This page describes the data risk and sensitivity levels that Cloud Data Loss Prevention (DLP) assigns to data profiles. To understand the data risk levels, it's important to understand the sensitivity levels first.
Sensitivity level is an indication of how sensitive the data in a project, table, or column is. Data is sensitive if it contains detected elements, such as personally identifiable information (PII), financial data, and credentials.
A data profile can have any of the following sensitivity levels:
- Highly sensitive personal information might be present, including credit card numbers and certain national identifiers.
- Sensitive information that is not classified as highly sensitive might be present. Examples are email addresses, phone numbers, and custom infoTypes, which can be considered personally identifiable. The data might also include freeform text or unstructured data, such as comments.
- Sensitive information was not detected.
Data risk level
Data risk level is the risk associated with the data in its current state. It considers the sensitivity level of the data in the resource and the presence of access controls to protect that data.
- High-sensitivity data might be present, and there are no column-level access controls to restrict data exposure. Alternatively, moderate or high-sensitivity data is accessible to a wide number of people.
- Moderate-sensitivity data might be present, and there are no column-level access controls to restrict data exposure.
- The sensitivity level of the data is low. Alternatively, access to the data has been further restricted, for example, through column-level access controls.
To calculate sensitivity, Cloud DLP considers the following:
- The likelihood that highly sensitive infoTypes are present.
- Whether the data has an unstructured format and contains mostly freeform text, like comments.
- Whether a table column contains mostly unique values.
- The number of rows in a table.
- The number of null values.
Data risk calculation
To calculate data risk, Cloud DLP considers the following:
- The calculated sensitivity level of the data.
- The presence of access controls that limit access to the data.