Data loss prevention overview


To comply with business standards and industry regulations, it's critical that your organization protects sensitive information to prevent its inadvertent disclosure. Sensitive information can include financial data, health records, credit card numbers, social security numbers, and employee evaluations. Use data loss prevention (DLP) policies to identify, monitor, and automatically protect sensitive information across Microsoft 365. Microsoft Purview Data Loss Prevention helps prevent users from accidentally, rather than intentionally, sharing sensitive content. (If a user is determined enough to send sensitive data outside the organization, they'll find another way to do so.)

DLP policies can:

  • Identify sensitive information across many locations:
    • Exchange Online
    • SharePoint Online
    • OneDrive for Business
    • Microsoft Teams
    • Endpoint Devices (Windows 10, Windows 11, and macOS)
    • Microsoft Defender for Cloud Apps
    • On-premises repositories
    • Power BI (preview)
  • Educate users on staying compliant without interrupting their workflow.
  • Produce DLP alerts and reports showing content that matches your organization's DLP policies.

Each DLP policy contains these elements:

  • Where to protect the content: Content is protected in locations like SharePoint Online, Exchange Online, OneDrive for Business accounts, Microsoft Teams chat and channel messages, Endpoint devices, Microsoft Defender for Cloud Apps, on-premises repositories, and Power BI (preview).

    Screenshot that shows DLP locations to protect.

  • When and how to protect the content: When and how to protect the content is defined by enforcing rules. A policy contains one or more rules, and each rule consists of conditions and actions at a minimum. For each rule, when the conditions are met, the actions are taken automatically.

    • Conditions: Circumstances under which a rule is enforced. For example, a condition might be configured to look only for content containing credit card information that has been shared with people outside the organization. But conditions can be more sophisticated, as well.
    • Actions: Define what happens when content matching the conditions is identified. An action could be to block access to a document and send the user and Compliance Manager an email notification. The complexity of the actions you specify is based on your business requirements.

You don't want a new DLP policy to unintentionally block access to thousands of documents that users are required to access. DLP policies should be rolled out gradually to assess their impact and test their effectiveness. Here's a three-step process for implementing DLP policies that minimizes the risk of unintended consequences:

  1. Start in test mode without policy tips. Use the DLP reports and incident reports to assess the impact of the policy. You can use DLP reports to view the number, location, type, and severity of policy matches. Based on the results, you can fine-tune the rules as needed. Configuring a DLP policy in this way won't affect user productivity. In addition, configuring the policies to be scoped to a subset of users, devices, instances, and/or repositories (that are aware of the upcoming changes) will aid in narrowing the reach from the start.
  2. Move to test mode with notifications and policy tips. Adding notifications and policy tips gives you the opportunity to educate users about your compliance policies and prepare them for the rules that are going to be applied. At this stage, you can also ask users to report false positives so that you can refine the rules.
  3. Start full enforcement. Broaden the policy's scope, including or excluding who and what you want the policy to cover. The actions in the rules are applied and the content is protected once full enforcement is in place. Continue to monitor the DLP reports and any incident reports or notifications to make sure that the results are what you intend.
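
The three stages map onto the `-Mode` setting of a DLP policy in Security & Compliance PowerShell. The script below is an added example, not part of the original module; the policy name and the SharePoint site URLs are placeholders chosen for illustration, and the rule uses the credit card condition described earlier.

```powershell
# Added example: staged rollout of a single DLP policy.
# Policy/rule names and site URLs are placeholders (assumptions), not values from this page.
param([ValidateSet(1, 2, 3)][int]$Stage = 1)

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in with an account allowed to manage DLP

$policy    = 'Pilot - Credit Card Data'                       # placeholder policy name
$pilotSite = 'https://contoso.sharepoint.com/sites/finance'   # placeholder pilot scope
$nextSite  = 'https://contoso.sharepoint.com/sites/sales'     # placeholder wider scope

switch ($Stage) {
    1 {
        # Stage 1: test mode without policy tips, scoped to one pilot site.
        New-DlpCompliancePolicy -Name $policy `
            -SharePointLocation $pilotSite `
            -Mode TestWithoutNotifications

        # Condition: credit card numbers in content shared outside the organization.
        # Actions: block access, notify the owner, send an incident report.
        # Blocking is not enforced while the policy is in a test mode.
        New-DlpComplianceRule -Name "$policy - external sharing" -Policy $policy `
            -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
            -AccessScope NotInOrganization `
            -BlockAccess $true `
            -NotifyUser Owner `
            -GenerateIncidentReport SiteAdmin
    }
    2 {
        # Stage 2: still test mode, but users now see notifications and policy tips.
        Set-DlpCompliancePolicy -Identity $policy -Mode TestWithNotifications
    }
    3 {
        # Stage 3: full enforcement, with the scope widened beyond the pilot site.
        Set-DlpCompliancePolicy -Identity $policy -Mode Enable `
            -AddSharePointLocation $nextSite
    }
}

# Confirm the mode and scope actually in effect before moving to the next stage.
Get-DlpCompliancePolicy -Identity $policy | Format-List Name, Mode, SharePointLocation
```

Run each stage only after the DLP reports from the previous one have been reviewed.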

Note

For more information about the licensing requirements for this solution, see the Microsoft 365 licensing guidance for security and compliance, linked in the Learn more section.

Learn more