Every business owner has a moment of doubt when they share a sensitive file. What happens to that customer list, tax file number, or contract once it lands in someone else’s inbox? Google Drive has two enterprise features designed for exactly that anxiety - and most small businesses are not using them.

Need This Fixed Right Now?

Trusted by 10,000+ small businesses across 50+ countries. We harden Google Workspace tenants every day.

Fix My Issue Now: Worried about a data leak or compromised file share? Get rapid, fixed-price support. Most problems resolved same-day. Get Quick Fix

Audit My Workspace Security: Not sure where you stand? Our team reviews your full Workspace security posture - including DLP, IRM, Shared Drive permissions, MFA, and admin policies - and delivers a clear remediation roadmap. Comprehensive Audit

What Are IRM and DLP in Google Drive? (Quick Answers)

Q: What is DLP in Google Workspace?
A: DLP (Data Loss Prevention) is an admin-side feature that watches for sensitive data leaving your business - credit card numbers, tax file numbers, dates of birth, customer IDs - and automatically blocks, quarantines, or flags the action. You set rules once in the Admin console, and they apply across Drive, Gmail, and Chat.

Q: What is IRM (Information Rights Management) in Google Drive?
A: IRM is the file-level lockdown layer that lets you control what a viewer can do with a document after you share it. Disable downloads, copying, printing, and exporting on a single file or across an entire Shared Drive, so the data stays inside Google’s permission system instead of bouncing around someone’s hard drive.

Q: How do I set up DLP and IRM for my small business?
A: Open the Google Admin console, go to Security → Data protection to build a DLP rule (start with credit cards and personal IDs). Then in Drive → Shared Drive settings, enable the IRM controls at the drive level - blanket “no download, no copy, no print” rules are easier to manage than per-file permissions. Most small businesses can have both running in under an hour.

What DLP Does: Catching Sensitive Data Before It Leaves

Data Loss Prevention is Google’s automated scanner for the kinds of information your business is legally responsible for protecting. You configure it once in the Workspace Admin console under Security → Data protection, and it watches every file save, every email, every chat for patterns that match the data types you care about.

The classic examples are payment card numbers (which trigger PCI-DSS rules), tax file numbers (Australian privacy obligations), passport numbers, dates of birth, and any custom regex you want to define. If someone on your team pastes a credit card into a Chat message or saves a spreadsheet of customer SSNs into Drive, DLP can quarantine the action, alert an administrator, and prevent the data from being shared externally.

For a small business, the practical setup looks like:

  1. Identify the two or three data types you genuinely handle (most businesses overestimate the list)
  2. Build a DLP rule per data type with action set to “warn and log” first - run it for a week to see what triggers
  3. Promote the highest-confidence rules to “block” or “quarantine” once you’re confident the false-positive rate is low

This is more affordable than most owners assume - DLP is included in Google Workspace Business Plus and Enterprise editions.
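The staged rollout above depends on separating high-confidence matches from look-alike digit runs. The following is an added example, not code from Google or from this page: it assumes two detectors (payment cards with a Luhn check, Australian TFNs with the weighted mod-11 check), and the names `scan`, `DETECTORS` and `SAMPLES` are hypothetical.

```python
import re

# Shape-only patterns find candidates; a checksum separates high-confidence
# hits from look-alikes. Illustrative only, not Google's built-in detectors.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
TFN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

def luhn_ok(digits):
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def tfn_ok(digits):
    """Weighted mod-11 checksum for a 9-digit Australian tax file number."""
    return sum(int(c) * w for c, w in zip(digits, TFN_WEIGHTS)) % 11 == 0

DETECTORS = (("payment_card", CARD_RE, luhn_ok), ("au_tfn", TFN_RE, tfn_ok))

def scan(text, enforce=False):
    """Return (data_type, confidence, action, masked) for each candidate."""
    # enforce=False models the "warn and log" trial; enforce=True blocks
    # only the checksum-validated (high-confidence) matches.
    findings = []
    for data_type, pattern, checksum in DETECTORS:
        for match in pattern.finditer(text):
            digits = re.sub(r"\D", "", match.group())
            confidence = "high" if checksum(digits) else "low"
            action = "block" if enforce and confidence == "high" else "warn_and_log"
            masked = "*" * (len(digits) - 4) + digits[-4:]  # never log the full value
            findings.append((data_type, confidence, action, masked))
    return findings

# Constructed sample messages (well-known test numbers, not real data).
SAMPLES = [
    "Customer paid with 4111 1111 1111 1111, exp 12/27",
    "Tracking ref 4111 1111 1111 1112 shipped",
    "New hire TFN 123 456 782 attached",
    "Invoice 123 456 789 overdue",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(scan(line, enforce=True))
```

The tracking reference and the invoice number have the right shape but fail their checksums, so they stay at "warn and log" even after the rule is promoted to block.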

What IRM Does: Locking Down Who Can Copy, Print, or Download

DLP catches sensitive data before it moves. IRM controls what happens to a file once you have intentionally shared it with someone. The two features stack - DLP is the perimeter scanner, IRM is the in-document lock.

The four controls IRM gives you on any Drive file:

  • Disable download - The recipient can view in the browser but not save a local copy
  • Disable copy - No “Make a copy” option, no copy-paste of large chunks into another doc
  • Disable print - No print dialog, no PDF export
  • Disable export - No “Download as .docx” or “Download as .pdf”

These settings live on the file itself, so they travel with it regardless of who shares it onward. If a recipient tries to forward a locked file to a personal Gmail account, the personal account inherits the same restrictions.

The catch: setting these per-file is fine for one-off sensitive shares, but it does not scale. Your team will forget. The better pattern is enforcing IRM at the Shared Drive level so every file inherits the policy by default.

The Smart Way: Set IRM and DLP at the Shared Drive Level

This is the thing the video walks through in detail, and it is where most small businesses get the most value. Instead of trying to remember to lock down individual files, you set a blanket policy on a Shared Drive and every file dropped into that drive inherits it automatically.

The workflow:

  1. Create a Shared Drive named for the data domain (“Customer Records”, “Financial Data”, “Legal & Contracts” - whatever fits your business)
  2. In the Shared Drive settings, set the access level to “Manager” or “Content manager” for the people who need full control
  3. Toggle the IRM controls at the drive level - typically “disable download, copy, print for non-managers”
  4. Add the rest of your team as “Commenter” or “Viewer” - they can see and contribute, but the IRM rules prevent data exfiltration
  5. Train your team to put any sensitive document into the appropriate Shared Drive, never into their personal “My Drive”

This pattern also fixes the bigger problem: when a staff member leaves, their My Drive content disappears with them or becomes a recovery headache. Shared Drives stay with the business. The IRM controls stay with the drive. Continuity and security both improve.
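One way to check that the drive-level policy from the workflow above is actually in place, as an added example that is not from the original page. It assumes an export that merges each Shared Drive's Drive API v3 `restrictions` with its `permissions` list; the export layout, names, addresses and the `APPROVED` list are constructed for illustration.

```python
import json

# Constructed export: each entry merges a Drive API v3 `drives` resource with
# that drive's `permissions` list. Names, addresses and layout are made up.
EXPORT = json.loads("""
[
 {"name": "Customer Records",
  "restrictions": {"copyRequiresWriterPermission": true},
  "permissions": [
    {"emailAddress": "owner@example.com", "role": "organizer"},
    {"emailAddress": "sales@example.com", "role": "commenter"},
    {"emailAddress": "temp@example.com", "role": "writer"}]},
 {"name": "Financial Data",
  "restrictions": {"copyRequiresWriterPermission": false},
  "permissions": [
    {"emailAddress": "owner@example.com", "role": "organizer"},
    {"emailAddress": "bookkeeper@example.com", "role": "reader"}]},
 {"name": "Legal & Contracts",
  "permissions": [
    {"emailAddress": "owner@example.com", "role": "fileOrganizer"}]}
]
""")

# The restriction binds only readers and commenters; these API roles
# (Manager, Content manager, Contributor in the UI) can still download.
UNRESTRICTED_ROLES = {"organizer", "fileOrganizer", "writer"}
APPROVED = {"owner@example.com"}  # assumed list of people meant to have full control

def audit(export, approved=APPROVED):
    """Return {drive name: [findings]} for drives that miss the drive-level policy."""
    report = {}
    for drive in export:
        findings = []
        locked = (drive.get("restrictions") or {}).get("copyRequiresWriterPermission", False)
        if not locked:
            findings.append("download/copy/print not restricted for viewers and commenters")
        for perm in drive.get("permissions", []):
            if perm["role"] in UNRESTRICTED_ROLES and perm["emailAddress"] not in approved:
                findings.append(f"{perm['emailAddress']} ({perm['role']}) can still download, copy and print")
        if findings:
            report[drive["name"]] = findings
    return report
```

The "Customer Records" drive has the restriction switched on, yet it is still flagged because a Contributor outside the approved list is not bound by it.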

Compliance: Why Auditors Care About This

If your business handles personally identifiable information, payment data, health records, or anything covered by GDPR, the Australian Privacy Act, HIPAA, or similar legislation, your auditor will ask how you prevent unauthorised access and copying of regulated data.

“We trust our team not to copy it” is not an acceptable answer. DLP and IRM give you the technical control that maps directly to the question. You can show:

  • Which data types are classified as sensitive in your DLP rules
  • Which Shared Drives have IRM controls enforced
  • An audit log of every DLP trigger event over the last 90 days
  • Per-file activity history showing every view, edit, and access attempt

For small businesses pursuing SOC 2, ISO 27001, IRAP, or a sector-specific compliance posture, this combination is often the cheapest path to demonstrating data-handling controls. The infrastructure is already in your Workspace subscription; you just have to turn it on and document the policy.

Key Takeaways

  • DLP scans for sensitive data (payment cards, tax IDs, personal info) leaving your business and can block, quarantine, or alert based on the action
  • IRM locks down what a recipient can do with a shared file - no downloads, no copies, no prints, no exports
  • The two features stack: DLP is the perimeter scanner, IRM is the in-document lock
  • Set IRM at the Shared Drive level so every file inherits the policy automatically - per-file management does not scale
  • This is often the cheapest path to demonstrating data-handling controls for SOC 2, ISO 27001, GDPR, or sector compliance audits


Full Video Transcript

Hey, want to find out how to enhance Google Drive security with IRM and DLP? Let’s get into it. So Google has released some new things or there’s some old things in here that they’ve added new things to. Workspace has a feature that’s called DLP - data loss prevention - and what it lets you do is set policies and rules that govern the storage and transit of certain types of data, and you can perform actions with that data. For example that data might be personal information, it might be a credit card number, it might be a date of birth, it might be a tax file number. If you’re a business that’s working with any of those kinds of data, you may have some kind of legislation or auditing or compliance requirements to ensure that data is handled properly and it does not accidentally disappear out of your business.

DLP allows you to set a policy inside your Workspace admin and say “Hey, if someone puts a credit card number in plain text in an email, quarantine that email. If someone puts someone’s tax file number in chat, quarantine that chat. Don’t send it.” It will flag things for admins and stop that data being saved in plain text, which protects your business and protects your customers as well.

IRM is the related feature - it allows you to restrict what someone can do with a file once you have shared the file with them. If you have ever shared a file with someone, there’s a thought in the background of your mind: what is this person going to do with my file? You’re not sitting over their shoulder watching them in an office. They could copy the file, print the file, rip off your business, disappear. So it’s important that you protect files when you share them. If you have a Google Shared Drive set up, you can set these policies and say “Hey, who can download, copy, or print files?”

I thought this was available on an individual file level for quite some time, but what this lets you do using Information Rights Management - one of the enterprise features related to DLP - is restrict things for files with certain types of data in them. Let me help you get your head around that. From the top: use DLP rules (data loss prevention) to control what happens with certain kinds of data in your business. IRM for Drive lets you set a policy that then restricts access to what people can do with a file if it has that kind of sensitive data in it.

Good idea? Yes. Great idea. But here’s the context I wanted to share with you. If you have set up Drive correctly - inside your Google Drive you should be using Shared Drives, and we have 10,000 videos on the channel on how to set up and configure Shared Drives - inside a Shared Drive settings you can do the same thing here and basically manage the options for the whole drive and for anyone who has access to that drive.

I prefer this. Look, it does not hurt to set a policy for every one of the files in your business, but I prefer setting it at a drive level and then making sure your staff put every one of their files into Shared Drives. That does not mean it’s necessarily shared with people all over the world - it’s in a particular drive with a particular set of permissions. What this does is mean blanket settings apply right across the drive, doesn’t matter what’s in there, you’ll be able to control these features: downloading, copying, printing. Two ways to do that. Not a bad new feature that Google has released there.

If you liked this video, we have plenty more on the channel covering this topic and much, much more.


Peter Moriarty


Peter Moriarty is the founder and Executive Chairman of itGenius, an international IT consultancy specialising in Google Workspace for small and medium businesses. Since launching itGenius, Peter has grown the company to serve thousands of businesses across Australia and internationally, with a team of over 60 staff. A recognised technology leader, Peter was ranked in Australia's top 10 entrepreneurs under 30 by both SmartCompany and Anthill. He is passionate about making enterprise-grade cloud technology accessible to small businesses and is based in Calpe, Spain.