What’s changing
In addition to Google Drive, we’re expanding data classification labels to now include Gmail. Classification labels are used to classify and audit content according to organizational guidelines (“Sensitive”, “Confidential”, etc.) and apply policies, such as data loss prevention (DLP) rules, to protect sensitive information in email messages. Classification labels will be available when using Gmail on the web – support for Gmail on mobile devices will be introduced in the coming months.
Who’s impacted
Admins and end users
Why it’s important
Data breaches are increasingly common and costly across all sectors, including enterprises, public sectors, and government institutions. To minimize data exfiltration and better understand the data being shared, organizations need to differentiate between various types of information and their sensitivity levels to apply data protection policies accordingly. By expanding data classification labels to Gmail, Google Workspace provides admins with a more flexible and robust system integrated with data protection capabilities to help organizations effectively categorize and protect sensitive information.
Specifically, admins can create:
- New classification labels or extend existing ones enabled in Drive labels for Gmail from the Label Manager. Labels can be used to denote department names, document types, document status, and other custom categories.
- Data protection rules with classification label as a condition, to apply actions to a message based on its classification. For example, a message will be blocked if it’s classified as ‘Internal’ and is being sent to an external recipient.
- Data protection rules to automatically apply classification labels to a message, based on its content. For example, a ‘Confidential’ label can be applied to a message if it contains sensitive financial information, such as credit card or bank account numbers.
- DLP rules with Confidential Mode as a condition to prevent sending messages with sensitive information, if it is not encrypted (Confidential Mode is not enabled)
- End users can view and apply Classification Labels when using Gmail on the web.
Additional details
- When Data loss prevention (DLP) rules for Gmail using classification labels either as a condition or as an action, messages are scanned asynchronously. This means that the message is classified, blocked or quarantined after it leaves the sender’s mailbox) and before being dispatched to the recipient. In a future release, we plan to provide synchronous support with instant notifications consistent with our synchronous support of instant DLP enforcement for Gmail.
Note that:
- If the message is blocked as a result of the classification label applied to it, the sender will get a bounce back message.
- If the message is automatically labeled by a DLP rule, the sender will not see the label reflected in the sent message. The recipient will see the automatically applied label the same way as any other classification label applied manually by the sender.
- Only Badged options list and Multiple Options list (Single select) field types are supported in Gmail. If classification labels are enabled for usage in both Gmail and Drive, and it contains fields that are not supported in Gmail, such as date or persona, Gmail users will see the label only with fields of the supported types.
Getting started
- Admins:
- Gmail classification labels can be enabled at the domain, group level, or individual user level. You also have the option to enable existing classification labels used in Drive for use in Gmail. The Label Manager tool can be accessed by going to Security > Access and data control or admin.google.com/ac/dc/labels in the Admin console.
- Visit the Help Center to learn more about getting started with classification labels, Gmail DLP & automatic classification labels, and preventing data leaks in email and attachments.
- Note: Labels can be viewed by any admin in your organization with the Manage Labels privilege. They can also be visible to everyone in your organization based on the label’s permissions settings.
- End users: If configured by your admin, you’ll see the “Classification” option when composing a new messaging or replying to an existing message — when you open the menu, you can select labels relevant to your message. We’ll share the end user Help Center article on Monday, November 3, 2024.
Rollout pace
- Rapid Release and Scheduled Release domains: Gradual rollout (up to 15 days for feature visibility) starting on November 1, 2024
Availability
- The Label Manager and manual classification is available to Google Workspace:
- Frontline Starter and Standard
- Business Standard and Plus
- Enterprise Standard and Plus
- Education Standard and Education Plus
- Essentials, Enterprise Essentials, and Enterprise Essentials Plus
- Data loss prevention rules with labels as a condition or labels as an action are available to:
- Enterprise Standard and Plus
- Education Fundamentals, Standard, Plus, and the Teaching & Learning Upgrade
- Frontline Standard
- Cloud Identity Premium (in combination with a Workspace Edition eligible for Gmail)