Cloud Data Loss Prevention (Cloud DLP) is now a part of Sensitive Data Protection. The API name remains the same: Cloud Data Loss Prevention API (DLP API). For information about the services that make up Sensitive Data Protection, see Sensitive Data Protection overview.
Stay organized with collections
Save and categorize content based on your preferences.
This page describes the data risk and sensitivity levels that Sensitive Data Protection
assigns to data profiles. To
understand the data risk levels, it's important to understand the sensitivity
levels first.
Sensitivity level
Sensitivity level is an indication of how sensitive the data in a project,
table, or file store is. Data is sensitive if it contains detected elements,
such as personally identifiable information (PII), financial
data, and credentials.
You can also set the sensitivity of each built-in or custom infoType that you
scan for. The sensitivity of each detected infoType affects the resulting
sensitivity rating of the profiled resource. For information about how to
override the sensitivity of a built-in infoType or set the sensitivity of a
custom infoType,
see Manage infoTypes.
A data profile can have any of the following sensitivity levels:
Sensitive information that is not classified as highly sensitive might be
present. Examples are email addresses and phone numbers, which can be considered
personally identifiable. The data might also include freeform text or
unstructured data, such as comments.
Low
Sensitive information wasn't detected, and the data doesn't include freeform
text or unstructured data.
Unknown
The data couldn't be scanned successfully. It is uncertain if sensitive data exists.
Sensitivity signals
To calculate sensitivity, Sensitive Data Protection considers the following:
Both the default sensitivity of each infoType found along with any user
overrides of the sensitivity.
Whether the data has an unstructured format and contains mostly freeform
text, like comments.
Data risk level
Data risk level is the risk associated with the data in its current state. It
considers the sensitivity level of the data in the resource and the presence of
access controls to protect that data.
High
High-sensitivity data
might be present, and there are no access controls to restrict data
exposure. Alternatively, moderate or high-sensitivity data is widely accessible.
Moderate
Moderate-sensitivity data
might be present, and there are no access controls to restrict data
exposure.
Low
The sensitivity level of the data is low. Alternatively, access to the data
has been further restricted, for example, through access controls.
A profiled data asset can also get a Low data risk level if you enabled
automatic
tagging
and opted to automatically set the data risk of the profiled data assets to
Low.
Unknown
The data couldn't be scanned successfully. It is uncertain if sensitive data exists.
Data risk signals
To calculate data risk, Sensitive Data Protection considers the following:
The calculated sensitivity level of the data.
The presence of access controls that limit access to the data.
Whether discovery is configured to set the data risk level to Low when
automatic tagging is enabled. For more information, see Enable the automatic
tagging in the discovery
configuration.
This option automatically overrides any of the storage-specific formulas.
BigQuery data risk calculation
The following table shows how data risk signals affect
the resulting data risk level that Sensitive Data Protection assigns to profiled
BigQuery resources. The Data risk column shows the resulting data
risk level.
Data sensitivity
Is public
Column policy tag applied
Data risk
Low, moderate, or high
No
Yes
Low
Low, moderate, or high
Yes
Yes
Low
Low
No
No
Low
Moderate
No
No
Moderate
High
No
No
High
Cloud SQL data risk calculation
The following table shows how data risk signals affect
the resulting data risk level that Sensitive Data Protection assigns to profiled
Cloud SQL resources. The Data risk column shows the resulting data risk
level.
Data sensitivity
Requires SSL
Public IP
Data risk
Low
Yes
Yes
Low
Low
Yes
No
Low
Low
No
Yes
Low
Low
No
No
Low
Moderate
Yes
Yes
Moderate
Moderate
Yes
No
Low
Moderate
No
Yes
High
Moderate
No
No
Moderate
High
Yes
Yes
High
High
Yes
No
Moderate
High
No
Yes
High
High
No
No
High
File store data risk calculation
The following table shows how data risk signals affect
the resulting data risk level that Sensitive Data Protection assigns to profiled
file store resources. The Data risk column shows the resulting data risk
level.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-19 UTC."],[],[],null,["# Sensitivity and data risk levels\n\nThis page describes the data risk and sensitivity levels that Sensitive Data Protection\nassigns to [data profiles](/sensitive-data-protection/docs/data-profiles). To\nunderstand the data risk levels, it's important to understand the sensitivity\nlevels first.\n| **Note:** When generating data profiles, Sensitive Data Protection scans for only the infoTypes that you specify in your [inspection template](/sensitive-data-protection/docs/data-profiles#inspection-template). For example, suppose credit card numbers are present in a column. If the `CREDIT_CARD_NUMBER` infoType isn't listed in your inspection template, then the resulting sensitivity and data risk levels for that column don't reflect the presence of credit card numbers.\n\nSensitivity level\n-----------------\n\n*Sensitivity level* is an indication of how sensitive the data in a project,\ntable, or file store is. Data is sensitive if it contains detected elements,\nsuch as personally identifiable information (PII), financial\ndata, and credentials.\n\nYou can also set the sensitivity of each built-in or custom infoType that you\nscan for. The sensitivity of each detected infoType affects the resulting\nsensitivity rating of the profiled resource. For information about how to\noverride the sensitivity of a built-in infoType or set the sensitivity of a\ncustom infoType,\nsee [Manage infoTypes](/sensitive-data-protection/docs/manage-infotypes-console).\n\nA data profile can have any of the following sensitivity levels:\n\nHigh\n: [Highly sensitive information](/sensitive-data-protection/docs/high-sensitivity-infotypes-reference)\n might be present, including credit card numbers and certain national identifiers.\n\nModerate\n: Sensitive information that is not classified as highly sensitive might be\n present. Examples are email addresses and phone numbers, which can be considered\n personally identifiable. The data might also include freeform text or\n unstructured data, such as comments.\n\nLow\n: Sensitive information wasn't detected, and the data doesn't include freeform\n text or unstructured data.\n\nUnknown\n: The data couldn't be scanned successfully. It is uncertain if sensitive data exists.\n\n### Sensitivity signals\n\nTo calculate sensitivity, Sensitive Data Protection considers the following:\n\n- Both the default sensitivity of each infoType found along with any user overrides of the sensitivity.\n- The [likelihood](/sensitive-data-protection/docs/likelihood) that [highly sensitive infoTypes](/sensitive-data-protection/docs/high-sensitivity-infotypes-reference) are present.\n- Whether the data has an unstructured format and contains mostly freeform text, like comments.\n\nData risk level\n---------------\n\n*Data risk level* is the risk associated with the data in its current state. It\nconsiders the sensitivity level of the data in the resource and the presence of\naccess controls to protect that data.\n\nHigh\n: [High-sensitivity data](/sensitive-data-protection/docs/sensitivity-risk-calculation#high-sensitivity)\n might be present, and there are no access controls to restrict data\n exposure. Alternatively, moderate or high-sensitivity data is widely accessible.\n\nModerate\n: [Moderate-sensitivity data](/sensitive-data-protection/docs/sensitivity-risk-calculation#moderate-sensitivity)\n might be present, and there are no access controls to restrict data\n exposure.\n\nLow\n\n: The sensitivity level of the data is low. Alternatively, access to the data\n has been further restricted, for example, through access controls.\n\n A profiled data asset can also get a `Low` data risk level if you [enabled\n automatic\n tagging](/sensitive-data-protection/docs/control-access-based-on-data-sensitivity#enable-automatic-tagging-discovery)\n and opted to automatically set the data risk of the profiled data assets to\n `Low`.\n\nUnknown\n\n: The data couldn't be scanned successfully. It is uncertain if sensitive data exists.\n\n### Data risk signals\n\nTo calculate data risk, Sensitive Data Protection considers the following:\n\n- The calculated sensitivity level of the data.\n- The presence of access controls that limit access to the data.\n- Whether discovery is configured to set the data risk level to `Low` when automatic tagging is enabled. For more information, see [Enable the automatic\n tagging in the discovery\n configuration](/sensitive-data-protection/docs/control-access-based-on-data-sensitivity#enable-automatic-tagging-discovery). This option automatically overrides any of the storage-specific formulas.\n\n### BigQuery data risk calculation\n\nThe following table shows how [data risk signals](#data_risk_calculation) affect\nthe resulting data risk level that Sensitive Data Protection assigns to profiled\nBigQuery resources. The **Data risk** column shows the resulting data\nrisk level.\n\n### Cloud SQL data risk calculation\n\nThe following table shows how [data risk signals](#data_risk_calculation) affect\nthe resulting data risk level that Sensitive Data Protection assigns to profiled\nCloud SQL resources. The **Data risk** column shows the resulting data risk\nlevel.\n\n### File store data risk calculation\n\nThe following table shows how [data risk signals](#data_risk_calculation) affect\nthe resulting data risk level that Sensitive Data Protection assigns to profiled\nfile store resources. The **Data risk** column shows the resulting data risk\nlevel.\n\nWhat's next\n-----------\n\n- Learn about [remediations](/sensitive-data-protection/docs/data-profiles-remediation) you can take to reduce data risk and sensitivity."]]
