Friday, November 1, 2024

Data classifications labels for Gmail are now available in open beta

What’s changing

In addition to Google Drive, we’re expanding data classification labels to now include Gmail. Classification labels are used to classify and audit content according to organizational guidelines (“Sensitive”, “Confidential”, etc.) and apply policies, such as data loss prevention (DLP) rules, to protect sensitive information in email messages. Classification labels will be available when using Gmail on the web – support for Gmail on mobile devices will be introduced in the coming months.

Who’s impacted

Admins and end users

Why it’s important

Data breaches are increasingly common and costly across all sectors, including enterprises, public sectors, and government institutions. To minimize data exfiltration and better understand the data being shared, organizations need to differentiate between various types of information and their sensitivity levels to apply data protection policies accordingly. By expanding data classification labels to Gmail, Google Workspace provides admins with a more flexible and robust system integrated with data protection capabilities to help organizations effectively categorize and protect sensitive information. 

Specifically, admins can create:

  • New classification labels or extend existing ones enabled in Drive labels for Gmail from the Label Manager. Labels can be used to  denote department names, document types, document status, and other custom categories. 

The Label Manager tool can be accessed in the Admin console  by going to Security > Access and data control


  • Data protection rules with classification label as a condition, to apply actions to a message based on its classification. For example, a message will be blocked if it’s classified as ‘Internal’ and is being sent to an external recipient.
Notification about delivery failure due to DLP policy, blocking messages labeled as ‘Confidential’ to be sent to recipients outside of the organization




  • Data protection rules to automatically apply classification labels to a message, based on its content. For example, a ‘Confidential’ label can be applied to a message if it contains sensitive financial information, such as credit card or bank account numbers.
Data protection rule with ‘Apply a label’ action. Classification label specified in the rule will be applied to a message, if message contains information matching conditions of the rule

  • DLP rules with Confidential Mode as a condition to prevent sending messages with sensitive information, if it is not encrypted (Confidential Mode is not enabled)
Data protection rule is set up to detect messages with sensitive information (credit card or passport numbers) and confidential mode disabled in order to enforce sending such info with enhanced protection measures





  • End users can view and apply Classification Labels when using Gmail on the web.
Users can apply classification labels to a message, according to the organization’s data governance policies



Additional details

  • When Data loss prevention (DLP) rules for Gmail using classification labels either as a condition or as an action, messages are scanned asynchronously. This means that the message is classified, blocked or quarantined after it leaves the sender's mailbox) and before being dispatched to the recipient. In a future release, we plan to provide synchronous support with instant notifications consistent with our synchronous support of instant DLP enforcement for Gmail.

Note that:
    • If the message is blocked as a result of the classification label applied to it, the sender will get a bounce back message.
    • If the message is automatically labeled by a DLP rule, the sender will not see the label reflected in the sent message. The recipient will see the automatically applied label the same way as any other classification label applied manually by the sender.

  • Only Badged options list and Multiple Options list (Single select) field types are supported in Gmail. If classification labels are enabled for usage in both Gmail and Drive, and it contains fields that are not supported in Gmail, such as date or persona, Gmail users will see the label only with fields of the supported types.

Getting started

  • Admins: 
  • End users: If configured by your admin, you’ll see the “Classification” option when composing a new messaging or replying to an existing message — when you open the menu, you can select labels relevant to your message. Visit the Help Center to learn more about adding classification labels in Gmail.

Rollout pace


Availability

  • The Label Manager and manual classification is available to Google Workspace:
    • Frontline Starter and Standard
    • Business Standard and Plus
    • Enterprise Standard and Plus
    • Education Standard and Education Plus
    • Essentials, Enterprise Essentials, and Enterprise Essentials Plus

  • Data loss prevention rules with labels as a condition or labels as an action are available to:
    • Enterprise Standard and Plus
    • Education Fundamentals, Standard, Plus, and the Teaching & Learning Upgrade
    • Frontline Standard
    • Cloud Identity Premium (in combination with a Workspace Edition eligible for Gmail)

Resources