automatically labeling sensitive files, you can ensure that DLP policies are properly enforced in Google Drive. This is crucial because manual classification can be time-consuming and prone to error.

Automating the labeling allows your organization to ensure that all sensitive documents are appropriately labeled as “Confidential,” and are subject to the necessary restrictions, such as limiting sharing with personal accounts or preventing unauthorized downloads. It is key to keeping your organization compliant while saving significant time and resources.

Files owned by the management team or stored in confidential locations (e.g., Management Team shared drive or Legal team shared drive):

• Automatically label as Confidential.

Files with sensitive keywords in the title (e.g., “CV”, “financial report”, “earnings”, “Confidential”, “Contract”, “NDA”):

• Automatically label as Restricted.

Step 4: Protect future files. Enforce security policies based on labels

Once data is labeled according to its sensitivity, it’s vital to apply appropriate security policies automatically. For files labeled as Confidential, DLP rules should enforce strict sharing settings, such as removing external sharing with personal accounts or preventing Viewers from downloading or printing.

Automating these policies ensures that files are consistently protected, even in the face of human error or negligence. Furthermore, this automation helps organizations stay compliant with data protection regulations, such as ISO 27001, NIS2, and GDPR, reducing the risk of fines or reputational damage.

For all files labeled as Confidential:

• Remove sharing with personal accounts.

• Remove "Anyone with the link" sharing

• Restrict domain sharing to "Must have a link to access".

• Prevent Viewers from downloading, printing, or copying files.

Incorporating automated DLP rules into your Google Workspace security strategy is not just a smart choice — it’s a necessary one. By automating key security measures, you can save time, minimize human error, and protect sensitive data from insider threats.

Implementing Just in Time access for inactive files, prioritizing high-risk areas, and using automated data classification all play critical roles in ensuring your organization’s data in Google Workspace is secure and compliant.

Start applying these best practices today in Florbs File Security for Google Drive to enhance your Google Drive security and streamline your data protection efforts.