6 Google Drive Data Loss Prevention Practices every CIO Must Know

6 Google Drive Data Loss Prevention Practices every CIO Must Know

See GAT Labs
in action

Table of Contents

How to set up Google Drive Data Loss Prevention (DLP) across your domain?

According to The Economist, ‘the world’s most valuable resource is no longer oil, but data’. So it makes sense that we’d want to protect our data assets from sly prying eyes, loss or damage 24/7.

Now when most of that data is stored in Google Drive, ensuring Google Drive Data Loss Prevention (DLP) is imperative.

But is there a secret ‘1+1=2’ equation to ensure Google Drive DLP? That’s what we’ll unravel together in the next 4 minutes!

DLP Incidents

6 Best Google Drive Data Loss Prevention Practices

To ensure Google Drive Data Loss Prevention you need to develop best practices for it, and stick to them.

So Grab a fresh post-it (or open a new Google Keep) and jot down the below DLP practices to revisit and maintain as you go.

1- Build a DLP friendly Drive Structure

It all starts with your organisation’s Drive structure, you need to ensure that it’s in order.

Start by finding which files lie in personal or ‘My Drives’ and need to be moved to ‘Shared Drives’ and vice versa. Then move those files to the right and ‘secure’ place on your Drive.

You may also need to decide whether it’s better to create a shared drive with a folder for each area or one shared drive for each area? — that should help make your future Drive Audit operations easier.

How to restructure Google Drive files in bulk?







2- Audit Drive File Ownership and Access Management

Who has Access/ Ownership rights to which files or folders? 

Now that you’ve got your Drive structure in order, let’s move on to file ownership and access management. This is perhaps the most important DLP practice you need to vigilantly observe. 

Without knowing who owns which files and who can access them you can’t protect your most valuable data from being lost or leaked.

More importantly, you must ensure law-protected data isn’t accessed by unauthorised parties.

To do that you need to continuously audit your company’s Google Drive to grant and revoke file ownership and access rights to the right users, especially when it comes to sensitive files.

One helpful way to do this is by creating nested groups to manage access to content and resources. This helps decrease duplication, simplify administration, and centralize Drive access management.

Locking Important Drive Docs?️

You may also consider ‘Locking’ your MOST sensitive Drive Docs — There are two ways to achieve that:

1. Encrypt Docs: Google doesn’t yet offer native individual password protection for Docs. But you can encrypt them on your PC and then upload them using Google’s Backup and Sync desktop program.

The downside to this approach is that you won’t be able to edit these files in Google Docs (or the cloud). You’ll need to download them on your PC first, decrypt them, then edit them using a desktop program.

2. GAT Unlock: GAT Unlock is a third-party tool that ensures access to Docs, or change of ownership of Docs, without the owner’s knowledge or permission, can only be accomplished with the input of at least two people in the organization. Read more.

This saves you the above hassle of encrypting Docs and allows you to keep working ‘in the cloud’, rather than rely on desktops.


3- Monitor Google Drive Activity

Your Google Drive activity is your first whisperer of DLP trouble or risk.

By monitoring Drive activity you can spot suspicious Behaviour Indicators  like unusual or unsafe Drive downloads, increased external or internal sharing, or deletions.

Such indicators help you understand and assess users’ history and Behaviour, and decide whether it should be allowed to continue or altered, as well as establish a DLP process change for your organisation when needed.

How to Monitor Google Drive Activity for DLP?

1.Visit and review the Data protection insights report and File Sharing Exposure report in your Admin console on a regular basis.

Note: As of March 2021, Google started providing recommended data loss prevention (DLP) rules personalized for your organization. These can help you up your DLP rules game by knowing where necessary adjustments or additional investigation is needed.

2.Alternatively, you can use GAT+ for deeper Google Drive DLP audits beyond the admin console, with one-click insights available at a glance.


4- Create a DLP policy for files shared out

Speaking of  ‘Google Drive Activity’, one important area you’ll want to dedicate additional efforts to is ‘files shared outside your corporation’.

These files are perhaps the biggest DLP hazard and you need full insight into their content.

A powerful Google Drive Data Loss Prevention policy here should not only give you control over what users share with external parties, but  also prevents the unintended exposure of sensitive information such as company card details and social security numbers (SSN). 

**Set up Google Drive DLP Alerts, including Regex Alert Rules, for files shared outside your organisation using GAT+, Learn more**


5- Lock out Leavers

They say ‘Watch out for angry leavers’! — We say ‘Watch out for ALL leavers’.

One of the most important DLP practices you’ll want to adopt is deploying a bullet-proof DLP process for off boarding leavers, and here’s why:

Suspended accounts of leavers can result in loss of important data. This is a common DLP scenario. Also, wrongfully suspended accounts can typically cause approximately 70% of data availability issues.

You also need to ensure that leavers can no longer access important corporate Drive resources once they leave. Otherwise, it can bring in significant DLP hazards, especially if they choose to use it in malicious ways.

Make sure to check out our post: Safely Offboard Google Workspace Users Leaving your Company (in 5 Steps).


6- Configure Google Drive DLP Alerts

Make sure you have a way of getting notified of risky DLP behaviour!

This ensures 24/7 Drive protection, without having to manually run audit scans every hour of the day.

How to set up Google Drive DLP Alerts?

There are TWO ways to do so:

1. For Enterprise; Enterprise for Education editions, you can Scan and protect Drive files using DLP rules, covering Google Sheets, Docs and Slides.

2. GAT+: Set up real-time Google Drive DLP actionable alerts for files with specific content shared outside your domain.

 Getting these DLP alerts in real-time and defining the actions you’d like to be taken for each helps you act faster and handle accidental data mishaps better.


Want to take your Google Drive management skills to the next level? Check out our Admin’s Google Drive Management Playbook. 


Stay in the loop

Sign up to our newsletter to get notified whenever a freshly baked blog post is out of our content oven.

Related Posts


Google Workspace Admins’ Most Liked Blog Posts in 2022

Google Workspace Admin, are you a lifelong learning fan?  If so, you are in good hands. Instead of looking for learning opportunities blindly somewhere, take …

Read More

New Year Gmail Clean-Up for Google Admins

It’s a moment of truth, Google Workspace Admin – did your domain users finish 2022 with a mess in their Gmail? If you said “yes”, …

Read More

Christmas Phishing Emails you Need to Watch out for

Every year online hackers improve their methods of tricking to use them during the festive season. Christmas phishing emails are one of the gifts no …

Read More

True or False? 4 Questions for Google Workspace Admin

Google Workspace Admin may have and receive a lot of questions about this tool and we totally understand that – it’s a complex package of …

Read More