Cloud Data Loss Prevention (Cloud DLP) is now a part of Sensitive Data Protection. The API name remains the same: Cloud Data Loss Prevention API (DLP API). For information about the services that make up Sensitive Data Protection, see Sensitive Data Protection overview.
This page describes the steps you can take to remediate findings from data profiles.
High data risk
Data assets with high data risk have evidence of sensitive information
without additional protections. To lower the data risk score, consider doing the
following:
- For BigQuery columns that contain sensitive data, apply a BigQuery policy tag to restrict access to accounts with specific access rights.
  Before you make this change, make sure your service agent has the permissions
  required to profile tables with column-level restrictions. Otherwise,
  Sensitive Data Protection shows an error. For more information, see Troubleshoot issues with the data profiler.
- De-identify the raw sensitive data using de-identification techniques like masking and tokenization.
- Enable automatic tagging and opt to automatically set the data risk of the profiled data assets to Low.
- If the high-risk data is not needed, consider removing it.
High free-text score
A column with a high free-text score,
especially one that has evidence of multiple infoTypes (like PHONE_NUMBER, US_SOCIAL_SECURITY_NUMBER, and DATE_OF_BIRTH), might contain
unstructured data and instances of personally identifiable
information (PII). This column can be a note or comment field. Freeform text
presents a potential risk. For example, in such fields, someone might enter
"Customer was born on January 1, 1985".
Sensitive Data Protection is built to handle unstructured data. To
better understand this kind of data, consider doing the following:
- For BigQuery and Cloud Storage data, you can identify the
  exact locations of the PII by running an on-demand
  inspection on the
  BigQuery table or Cloud Storage bucket.
- De-identify the raw sensitive data using techniques like masking and tokenization.
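The two steps above for a free-text column, written as DLP API v2 REST request bodies. This is an added example, not part of the original page or Google's samples. The project, dataset, table, column and key names are placeholders supplied by the caller, TOKEN is an arbitrary surrogate name, and deterministic encryption is one tokenization option chosen here for illustration.

```python
# Added example: request bodies in the DLP API v2 REST (JSON) shape.
# All resource names passed in by the caller are placeholders.
INFO_TYPES = ["PHONE_NUMBER", "US_SOCIAL_SECURITY_NUMBER", "DATE_OF_BIRTH"]


def inspect_job_body(project, dataset, table, text_column, key_column, findings_table):
    """Body for projects.locations.dlpJobs.create: inspect one free-text column."""
    return {"inspectJob": {
        "storageConfig": {"bigQueryOptions": {
            "tableReference": {"projectId": project, "datasetId": dataset,
                               "tableId": table},
            # Scan only the free-text column instead of the whole table.
            "includedFields": [{"name": text_column}],
            # Row key reported with each finding, so a hit maps back to a row.
            "identifyingFields": [{"name": key_column}],
        }},
        "inspectConfig": {
            "infoTypes": [{"name": name} for name in INFO_TYPES],
            "minLikelihood": "POSSIBLE",
            # Do not copy the matched PII into the findings table.
            "includeQuote": False,
        },
        "actions": [{"saveFindings": {"outputConfig": {"table": {
            "projectId": project, "datasetId": dataset,
            "tableId": findings_table}}}}],
    }}


def deidentify_config(wrapped_key_b64, kms_key_name):
    """deidentifyConfig: mask SSNs, tokenize phone numbers and birth dates."""
    return {"infoTypeTransformations": {"transformations": [
        {"infoTypes": [{"name": "US_SOCIAL_SECURITY_NUMBER"}],
         "primitiveTransformation": {
             "characterMaskConfig": {"maskingCharacter": "#"}}},
        {"infoTypes": [{"name": "PHONE_NUMBER"}, {"name": "DATE_OF_BIRTH"}],
         "primitiveTransformation": {"cryptoDeterministicConfig": {
             "cryptoKey": {"kmsWrapped": {"wrappedKey": wrapped_key_b64,
                                          "cryptoKeyName": kms_key_name}},
             "surrogateInfoType": {"name": "TOKEN"}}}},
    ]}}


def untransformed(job_body, config):
    """InfoTypes the job inspects for that no transformation would change."""
    inspected = {t["name"] for t in job_body["inspectJob"]["inspectConfig"]["infoTypes"]}
    covered = set()
    for tr in config["infoTypeTransformations"]["transformations"]:
        if not tr.get("infoTypes"):      # empty list applies to every infoType
            return set()
        covered |= {t["name"] for t in tr["infoTypes"]}
    return inspected - covered
```

A non-empty result from untransformed() means the inspection can report an infoType that the de-identification config would leave in the column as raw text.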
Note: If you delete a column from a table and that table is reprofiled, no column data profile is generated for the deleted column. If you want to keep a history of past data profiles (for example, for auditing purposes), configure the profiler to export data profiles to BigQuery.
What's next
- Learn about how Sensitive Data Protection calculates the data risk and sensitivity levels of your data assets.
- Learn about how tokenization makes data usable without sacrificing privacy (https://cloud.google.com/blog/products/identity-security/take-charge-of-your-data-how-tokenization-makes-data-usable-without-sacrificing-privacy).
- Learn about how Forrester named Google Cloud a leader in unstructured data security platforms (https://cloud.google.com/blog/products/identity-security/google-a-leader-in-unstructured-data-security-platforms).
Last updated 2025-09-04 UTC.