Privacy Risk Management policies
Privacy Risk Management policies can help you address risk scenarios that are important to your organization. Our policy templates are centered on fostering sound data handling practices. Alerts let admins know when policy matches are detected and might need further investigation. Email notifications and tips in Microsoft Teams help users understand which activities carry privacy risks, allows users to immediately fix issues, and points them to privacy training.
For a quick start, use a template with default settings to create new policies for data overexposure, data transfers, and data minimization and scenarios. You can also customize template settings to create policies that suit your organization's needs.
This article explains the general settings that apply to all policies. To view specific instructions for each policy type, visit the following pages:
Policy template types
Privacy Risk Management has three policy templates designed to help you address key areas of concern around protecting personal data. Each template has default settings that you can accept in the quick setup process, or customize using a guided process. When you create a new policy, your first task will be to choose one of the three templates listed below:
Data overexposure: This policy identifies content items containing personal data that may be too broadly accessible by other people. When matches are found, you can set up notifications prompting content owners to quickly apply protection.
Data transfers: This policy can detect personal data transfers across boundaries that you determine, which could involve transfers outside of your organization, or internal transfers across departments or geographic regions. When matches are found, you can set up notifications encouraging senders to revoke access to the content.
Data minimization: This policy identifies content items containing personal data that have been untouched for long periods of time. When matches are found, you can send notifications to content owners prompting them to take quick action to keep or delete the item.
Quick setup: using a template with default settings
When you create a policy directly from a template, most settings are chosen for you automatically to help you get up and running quickly. Follow these steps to create a policy with default settings using one of our templates:
In the Microsoft Purview compliance portal, find Priva Privacy Risk Management in the left navigation and select Policies.
Select Create a policy at the upper right corner of the screen, which displays a flyout pane listing all policy creation options.
Find the type of policy you want to create and in its card, select Create.
A flyout pane contains policy details. Selecting View settings will show the default settings. You can edit settings from here, which takes you into the guided process outlined below. To continue creating your policy using the default settings, enter a descriptive name, then select Create policy.
Your policy will be created and you'll find it listed on your Policies page.
The policy will start running in test mode, meaning no alerts or notifications will be generated, and you can monitor its performance. When you're ready to turn on your policy, select your policy and edit it to turn in on.
Custom setup: guided process to choose all settings
The custom policy option is a guided process for creating a policy. You'll start by choosing a template, and then walk through each setting to customize your policy. The instructions below give details about basic settings that apply to each of the three policy types. Where the settings differ by policy type, we'll link to specific instructions.
Follow the steps below to create a policy:
In the Microsoft Purview compliance portal, locate Priva Privacy Risk Management in the left navigation. From the drop-down menu, select Policies.
Select Create a policy.
Choose the Custom option to create your policy using the policy creation wizard in Privacy Risk Management.
Choose the type of policy: Data overexposure, Data transfers, or Data minimization.
Give your policy a descriptive name to help you identify it in your list of policies. Provide an optional description, then select Next.
The next steps allow you to define all policy settings. Jump to a setting listed below for more details:
- Data to monitor: Select the type of personal data your policy will monitor.
- Users and groups: Apply your policy to all users or selected users.
- Locations: Apply your policy to selected areas in Microsoft 365.
- Conditions: Set the conditions for your policy. These options vary depending on your policy type.
- Outcomes: Define the outcomes when a policy match is found, such as user email notifications.
- Alerts: Decide the frequency of alerts to admins when a policy match is found.
- Mode: Choose whether test your policy before turning it on.
When all settings are complete, review your choices, make any desired edits, and then select Submit to create the policy.
After a few seconds, you'll see a confirmation that the policy was created. Select Done on the confirmation page, which will take you to the Policies page where you'll see the new policy at the top of the table.
The sections immediately below provide further details about each policy setting.
Choose data to monitor
When creating or editing a policy, we'll ask you to select which types of data the policy should monitor. There are two options:
Classification groups: A searchable list of groupings of sensitive information types; for example, a group based on the Australia Health Records Act, or a group based on US personal data such as a US passport number.
Individual sensitive information types or trainable classifiers: You choose whether to select from among a searchable list of sensitive information types (for example, Social Security numbers or driver's license numbers), or select from among trainable classifiers.
If you select from the existing classification groups, you can't also select individual types or create your own groups. For the most flexibility, choose individual sensitive info types or trainable classifiers. To utilize the most common standards, choose from the classification groups. Learn more about each data type below.
Classification groups are groupings of sensitive information types that are used to detect content related to personal data or specific regulations.
When you select the Classification groups option on the Data to monitor page, select Add classification groups. The Choose classification groups flyout pane appears. From here, you can search for a classification group in the search box. Or you can choose one or more classification groups from the list. After checking the box next to the groups you want, select Add. The flyout pane closes and the groups you chose are listed on the page.
On each classification group's row in the list, select View to display the sensitive information types included in that group. To remove a group from the list, select the trash can icon in its row.
Sensitive information types
By choosing specific sensitive information types, like Social Security numbers or driver’s license information, you can customize your own group or groups of data to look out for. You can select from the complete list of sensitive information types within Privacy Risk Management. Each information type has its own properties.
When you select the Sensitive information types or trainable classifiers option on the Data to monitor page, a selector appears with Default listed as a name for the group of sensitive info types you'll select. Keep or edit this group name.
Then select Add, then choose Sensitive info types. The Sensitive info types flyout pane appears. From here, you can search for a sensitive info type in the search box. Or you can choose one or more sensitive info types from the list. After checking the box next to the sensitive info types you want, select Add. The flyout pane closes and you see your selections listed on the page.
Each sensitive info type has its own properties and recommended settings, which you can discover by selecting the info icon to the right of the confidence drop-down menu after you've added the info type. You can also change the instance count for each sensitive info type. This setting designates the number of unique instances of each sensitive info type you want your policy to detect.
If you create more than one group, the selector lets you choose how the groups should relate (an "and" or "or" relation) and define their order of operations.
Trainable classifiers employ machine learning to automatically classify and identify categories of sensitive content. Learn more about trainable classifiers in Microsoft Purview.
When you select the Sensitive information types or trainable classifiers option on the Data to monitor page, a selector appears on the page with Default listed as a name for the group of trainable classifiers you'll select. Keep or edit this group name.
Then select Add, then choose Trainable classifiers. The Trainable classifiers flyout pane appears. From here, you can search for a trainable classifier by name in the search box. Or you can choose one or more classifiers from the list. If your organization has created its own custom trainable classifiers, those classifiers are available to select. After checking the box next to the classifiers you want, select Add. The flyout pane closes and you see the classifier name listed on the page. You can continue adding more classifiers.
A group can contain both sensitive information types and trainable classifiers.
When a trainable classifier is detected by a Privacy Risk Management policy, the match is considered one match because the detection is on a per-item basis. In contrast, each instance of a sensitive info type within an item is considered a match (learn more about how personal data is discovered and visualized in Priva).
For example, one item might be detected by a trainable classifier as a bank statement. Within that item, there might be five instances of a sensitive info type. In total, that item would account for six matches by the policy: one match representing the trainable classifier, and five matches representing the sensitive info type instances.
There is a limitation to the alert threshold that can be chosen when monitoring by trainable classifiers. Get details below at Alert frequency and thresholds.
Choose users and groups
You have two options for deciding which users a policy will cover: all users and groups, or specific users and groups.
All users and groups: This option will apply the policy to all users and Office 365 Groups in your organization.
Specific users or groups: This option allows you to select individual users, individual Office 365 Groups, or a mix of both.
- To choose users: Select Choose users and on the flyout pane, search for a user by entering an email address in the search box. Or find the user from the list and select the checkbox to the left of their name. You can select up to 100 users. When done, select Add.
- To choose groups: Select Choose groups and on the flyout pane, select the checkbox to the left of each group name. You can select up to ten groups. When done, select Add.
After designating users and groups, select Next to advance to the next step.
In this step, you'll designate where in your Microsoft 365 environment you want the policy to look for personal data matches. The location options will depend on the policy type, and you can select more than one. Each of the locations is explained below.
Exchange: The policy will identify matches in users' Exchange accounts, which include content in the body of emails and in attachments sent or received by Exchange mailboxes.
OneDrive: The policy will identify matches in files stored in users' OneDrive for Business account.
Teams: The policy will identify matches in users' messages in Teams channels and chats.
SharePoint: The policy will identify matches in files stored in users' SharePoint sites. When you select this option, you'll choose between the following options:
All SharePoint sites: this selection will cover all sites for all users in your organization.
Specific SharePoint sites: this selection asks you to designate specific sites for the policy to apply to. You can enter the URL of a specific site directly in the URL box, then select the + sign to add it to your list of sites. You can also select Choose sites, and from the flyout pane, search for and select from the list of sites you have access to. Check the box that appears when you hover over the site you want to select. After making your selections, select Add. All your chosen sites will be listed at the bottom of the Locations page.
If you need help identifying the SharePoint sites in your organization, visit Manage sites in the SharePoint admin center.
After you finish designating locations, select Next.
The conditions for detecting policy matches differ based on the policy template.
- Data overexposure: Refer to the conditions step in the data exposure policy custom setup instructions.
- Data transfers: Refer to the conditions step in the data transfers policy custom setup instructions.
- Data minimization: Refer to the conditions step in the data minimization policy custom setup instructions.
Define outcomes: user email notifications and tips
The Outcomes page of the policy creation wizard is where you can choose to send an email notification to users when they perform an action that matches a policy's conditions. When you select the option to send email notifications, you'll set a frequency for how often a user would receive an email:
- Daily: One email that aggregates a user's actions on one day, sent within 2 days of the actions.
- Weekly: One email that aggregates a user's actions in one week; you select which day of the week the email is sent.
- Monthly: One email that aggregates a user's actions in a month; you select which date of every month the email is sent.
Select Preview and edit notification email to see a preview of the email. From here you can customize the email's content and insert the required privacy URL training link. You also have the option to change the sender email from the default Microsoft email address to one of your organization's email addresses. Get details about email settings and customization.
Data transfer policies have another option to show tips to users in Teams when their actions generate a policy match. These tips will include links to privacy training, which you provide, and include mechanisms for remediating potential risks.
These notifications can be useful opportunities to prevent issues from escalating, and to build users' skills and confidence in adopting safe data handling practices.
User notifications in email and Teams are not available to US Government Community (GCC) Moderate, GCC High, or Department of Defense (DoD) customers.
Alerts help admins know when a user event matches a policy's conditions. You control how often alerts are generated, the threshold that must be reached before an alert is generated, and the alert's severity. Alerts are displayed on the Alerts card on the Policies page. Learn more about viewing, investigating, and remediating alerts.
Turn on alerts
You can turn on alerts when you first create a policy, or edit the policy later to turn them on. On the Alerts page of the policy creation wizard, set the Create alerts toggle switch to the On position.
Alert frequency and thresholds
After turning on alerts, decide how often they'll be generated by choosing one of the following three options:
- Alert each time when a policy match occurs: Selecting this option could yield a high number of alerts.
- Alert when a specific threshold is reached: You'll set thresholds based on the number and frequency of user events detected.
- Alert when one of the conditions below is met: Our recommended setting, this choice can help ensure that your alerts are more relevant and thus easier to act upon. If you select this option, you'll choose one of three types of thresholds for alerts:
- High volume of personal data: Designate the number of instances of personal data that will cause the alert. Remember that one content item, such as an Excel file or an email, could contain one or many instances of personal data.
- Personal data items covered by regulations: This option displays your choice from the Data to monitor step. From here, you can add or remove data groups based on regulations.
- High-risk users with outstanding remediations: This option is viable if you chose to send notification emails in the Outcomes step. Here you'll designate the number of outstanding remediations by any user within a certain timeframe. For example, if you designate 25 remediations in the last 72 hours, this means an alert will fire if a user has more than 25 outstanding issues they've been notified about but haven't acted on within the last 72 hours.
The High volume of personal data option isn't available for any trainable classifiers that are chosen as data to monitor. This is because trainable classifier detections are counted on a per-item basis as a single match. See the Trainable classifiers section above.
Alert severity level
Select a severity level of Low, Medium, or High. We suggest your organization define what each level represents for you.
To change a policy's alert frequency after you've turned on alerts, follow these steps:
- Open the details page of the policy whose alerts you want to modify.
- Select Edit in the upper right corner of the page.
- Select the Next button until you advance to the Alerts step.
- Make desired changes to alert frequency or threshold, then select Next.
- Select Next until you come to the Review and finish stage, then select Submit to save your changes.
You can also use this process to turn off alerts for a policy. At step 4 above, toggle the Create alerts switch to the Off position.
Testing a policy
In the Decide policy mode step, you can choose whether to start the policy in test mode or turn in on right away. Staring a policy in test mode means that once the policy is created:
No alerts will be generated. However, you'll see insights on the policy's details page when matches are detected, including the types of data detected and their locations.
No user email notifications will be sent when policy matches are detected. However, you'll see insights on the policy's details page showing which users are associated to policy matches.
Test mode allows you to look for matches from the last 30 days of user activity. Using these insights, you can gauge the policy’s behavior and review the types of alerts that may be generated when the policy is on.
We recommend testing your policy for at least five days to help you understand the type and volume of matches it will generate. You can edit the policy while it's in test mode so that you can monitor how the changes affect its performance before turning it on. For example, you may find that the policy is too broad and its conditions need adjusting. Or you may realize based on activity it detects that alerts won't be generated in a time frame that's useful to you.
The policy's details page indicates how many days the test has been running. You'll see how many matches have been found by location, how many user events matching the policy's conditions have been detected, and the personal data types that have detected by policy matches. When you're satisfied with your policy's settings, you can turn on the policy.
Turn on a policy
You can set a policy to turn on as soon as you finish creating it. This isn't recommended, as it's best to monitor performance and settings by putting the policy in test mode before you turn it on (see Testing a policy).
If you've created your policy in test mode, you can quickly turn it on by following these steps:
- From your Policies page, find the policy and select its name to open its details page.
- In the Policy status card, select Turn on policy.
The policy will now be active and will generate any alerts and user notifications you set up.
Turn off a policy
You can turn off a policy at anytime by selecting Turn off policy at the upper-right corner of a policy's details page. When a policy is off, it won't detect matches or generate alerts or email notifications. Turning off a policy won't delete a policy. You can turn a policy back on by selecting Turn on policy at the upper-right corner of the policy details page.
View details and activity from the policy details page
Each policy has a details page showing activities detected by the policy and insights to help you address risks.
After your policy has been created, select its name in the table on the main Policies page. The Overview tab of the policy details page tells you the status of your policy, provides insights into your data, and highlights policy matches. Here you can view details about specific policy matches and learn more about next steps. If your policy's running in test mode, you'll see recommended next steps on this page and a button to turn on the policy.
When the policy's on, you can continue to review its policy details page to see ongoing insights on problem areas, alert severity and trends, and corrective actions taken.
On the Overview tab of the policy details page, you'll find details about what the policy's detecting with respect to types and locations of data and user activity. The insights on the policy's details page are described below. After you turn on a policy, it can take up to 48 hours for data to come through.
The policy status card will indicate whether your policy is in one of three states: Testing, On, or Off.
Testing: This section shows the number of days your policy has been in test mode, which means it's looking for policy matches based on the conditions you set but isn't generating alerts or user notifications. We'll provide a recommendation when it's a good time to turn on your policy. You can turn it on anytime by selecting the Turn on policy button on this card.
On: When your policy is on, the status card displays metrics that highlight when corrective action has occurred after a policy matches generate alerts and user notifications.
User actions taken: This metric shows the number of remediation actions taken by users when prompted from a notification email out of the total number of notifications sent. For example, 8/10 would represent that out of 10 user notifications sent, users performed a remediation action in 8 instances.
User resolution rate: This metric is rate at which remediation actions are taken by users based on the number of notifications generated. If the percentage is low, you may want to edit the email content, or closely examine the matches to determine if the policy's detecting the intended activity.
Admin actions taken: This metric shows the number of remediation actions taken by admins when an alert is generated by the policy. Learn more about how to take actions on alerts.
Admin resolution rate: This metric is rate at which remediation actions are taken by admins based on the number of alerts.
Matches by location
The Matches by location card displays the number of content items detected by the policy according to Microsoft 365 location.
The User notifications card displays a bar graph showing the number of user notification emails that have been generated by the policy if you have those capabilities turned on.
Matches by user
The Matches by user card lists the top users whose actions have triggered a policy match. You'll see the number of events detected by the policy for each user, along with the number of remediation actions taken from email notifications. Select View all users on this card to review the complete list of users detected by the policy.
Matches by data type
The Matches by data type card displays the types of personal data detected by policy matches, and the amount of each type. The pie chart helps visually demonstrate whether a certain type of personal data, for example Social Security numbers or credit card numbers, is predominantly represented in the risk scenarios you're trying to identify.
When taking a holistic look at the locations, types of data, and number of users involved in policy matches, you may get a better sense as to the types of training and data protection measures needed to help your organization secure the personal data it stores.
Matched items tab
The Matched items tab displays a list of all the content items matching a condition set forth in the policy. From this view, you can select an item from its row to preview it in the window to the right of the item list.
In the preview window, you'll find the following tabs that provide details about each item:
- Source: Displays the personal data that triggered the match.
- Details: Displays the content owner (user in your organization) for the item, the Microsoft 365 location of the item, the number of personal data types within the item, and the specific personal data types.
- File activities: Displays any label or classification applied to the item.
- Remediation history: Displays information about remediation actions taken by users or admins on the item.
Edit a policy
You can edit the settings for a policy at any time, whether in test mode or turned on. You can update most policy settings, including putting a policy back into test mode after you've turned it on. The only settings you can't edit are the policy template and the policy name.
To edit a policy, follow the steps below:
In the Microsoft Purview compliance portal, locate Priva Privacy Risk Management in the left navigation. From the dropdown menu, select Policies.
Select the policy you want to edit from its row on the Policies page, which brings up that policy's details page.
On the policy details page, select Edit in the upper right corner of the page. This action takes you into the policy creation wizard.
Proceed through the steps to get to the settings you wish to change. You can edit all settings except for policy template and policy name. Select Next to advance to each next step.
On the Finish page, review your settings, and then select Submit to save the changes you made.
Delete a policy
If you need to remove an existing Privacy Risk Management policy, find it in the list on the Policies page, select the action menu (vertical ellipses), and choose the Delete policy action. You can also open the policy's details page and select Delete in the upper-right corner.
You'll be asked to confirm your choice before the deletion is final and the policy is permanently removed. Deleting a policy won't affect any files previously evaluated by the policy, and issues and alerts generated by the policy will still be listed on the Alerts and Issues pages.
Once your policy is turned on and starts generating alerts, you'll want to start understanding what risks they may present to your organization. Learn how to manage alerts, investigate events, and take remediation actions in Privacy Risk Management by visiting Investigate and remediate alerts.