Sensitivity and data risk levels

This page describes the data risk and sensitivity levels that Sensitive Data Protection assigns to data profiles. To understand the data risk levels, it's important to understand the sensitivity levels first.

Sensitivity level

Sensitivity level is an indication of how sensitive the data in a project, table, or file store is. Data is sensitive if it contains detected elements, such as personally identifiable information (PII), financial data, and credentials.

A data profile can have any of the following sensitivity levels:

High
Highly sensitive personal information might be present, including credit card numbers and certain national identifiers.
Moderate
Sensitive information that is not classified as highly sensitive might be present. Examples are email addresses and phone numbers, which can be considered personally identifiable. The data might also include freeform text or unstructured data, such as comments.
Low
Sensitive information wasn't detected, and the data doesn't include freeform text or unstructured data.
Unknown
The data couldn't be scanned successfully. It is uncertain if sensitive data exists.

Sensitivity signals

To calculate sensitivity, Sensitive Data Protection considers the following:

Data risk level

Data risk level is the risk associated with the data in its current state. It considers the sensitivity level of the data in the resource and the presence of access controls to protect that data.

High
High-sensitivity data might be present, and there are no access controls to restrict data exposure. Alternatively, moderate or high-sensitivity data is widely accessible.
Moderate
Moderate-sensitivity data might be present, and there are no access controls to restrict data exposure.
Low

The sensitivity level of the data is low. Alternatively, access to the data has been further restricted, for example, through access controls.

A profiled data asset can also get a Low data risk level if you enabled automatic tagging and opted to automatically set the data risk of the profiled data assets to Low.

Unknown

The data couldn't be scanned successfully. It is uncertain if sensitive data exists.

Data risk signals

To calculate data risk, Sensitive Data Protection considers the following:

  • The calculated sensitivity level of the data.
  • The presence of access controls that limit access to the data.
  • Whether discovery is configured to set the data risk level to Low when automatic tagging is enabled. For more information, see Enable the automatic tagging in the discovery configuration. This option automatically overrides any of the storage-specific formulas.

BigQuery data risk calculation

The following table shows how data risk signals affect the resulting data risk level that Sensitive Data Protection assigns to profiled BigQuery resources. The Data risk column shows the resulting data risk level.

| Data sensitivity | Is public | Column policy tag applied | Data risk |
|---|---|---|---|
| Low, moderate, or high | No | Yes | Low |
| Low, moderate, or high | Yes | Yes | Low |
| Low | No | No | Low |
| Moderate | No | No | Moderate |
| High | No | No | High |

Cloud SQL data risk calculation

The following table shows how data risk signals affect the resulting data risk level that Sensitive Data Protection assigns to profiled Cloud SQL resources. The Data risk column shows the resulting data risk level.

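| Data sensitivity | Requires SSL | Public IP | Data risk |
|---|---|---|---|
| Low | Yes | Yes | Low |
| Low | Yes | No | Low |
| Low | No | Yes | Low |
| Low | No | No | Low |
| Moderate | Yes | Yes | Moderate |
| Moderate | Yes | No | Low |
| Moderate | No | Yes | High |
| Moderate | No | No | Moderate |
| High | Yes | Yes | High |
| High | Yes | No | Moderate |
| High | No | Yes | High |
| High | No | No | High |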
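
The Cloud SQL table can be used for remediation planning as well as classification. The following added example (not code from Sensitive Data Protection) transcribes the table above and lists which hardening changes, alone or combined, lower an instance's data risk; the instance names and inventory are constructed, and it assumes the automatic-tagging override is not enabled.

```python
from itertools import product

# Rows transcribed from the Cloud SQL table on this page:
# (data sensitivity, requires SSL, public IP) -> data risk
CLOUD_SQL_RISK = {
    ("Low", True, True): "Low",            ("Low", True, False): "Low",
    ("Low", False, True): "Low",           ("Low", False, False): "Low",
    ("Moderate", True, True): "Moderate",  ("Moderate", True, False): "Low",
    ("Moderate", False, True): "High",     ("Moderate", False, False): "Moderate",
    ("High", True, True): "High",          ("High", True, False): "Moderate",
    ("High", False, True): "High",         ("High", False, False): "High",
}
RANK = {"Low": 0, "Moderate": 1, "High": 2}

def remediation_options(sensitivity, requires_ssl, public_ip):
    """Return (current risk, [(changes, resulting risk), ...]) for hardening
    changes that lower the tabulated risk; best outcome, fewest changes first."""
    current = CLOUD_SQL_RISK.get((sensitivity, requires_ssl, public_ip))
    if current is None:  # combination not listed in the page's table
        return None, []
    options = []
    # Hardening only: SSL may be turned on, a public IP may be removed.
    for ssl, ip in product({requires_ssl, True}, {public_ip, False}):
        changes = tuple(label for label, changed in (
            ("require SSL", ssl != requires_ssl),
            ("remove public IP", ip != public_ip)) if changed)
        risk = CLOUD_SQL_RISK[(sensitivity, ssl, ip)]
        if changes and RANK[risk] < RANK[current]:
            options.append((changes, risk))
    options.sort(key=lambda o: (RANK[o[1]], len(o[0]), o[0]))
    return current, options

# Constructed inventory; instance names are hypothetical.
INVENTORY = [
    ("wiki-db", "Low", False, True),
    ("orders-db", "High", False, True),
    ("crm-db", "Moderate", False, True),
]

def triage(inventory):
    """Order instances by current risk, highest first, with their options."""
    rows = [(name, *remediation_options(s, ssl, ip)) for name, s, ssl, ip in inventory]
    return sorted(rows, key=lambda r: -RANK.get(r[1], -1))

if __name__ == "__main__":
    for name, risk, options in triage(INVENTORY):
        print(name, risk, options or "no change lowers the tabulated risk")
```

For high-sensitivity data without SSL and with a public IP, neither change lowers the level on its own; only both together move it to Moderate.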

File store data risk calculation

The following table shows how data risk signals affect the resulting data risk level that Sensitive Data Protection assigns to profiled file store resources. The Data risk column shows the resulting data risk level.

| Data sensitivity | Could contain public files | Data risk |
|---|---|---|
| Low | No | Low |
| Low | Inconclusive resourceVisibility | Low |
| Low | Yes | Low |
| Moderate | No | Low |
| Moderate | Inconclusive resourceVisibility | Moderate |
| Moderate | Yes | High |
| High | No | Moderate |
| High | Inconclusive resourceVisibility | High |
| High | Yes | High |
| Unknown | No | Unknown |
| Unknown | Inconclusive resourceVisibility | Unknown |
| Unknown | Yes | Unknown |

What's next

  • Learn about remediations you can take to reduce data risk and sensitivity.