Protecting personal data is more crucial than ever, especially with Canadian privacy laws like PIPA and PIPEDA in force. If your business uses Microsoft 365, properly configuring Data Loss Prevention (DLP) policies is the best way to ensure private information never gets into the wrong hands. Let’s walk step-by-step through how to set up these essential protections and keep your organization compliant and secure.
Getting Started: Access the Microsoft Purview Compliance Portal
First things first: sign in to the Microsoft Purview compliance portal with an account that has sufficient permissions (Global or Compliance Administrator are best). Once there, head to Solutions > Data Loss Prevention > Policy on the dashboard to find all your DLP controls in one place.
Step 1: Create a New DLP Policy
- Click “+ Create a policy” in the Data Loss Prevention section.
- Choose a Template:
Microsoft provides ready-made templates designed for compliance:
- US PII Data—covers general Personally Identifiable Information (PII).
- Canada PIPEDA—specifically for Canadian privacy law requirements.
- Custom Policy—for adding coverage unique to PIPA or your organization.
- Select the best fit or create a custom policy, then click Next.
Step 2: Configure Policy Settings
- Name Your Policy: Give it a clear, descriptive name like “DLP Policy for PII, PIPA, and PIPEDA.”
- Decide Where to Apply:
- Exchange email (protects sensitive email content)
- SharePoint sites (files and documents)
- OneDrive accounts (personal storage)
- Microsoft Teams chat (conversations)
You can also select or exclude specific users or groups if needed.
- Customize the Rules:
Modify existing rules or add new ones to detect sensitive data covered under PII, PIPA, and PIPEDA. Tap into Sensitive Information Types to watch for patterns like Social Insurance Numbers, National IDs, email addresses, and more.
- Choose Actions:
- Restrict access to documents
- Block sharing or sending sensitive emails
- Notify users and admins when a violation is detected
- Log every incident for full accountability
- Optionally, require the user to provide a business justification for sharing sensitive info
- Customize Notifications:
Enable email alerts or pop-up warnings (for Outlook, SharePoint, and Teams) to remind users about privacy and data commitments.
Step 3: Policy Mode—Test and Launch
- Test Mode: Before flipping the switch, run your DLP policy in Test Mode. This helps you catch any false alarms or missed risks, so you can fine-tune the settings without disrupting daily work.
- Enforce: Once you’re confident in the results, return to the Compliance Portal and set the policy to Enforce Mode to activate full protections.
Step 4: Monitor and Audit Your DLP Policy
Head back to the DLP dashboard in the Compliance Portal anytime to review when policies are triggered. Reports show you what happened, who was impacted, and which rules kicked in. Use these insights to adjust thresholds, lessen false positives, and keep your policy in top shape.
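The same four steps can be scripted with Security & Compliance PowerShell, which keeps the policy reviewable and repeatable. This is an added example, not part of the original walkthrough; the admin account, the rule name, the external-sharing scope, and the minimum match count of 1 are assumptions to adapt.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module is installed.
# First run (no switch): creates the policy and rule in test mode (Steps 1-3).
# Later run with -Enforce: turns on enforcement once test results are reviewed.
param([switch]$Enforce)

$policyName = 'DLP Policy for PII, PIPA, and PIPEDA'    # name suggested in Step 2
$ruleName   = 'Block external sharing of Canadian SIN'  # hypothetical rule name

# Placeholder account; use one that holds a DLP management role.
Connect-IPPSSession -UserPrincipalName 'admin@example.com'

if (-not $Enforce) {
    # Policy covering the four locations from Step 2, created in test mode
    # so matches are reported and policy tips shown, but nothing is blocked.
    New-DlpCompliancePolicy -Name $policyName `
        -Comment 'Detects Canadian personal identifiers (PIPA/PIPEDA)' `
        -ExchangeLocation All -SharePointLocation All `
        -OneDriveLocation All -TeamsLocation All `
        -Mode TestWithNotifications

    # Rule: match the built-in Canadian SIN sensitive information type in
    # content shared outside the organization (assumed scope), block it,
    # notify the user, allow an override with a business justification,
    # and send an incident report to the admin.
    New-DlpComplianceRule -Name $ruleName -Policy $policyName `
        -ContentContainsSensitiveInformation @{
            Name     = 'Canada Social Insurance Number'
            minCount = '1'
        } `
        -AccessScope NotInOrganization `
        -BlockAccess $true `
        -NotifyUser LastModifier `
        -NotifyAllowOverride WithJustification `
        -GenerateIncidentReport SiteAdmin `
        -IncidentReportContent All
}
else {
    # Step 3, second half: switch from test mode to enforcement.
    Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
}

# Step 4: confirm the current mode and rule state after either run.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, DistributionStatus
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, Disabled, BlockAccess
```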
Summary of Key Settings
- Policy Templates: Use or customize for PII, PIPA, PIPEDA
- Locations: Apply to email, cloud storage, Teams, and SharePoint
- Sensitive Info Types: Watch for PII, financial numbers, and more
- Actions: Block, notify, restrict, and require justifications
- Test Mode: Perfect policies before full rollout
- Monitoring: Regularly review incidents for continual improvement
Extra Protection for Your Business
Staying compliant and preventing data leaks is easier with expert support. At System Support, we help Canadian businesses set up Cyber Security and Managed IT Services for Microsoft 365. Our Unlimited Helpdesk Support ensures your team always has someone to call about privacy, compliance, and technical issues. Need help setting up, tuning, or monitoring your DLP policies? Request a quote today!