Getting started with DLP

DLP Data Protection Insights reports

Get reports about your Drive files and Gmail messages with sensitive content

Supported editions for this feature: Frontline Starter, Frontline Standard, and Frontline Plus; Business Starter, Business Standard, and Business Plus; Enterprise Standard and Enterprise Plus; Enterprise Essentials and Enterprise Essentials Plus;Education Fundamentals, Education Standard, and Education Plus Compare your edition

DLP Data Protection Insights reports are available for Gmail and Google Drive in your Google Admin console. These reports include information about the sensitive content types in your organization, and list the Drive files and outgoing Gmail messages that contain sensitive content. Drive reports are updated quarterly and contain information about all Drive files. Gmail reports are updated daily and contain information about messages that were sent in the previous 30 days.

You can view reports and turn them on or off in your Google Admin console.

On this page

View Data Protection Insights reports 

Before you begin, make sure you have the right admin privileges to view reports.

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

    Super admins can view reports and turn reports on or off. Admins with View DLP rule privileges can view reports only.

  2. Go to Menu and then Security > Access and data control > Data protection.

    Requires having the View DLP rule and Manage DLP rule administrator privileges.

  3. View the quarterly or daily report. Reports are read only and can’t be modified.

Turn Data Protection Insights reports off or on

Super admins can view reports and turn them on or off. Reports can be turned on and off separately for Drive and Gmail. Drive reports are default on. Gmail reports are default off except for Google Workspace Business editions, which are default on.

To turn reports off or on:

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Go to Menu and then Security > Access and data control > Data protection.

    Requires having the View DLP rule and Manage DLP rule administrator privileges.

  3. Under Data insights scanning and report setting, select On or Off for the reports you want to manage, Drive or Gmail.
  4. Click Save.

When you turn reports back on, Drive reports have data from the beginning of the next quarter and Gmail reports reset to day 1 of 30.

About Data Protection Insights reports

A set of common detectors is used to identify sensitive content and generate reports for Drive and Gmail. Admins get a custom quarterly (Drive) or daily (Gmail) report based on the data in their environments. There are 48 common detectors for Gmail and 50 for Drive, listed below in Common detectors used to create the Data protection insights report

Reports don't include details about every file or message in the reports. To get more details about files and messages in reports, we recommend you add DLP rules to help you get information about sensitive file and message sharing. 

Reports can contain false positives. While the detectors attempt to leverage the highest available likelihood threshold, there can be instances where detection may be limited based on the files in your applications.

Viewing reports

To view reports in your Google Admin console, you need a super administrator account or a delegated admin account with these admin privileges:

  • Organizational unit administrator privileges
  • Groups administrator privileges
  • View DLP rule and Manage DLP rule privileges. To create and edit rules, you must have both of these privileges. We recommend creating a custom role that has both. Admins with View DLP rule privileges only can view reports, but can’t turn reports off or on.

Learn more about administrator privileges and roles.

Drive reports

Drive reports are updated quarterly and include data for all files currently stored in Drive. 

DLP regularly and proactively scans all Drive files based on a set of default detectors for sensitive data. Reports are based on these scans. The contents of Drive files can change between scans. 

The following types of sharing are identified and included in Drive reports:

  • Sharing through an invite or email to a non-Google account
  • Sharing through a link that anyone on the web can open
  • Sharing to an individual’s Google account
  • Sharing to Google groups
  • Sharing from My Drive and shared drives
    • In My Drive, DLP detects the sharing of individual files and the sharing of the parent folder for those files.
    • In a shared drive, DLP detects the sharing of individual files individually and the sharing of the root folder on a shared drive.

Drive reports include:

  • Overall percentage of files containing sensitive content that are being shared externally
  • Top data types that are shared
  • Number of Drive files that contain sensitive content
  • Number of Drive files with sensitive content that are shared externally
  • Percentage of files with sensitive content that are shared externally for each data type

Gmail reports

Gmail reports are updated daily and include information about outgoing messages from the previous 30 days. 

For Gmail, DLP scans outgoing messages based on a set of default detectors. Daily reports are generated based on these scans, using predefined data types that identify 48 types of sensitive information. Gmail reports have this information for outgoing messages:

Gmail reports have this information for outgoing messages:

  • Top data types shared
  • Number of outgoing messages with sensitive content
  • Number of Gmail messages with sensitive content that are shared externally
  • Percentage of messages with sensitive content that are shared externally for each data type

Recommended actions based on reports

DLP recommends new rules based on report contents. For example, if the report lists passport numbers as a shared data type in your organization, DLP recommends a rule to prevent the sharing of passport numbers.

Drive admins can use Drive user sharing permissions to control file sharing. For details on controlling how users in your organization share Google Drive files and folders, go to Set Drive user’s sharing permissions. Drive admins can also Create DLP for Drive rules and custom content detectors.

Gmail admins can manage outgoing email messages by adding DLP rules that apply warn, quarantine, or block actions to outgoing messages with sensitive content. For details on how to add these, visit Prevent data leaks in email & attachments (Gmail DLP).

Report content detectors

These are 50 common detectors used to create reports. The Email address and Phone number detectors aren’t used for Gmail reports because these data types frequently appear in email footers, which can result in false positives in reports. 

For a complete list of detectors with descriptions, see How to use predefined content detectors.

Detector names

Region
  • Driver’s License Number
  • Employer Identification number (EIN)
  • National Provider Identifier (NPI)
  • Individual Taxpayer Identification Number (ITIN)
  • Passport
  • Social Security Number (SSN)
  • Committee on Uniform Security Identification Procedures (CUSIP)
  • Food and Drug Administration (FDA) Approved Prescription Drugs
  • American Bankers Association (ABA) Routing Number
  • Drug Enforcement Administration (DEA) Number

United States
  • Medicare Account Number
  • Tax File Number (TFN)

Australia
  • Cadastro de Pessoas Físicas (CPF) number

Brazil
  • British Columbia Personal Health Number (PHN)
  • Ontario Health Insurance Plan (OHIP)
  • Passport
  • Quebec Health Insurance Number (HIN)
  • Social Insurance Number (SIN)

Canada
  • Passport

China
  • Carte Nationale d’Identité Sécurisée (CNI) - national identity card
  • Numéro d'Inscription au Répertoire (NIR) - Social Security Number
  • Passport

France
  • Passport

Germany
  • Personal Permanent Account Number (PAN)

India
  • Driver’s License Number
  • Individual Number
  • Passport

Japan
  • Clave Única de Registro de Población (CURP) - national identification number 
  • Passport

Mexico
  • Burgerservicenummer (BSN) - national identification number
  • Passport

Netherlands
  • Número de Identificación Fiscal (NIF) Number
  • Número de Identificación de Extranjeros (NIE) Number
  • Driver’s License Number
  • Passport

Spain
  • Driver’s License Number
  • National Health Service (NHS) Number
  • National Insurance Number (NINO)
  • Taxpayer Identification Number - Unique Taxpayer Reference (UTR)
  • Passport

United Kingdom
  • Credit card number
  • Email address (Drive only)
  • Gender identity 
  • Bank account number (IBAN) - International Bank Account Number 
  • ICD 10-CM Lexicon
  • ICD 9-CM Lexicon
  • International Mobile Equipment Identity (IMEI) - hardware identifier
  • IP address
  • Phone number (Drive only)
  • Bank account number (SWIFT)

Global

Related information

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Post to the help community Get answers from community members
Contact us Tell us more and we’ll help you get there
true
Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.

Search
Clear search
Close search
Main menu
17435547534037073522
true
Search Help Center
false
true
true
true
true
true
73010
false
false
false
false