Microsoft Purview compliance portal: Data Loss Prevention - Actionable Email Notifications for Enhanced Incident Remediation

🚨 The Signal: Purview DLP now allows end-users to directly remediate policy violations in OneDrive/SharePoint via email. This shifts some data protection actions from security teams to users, potentially speeding incident resolution but increasing user responsibility.

The Impact

End-users gain the ability to remediate DLP incidents themselves, which shifts some security responsibility and risk to them.

  • End-users: New ability to self-remediate DLP incidents, increasing their security responsibility.
  • Security Teams: Potential reduction in low-level DLP incident workload, allowing focus on complex cases.
  • Compliance Teams: Improved incident response times for data loss, aiding compliance reporting.
  • Data Owners: Faster resolution of policy violations on their content, reducing exposure time.

The Action

  1. Review existing Purview DLP policies for OneDrive and SharePoint to determine if actionable notifications are appropriate for your organisation's risk tolerance.
  2. Configure or update DLP policies in the Microsoft Purview compliance portal > Data loss prevention > Policies to enable actionable email notifications for relevant rules.
  3. Develop and deliver targeted user training on how to interpret DLP actionable emails and perform appropriate remediation actions (e.g., stop sharing, apply label, report false positive).
  4. Update incident response playbooks to incorporate end-user self-remediation as a first-line defence for certain DLP incidents.
  5. Monitor DLP incident reports and user remediation actions to assess effectiveness and identify areas for policy refinement or additional user education.

Domain: Purview · Impact: medium · Workload: Microsoft Purview