In plain English
DLP policies automatically monitor how sensitive data — credit card numbers, tax file numbers, health records — is being used. They can block emails containing this data from being sent externally, warn users before they share a confidential file, or generate alerts when data appears in unexpected locations.
Full definition
DLP works by scanning data in motion and at rest against a set of rules you define. Those rules can be as specific as blocking any email that contains a string matching Australian tax file number format, or as broad as flagging any file labelled "Confidential" that gets attached to a message going to a personal Gmail address. DLP applies these policies across , , Teams, and endpoint devices, so the same rule covers email, file sharing, and what employees copy to USB drives.
The practical consequence of not having DLP in place shows up quickly. A payroll spreadsheet forwarded to the wrong distribution list. A sales rep emailing a customer database to their personal account before resigning. A contractor posting a document to the wrong SharePoint channel. None of those require malicious intent; they just require someone to click the wrong button. DLP intercepts those actions before they become a breach notification under the .
What good DLP policy design looks like
Policies can block, warn, or log depending on severity. A block stops the action outright. A warning lets the user override if they have a business reason, but records the decision. Logging does nothing visible to the user but captures the event for audit. Most organisations start with warn-and-log for a period to understand what their data actually does before turning on hard blocks.
- Classify data before writing policies. Purview give DLP rules something concrete to act on.
- Start in audit mode to see what would have been blocked, without disrupting legitimate workflows.
- Apply stricter rules to high-risk scenarios: external recipients, personal email domains, USB transfers.
- Review policy match reports monthly. False positives erode user trust and get bypassed.
