Data Loss Prevention (DLP) is a feature available in SharePoint, which helps you to protect your data while it is stored or shared. DLP had been in existence in Microsoft Exchange but has been brought to SharePoint Online as users are storing sensitive data and sharing it, using SharePoint Online. Outlook implements DLP, using "Policies and Rules", so that whenever we are drafting a mail and it contains the sensitive information, like Credit Card Number or SSN, or any other similar information, we get a notification regarding the same.

DLP uses similar rules and policies to implement DLP in SP Online. By setting up the required policies, we can prevent sensitive information from being shared. If an attempt to share a document with the sensitive information is made, we get the alert  given below as mail as well as an icon is placed against the document, which indicates it is blocked for being used only by the owner, last modifier and the site owner. Once the sensitive information is removed from the document, the block is released.



In this article, we will see how to set up the Data Loss Prevention policy to secure credit card information, using rules and policies in SharePoint Online.

Set up DLP Policy

Let’s head over to the SharePoint Admin Center and select "Security and Compliance".



From Threat management, select ‘Data Loss Prevention’ option.



Click on the Plus icon to add a new DLP policy.



This will open up a Window, where we can select the type of information that we would like to protect. We can either select already available templates or we can select Custom option to build a custom policy.



Now, we have to select the Services that we would like to protect. Let’s select SharePoint Online and OneDrive.



Setup Rules for the DLP Policy

As a part of creating the policy, we have to assign the specific rules that will catch the sensitive information while in transit. Click Plus icon to configure the rule.



Click Add Condition to add the conditions that will form the satisfying condition for DLP rule.



Let’s select “Content contains sensitive information” as the main condition that triggers the policy.



We can select multiple sensitive information types. We will go ahead with the credit card number as the primary sensitive information, which we would like to protect.





Now, we have to specify what action should be taken when the specific rule is met. Click Add actions to trigger the resulting action.



Let’s select Block the content as the first action.



Once it is blocked, we will have to send a notification regarding the block of sensitive information data to the end user. In order to do this, select Send a notification option as well.



Thus, we have set up the actions given below by which the content will be blocked and the notification will be sent to the end-user regarding the same.



We will save the rule by giving it a name. Click OK.



If we want to add more rules, we can click Plus icon, else click Next.



Now, let’s give the DLP policy; a name and click Create. This will complete the creation of the DLP policy.



Thus, we have completed the creation of DLP rule and the policy.



Test the DLP Policy

We can now test DLP policy, which we have created. I have uploaded the few documents, which contains sensitive information – credit card number. On sharing the document, the DLP policy should be triggered, which will block the content and send a notification mail to the end-user. To test DLP, let’s share one of the documents that contains the sensitive information.



It has been shared with a SharePoint user account.



In few minutes time, we get a mail notification, which states that DLP rule has been matched and it has to be rectified.



Until the sensitive information has been removed from the user, the document access will be restricted to its owner, last modifier and the site owner.



If we go to the Library, we can see that a blocked icon has come up against each of the documents that matches DLP rule.



Summary

Thus, we have seen how to create a Data Loss Prevention rule and policy in SharePoint Online to prevent the sensitive information from being shared among the users.