Cloud Data Loss Prevention (Cloud DLP) is now a part of Sensitive Data Protection. The API name remains the same: Cloud Data Loss Prevention API (DLP API). For information about the services that make up Sensitive Data Protection, see Sensitive Data Protection overview.
Stay organized with collections
Save and categorize content based on your preferences.
This page describes the steps you can take to remediate findings from data profiles.
High data risk
Data assets with high data risk have evidence of sensitive information
without additional protections. To lower the data risk score, consider doing the
following:
For BigQuery columns that contain sensitive data, apply a
BigQuery policy tag
to restrict access to accounts with specific access rights.
Before you make this change, make sure your service agent has the permissions
required to profile tables with column-level restrictions. Otherwise,
Sensitive Data Protection shows an error. For more information, see
Troubleshoot issues with the data profiler.
De-identify the raw sensitive data using de-identification techniques like
masking and tokenization.
Enable
automatic tagging
and opt to automatically set the data risk of the profiled data assets to
Low.
If the high-risk data is not needed, consider removing it.
High free-text score
A column with a high free-text score,
especially one that has evidence of multiple infoTypes (like
PHONE_NUMBER, US_SOCIAL_SECURITY_NUMBER, and DATE_OF_BIRTH), might contain
unstructured data and instances of personally identifiable
information (PII). This column can be a note or comment field. Freeform text
presents a potential risk. For example, in such fields, someone might enter
"Customer was born on January 1, 1985".
Sensitive Data Protection is built to handle unstructured data. To
better understand this kind of data, consider doing the following:
For BigQuery and Cloud Storage data, you can identify the
exact locations of the PII by running an on-demand
inspection on the
BigQuery table or Cloud Storage bucket.
De-identify the raw sensitive data using techniques like masking
and tokenization.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[],[],null,["# Remediate findings from the data profiler\n\nThis page describes the steps you can take to remediate [findings](/sensitive-data-protection/docs/sensitivity-risk-calculation) from data profiles.\n\nHigh data risk\n--------------\n\nData assets with high data risk have evidence of sensitive information\nwithout additional protections. To lower the data risk score, consider doing the\nfollowing:\n\n- For BigQuery columns that contain sensitive data, apply a\n [BigQuery policy tag](/bigquery/docs/best-practices-policy-tags)\n to restrict access to accounts with specific access rights.\n\n Before you make this change, make sure your service agent has the permissions\n required to profile tables with column-level restrictions. Otherwise,\n Sensitive Data Protection shows an error. For more information, see\n [Troubleshoot issues with the data profiler](/sensitive-data-protection/docs/troubleshoot-data-profiles#policy-tags).\n- De-identify the raw sensitive data using de-identification techniques like\n [masking](/sensitive-data-protection/docs/deidentify-sensitive-data#charactermaskconfig) and [tokenization](/sensitive-data-protection/docs/pseudonymization).\n\n- [Enable\n automatic tagging](/sensitive-data-protection/docs/control-access-based-on-data-sensitivity#enable-automatic-tagging-discovery)\n and opt to automatically set the data risk of the profiled data assets to\n `Low`.\n\n- If the high-risk data is not needed, consider removing it.\n\n \u003cbr /\u003e\n\n | **Note:** If you delete a column from a table and that table is reprofiled, no [column data profile](/sensitive-data-protection/docs/metrics-reference#column-data-profile) is generated for the deleted column. If you want to keep a history of past data profiles---for example, for auditing purposes---[configure the profiler to export\n | data profiles to BigQuery](/sensitive-data-protection/docs/profile-org-folder#save-to-bq).\n\n \u003cbr /\u003e\n\nHigh free-text score\n--------------------\n\nA column with a high [free-text score](/sensitive-data-protection/docs/metrics-reference#free-text-score),\nespecially one that has evidence of multiple infoTypes (like\n`PHONE_NUMBER`, `US_SOCIAL_SECURITY_NUMBER`, and `DATE_OF_BIRTH`), might contain\nunstructured data and instances of personally identifiable\ninformation (PII). This column can be a note or comment field. Freeform text\npresents a potential risk. For example, in such fields, someone might enter\n\"Customer was born on January 1, 1985\".\n\nSensitive Data Protection is built to handle unstructured data. To\nbetter understand this kind of data, consider doing the following:\n\n- For BigQuery and Cloud Storage data, you can identify the\n exact locations of the PII by running an [on-demand\n inspection](/sensitive-data-protection/docs/inspecting-storage) on the\n BigQuery table or Cloud Storage bucket.\n\n- De-identify the raw sensitive data using techniques like [masking](/sensitive-data-protection/docs/deidentify-sensitive-data#charactermaskconfig)\n and [tokenization](/sensitive-data-protection/docs/pseudonymization).\n\nWhat's next\n-----------\n\n- Learn about how Sensitive Data Protection [calculates the data risk and\n sensitivity levels of your data assets](/sensitive-data-protection/docs/sensitivity-risk-calculation).\n\n- Learn about how [tokenization makes data usable without sacrificing privacy](https://cloud.google.com/blog/products/identity-security/take-charge-of-your-data-how-tokenization-makes-data-usable-without-sacrificing-privacy).\n\n- Learn about how\n [Forrester named Google Cloud a leader in unstructured data security platforms](https://cloud.google.com/blog/products/identity-security/google-a-leader-in-unstructured-data-security-platforms)."]]
