Let me channel my inner Picasso and paint you a picture.
Your HR Manager is updating a salary spreadsheet. He finishes, hits send, and attaches the file to an email addressed to the department head.
Except.
Outlook’s autocomplete had other ideas, and the file has just landed in the inbox of someone with the same first name in a completely different company. You know the pain.
By the time anyone realises, the damage is done.
Now imagine the same scenario with the right controls in place. Same HR Manager, same email. But before it leaves the organisation, Microsoft Purview flags it. A policy tip appears on screen:
*“This file appears to contain sensitive personal data. Are you sure you want to send this externally?”*
He pauses, checks… “Externally!? Blimey!” He catches the mistake, and no one is writing an incident report this afternoon.
That’s the difference between hoping for the best and actually having the right systems in place.
When most people think about data breaches, they picture a sophisticated cyberattack: a threat actor tunnelling through your firewall at 3am on a Sunday. The reality, at least in the UK, is far more mundane.
According to the ICO’s own data security incident trends, the most commonly reported breach type in the UK is data emailed to the wrong recipient. In 2024, UK public sector organisations alone reported more than 2,400 suspected data breaches. The majority of issues are caused by fundamental mistakes: misdirected emails, files shared with incorrect permissions, and personal data sent without adequate protection.
This isn’t a people problem. Naturally, people make mistakes, and they always will. But no amount of training will help with that.
If you can do as much as you can with technical controls to prevent these issues, you should. And this is precisely the problem that Microsoft Purview is built to address.
This is the way I see it, from a non-technical perspective. As a business, you must secure the user, secure the device, and secure the data.
This is how it looks, with the tools in place:
If you’ve been following my blogs, you’ll know we’ve covered a number of these topics:
In each of those articles, I referenced Microsoft Purview as the next piece of the puzzle, the “secure the data” pillar of the Zero Trust framework.
This is that article.
Microsoft Purview is the compliance, data governance, and information protection platform built into Microsoft 365. It’s not a separate product you need to buy and bolt on. If your organisation is already using Microsoft 365, Purview is already there.
Two capabilities sit at the heart of what we’re discussing today:
Used together, they form an automated, auditable defence against the kind of accidental data exposure that ends up in a breach report. There are more tools within Purview, but I do need to keep this article to a certain length, and I will cover these in future articles.
Think of a sensitivity label as a persistent tag that travels with a document or email wherever it goes. Not just inside your Microsoft 365 environment but after it leaves as well. If someone downloads a labelled file and emails it from a personal account, the label and its protections go with it.
Sensitivity labels in Microsoft Purview can be applied manually by users, recommended by the system, or applied automatically based on the content of a document. A typical label hierarchy looks something like this:
Once a label is applied, it can:
The critical point is that classification is persistent and portable. A document labelled “Highly Confidential” doesn’t lose that label when it’s downloaded to a laptop, attached to an email, or saved to a USB drive. The protection follows the file.
If sensitivity labels give your data an identity, DLP is the enforcement layer that decides what happens based on that identity.
Microsoft Purview Data Loss Prevention scans content across your Microsoft 365 environment, including email, SharePoint, OneDrive, Teams and, where the devices are enrolled into Microsoft Intune, Windows endpoints, and applies rules when sensitive content is detected.
Purview ships with hundreds of built-in Sensitive Information Types (SITs): it already understands what a UK National Insurance number looks like, what an NHS number is, how to recognise a credit card or passport number. You can also define custom types for your specific data.
When a DLP policy triggers, it can:
DLP works across Exchange email, SharePoint, OneDrive, Teams messages and, critically, Windows endpoints. That means DLP can prevent sensitive files from being copied to a USB drive, printed, or uploaded to an unapproved website, at the device level, in real time.
The real power comes when you use both. Sensitivity labels tell DLP what something is. DLP decides what happens to it.
A document labelled “Highly Confidential — Patient Data” automatically inherits DLP policies that block external email sharing, prevent upload to personal cloud storage, and alert your compliance officer if someone attempts to move it. You define the rules once. The protection is automatic, consistent, and fully auditable.
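As an added example (not from the original post, and not Microsoft's own sample code), here is what the pieces above look like when built in Security & Compliance PowerShell: a label with encryption, the policy that publishes it, and a DLP rule that keys on that label plus a built-in Sensitive Information Type to catch the misdirected-email scenario from the opening. The cmdlets (`New-Label`, `New-LabelPolicy`, `New-DlpCompliancePolicy`, `New-DlpComplianceRule`) are the real ones; the tenant domain, label and policy names and the policy tip text are placeholders, and the nested `ContentContainsSensitiveInformation` hashtable shape is written from my reading of the cmdlet reference and should be checked against the module version in your tenant.

```powershell
# Added example: sensitivity label + DLP rule for externally sent email.
# Requires the ExchangeOnlineManagement module and a Compliance Administrator role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "admin@contoso.example"   # placeholder account

# 1. A "Highly Confidential" label that encrypts content and grants rights only
#    to the organisation's own domain (contoso.example is a placeholder).
New-Label -Name "HighlyConfidential" -DisplayName "Highly Confidential" `
    -Tooltip "Personal or special-category data. Do not share externally." `
    -ContentType "File, Email" `
    -EncryptionEnabled $true -EncryptionProtectionType "Template" `
    -EncryptionRightsDefinitions "contoso.example:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL" `
    -EncryptionOfflineAccessDays 7 `
    -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText "HIGHLY CONFIDENTIAL"

# 2. Publish the label to all mailboxes and require a justification when a user
#    downgrades it, so removals are logged with a reason.
New-LabelPolicy -Name "Global label policy" -Labels "HighlyConfidential" `
    -ExchangeLocation All `
    -AdvancedSettings @{ requiredowngradejustification = "true" }

# 3. A DLP policy scoped to email, starting in test mode so early false
#    positives surface as policy tips and alerts without blocking anyone.
New-DlpCompliancePolicy -Name "Misdirected email guard" `
    -Comment "NI numbers or Highly Confidential labels must not leave the organisation" `
    -ExchangeLocation All -Mode TestWithNotifications

# 4. The rule: a UK National Insurance number OR the label, sent outside the
#    organisation -> policy tip, block with justified override, incident report.
New-DlpComplianceRule -Name "Block HC or NINO to external recipients" `
    -Policy "Misdirected email guard" `
    -ContentContainsSensitiveInformation @{
        operator = "Or"
        groups   = @(
            @{ operator = "Or"; name = "Identifiers"
               sensitivetypes = @(@{ name = "U.K. National Insurance Number (NINO)"; mincount = "1" }) },
            @{ operator = "Or"; name = "Labelled"
               labels = @(@{ name = "HighlyConfidential"; type = "Sensitivity" }) }
        )
    } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This file appears to contain sensitive personal data. Are you sure you want to send this externally?" `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, Detections, Severity `
    -ReportSeverityLevel High

# After the false-positive review, switch the policy from test to enforcement:
# Set-DlpCompliancePolicy -Identity "Misdirected email guard" -Mode Enable
```

The rule deliberately starts in `TestWithNotifications`: users see the policy tip, the compliance team sees the incident reports, and nothing is blocked until the override justifications and alerts have been reviewed for a week or two.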
This is also what closes the gap I mentioned in the BYOD article. If employees are accessing corporate data on personal devices, a labelled and encrypted document remains protected even outside your managed environment.
Here’s something I’m increasingly having direct conversations with clients about: what happens to your sensitive data when your employees paste it into ChatGPT?
It’s happening.
Right now.
In your organisation.
People are copying client emails into Claude or Gemini to help draft responses. Pasting salary data into ChatGPT to reformat a spreadsheet – maybe not this extreme, but you get the idea. Uploading contracts to Gemini or Claude to get a quick summary. Most of them aren’t being reckless; they’re just trying to work faster.
The problem is that data has now left your environment, potentially crossed international borders, and may have been ingested into a model.
Your GDPR obligations don’t care that the intent was innocent.
This is where Microsoft Purview DLP becomes critically relevant right now. Endpoint DLP policies can be configured to monitor and block sensitive content from being pasted or uploaded into browser-based applications, including consumer AI tools, on managed Windows devices. A document labelled “Confidential” can be blocked from reaching any site outside your approved list.
The ICO is clear that using AI tools with personal data carries the same data protection obligations as any other form of processing. Purview gives you the technical controls to enforce that at scale, rather than relying on awareness training and hoping for the best.
For organisations already rolling out Microsoft 365 Copilot, there’s a further layer: Purview DLP policies can be applied directly to Copilot interactions, preventing restricted content from surfacing in AI-generated summaries or responses. You get the productivity benefits of Copilot without the risk of it pulling up data that should be locked down.
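As an added example (again my own, not the post's or Microsoft's), this is the endpoint side of that control: a DLP policy scoped to onboarded Windows devices whose rule fires on the “Confidential” label and restricts where the content can go. It assumes devices are onboarded to Purview endpoint DLP with an E5 or E5 Compliance licence, that your allowed cloud service domains are maintained in the Endpoint DLP settings of the portal (the `CloudEgress` restriction applies to uploads to any domain not on that list, which is where consumer AI sites sit unless you add them), and that the `EndpointDlpRestrictions` setting names and values are as I recall them from the cmdlet reference, so verify them against your module version.

```powershell
# Added example: Endpoint DLP policy for managed Windows devices.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "admin@contoso.example"   # placeholder account

# 1. Endpoint-scoped policy, in test mode first so the early weeks only produce
#    Activity Explorer events and alerts rather than blocked users.
New-DlpCompliancePolicy -Name "Endpoint egress control" `
    -Comment "Stops labelled content leaving managed devices" `
    -EndpointDlpLocation All -Mode TestWithNotifications

# 2. Rule: anything carrying the "Confidential" label -> block browser upload to
#    non-allowed domains, block removable media and clipboard copy; warn on print
#    ("Warn" is block-with-user-override, so the justification is captured).
New-DlpComplianceRule -Name "Block Confidential egress" -Policy "Endpoint egress control" `
    -ContentContainsSensitiveInformation @{
        operator = "And"
        groups   = @(
            @{ operator = "Or"; name = "Labelled"
               labels = @(@{ name = "Confidential"; type = "Sensitivity" }) }
        )
    } `
    -EndpointDlpRestrictions @(
        @{ Setting = "CloudEgress";    Value = "Block" },
        @{ Setting = "RemovableMedia"; Value = "Block" },
        @{ Setting = "CopyPaste";      Value = "Block" },
        @{ Setting = "Print";          Value = "Warn"  }
    ) `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This content is classified Confidential. Uploading it to unapproved sites is blocked." `
    -GenerateIncidentReport SiteAdmin -ReportSeverityLevel High

# 3. Confirm what was created, review matches for a couple of weeks, then enforce.
Get-DlpComplianceRule -Policy "Endpoint egress control" | Format-List Name, EndpointDlpRestrictions
# Set-DlpCompliancePolicy -Identity "Endpoint egress control" -Mode Enable
```

Pairing the label (from the earlier section) with endpoint restrictions is what makes the control follow the data rather than the application: the same file is stopped whether the user tries a USB stick, the clipboard or a browser upload to an unlisted site.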
Let me be direct about the regulatory landscape, because it’s only getting more demanding.
UK GDPR and the Data Protection Act 2018
The UK GDPR, implemented through the Data Protection Act 2018, sets out clear obligations that Purview is designed to help you meet:
Article 5(1)(f) – personal data must be processed with integrity and confidentiality, using appropriate technical measures to prevent unauthorised access or disclosure
Article 25 – data protection by design and by default – protection must be built into your systems from the ground up, not retrofitted after an incident
Article 32 – organisations must implement appropriate technical and organisational measures to protect data against accidental loss, alteration, or unauthorised disclosure
Sensitivity labels and DLP policies are a direct, demonstrable response to all three.
When the ICO comes calling, you can point to exactly which controls are configured, what policies are enforced, and what was logged, rather than hoping a general “we take data protection seriously” statement is sufficient.
The Data (Use and Access) Act, which came into force in June 2025, has introduced further updates to how special category data is governed and how the ICO applies information management guidance. The ICO’s updated audit framework now explicitly recommends:
All as essential controls for organisations handling personal data.
Purview delivers all three out of the box within Microsoft 365 environments.
If you work in healthcare, legal, financial services or HR, then this is your data.
And you will know that GDPR Article 9 identifies categories of data requiring the highest level of protection: health records, biometric data, racial or ethnic origin, religious beliefs, sexual orientation.
These carry the most severe consequences if mishandled and the greatest scrutiny from regulators.
Sensitivity labels allow you to isolate it, apply stricter controls, and enforce handling rules that simply don’t apply to general business information.
Any organisation that accesses NHS patient data must comply with the NHS Data Security and Protection Toolkit (DSPT). From 2024/25, the DSPT is aligned to the NCSC’s Cyber Assessment Framework, with specific requirements around using and sharing information appropriately. That’s precisely the problem DLP and sensitivity labels address, and they generate the auditable technical evidence the toolkit requires you to demonstrate.
Financial services organisations face additional obligations around client data, record-keeping, and Consumer Duty. Microsoft’s compliance offering for FCA and PRA-regulated firms includes pre-built assessment templates in Purview Compliance Manager, and DLP policies can be tuned specifically to the data types FCA firms regularly handle, such as account numbers, customer PII (personally identifiable information) and transaction records.
Access controls, data handling policies, and demonstrable technical safeguards are core requirements of both. Purview provides the evidence layer that makes those requirements auditable rather than theoretical.
Here’s a simplified version of a recent deployment.
Company: Mid-sized professional services firm, 85 employees
Challenge: The firm was handling highly sensitive client documents across SharePoint, email, and shared drives with no consistent classification, no controls preventing unencrypted external sharing, and growing concern about staff using personal AI tools with client data.
Solution: We deployed Microsoft Purview Sensitivity Labels across the estate, starting with a four-tier policy (Public / Internal / Confidential / Highly Confidential). DLP policies were configured to enforce encryption on externally shared Confidential documents, require business justification for overrides, and block upload of labelled files to unsanctioned cloud services and consumer AI platforms.
Outcome:
What Does This Actually Look Like?
Purview is configured through the Microsoft Purview portal. Label taxonomies and DLP policies live there, and changes propagate across your Microsoft 365 environment typically within an hour.
On licensing: manual sensitivity labels and core DLP are available from Microsoft 365 Business Premium and E3. Auto-classification, endpoint DLP, and advanced DLP features require E5 or the M365 E5 Compliance add-on. For most of the businesses I, and AAG IT Services, work with, Business Premium is already in place, meaning there’s no additional licensing cost to get started with the fundamentals.
This is a project, not a switch you flip. A proper deployment involves mapping your data, designing a label taxonomy that fits your organisation, configuring DLP rules, training your users, and monitoring for false positives in the early weeks.
Done properly, the foundation can be in place within a few weeks, and the value is immediate.
As mentioned in the Best Practices section, in the Zero Trust article I outlined three pillars: secure the user, secure the device, secure the data. We’ve now covered two of the three across this series. I will be doing a deep dive into Secure the User soon.
These aren’t independent projects. They’re designed to work as a coherent whole.
A sensitivity label feeds into a DLP policy > that DLP policy integrates with Conditional Access > Conditional Access checks device compliance through Intune.
When it all comes together, you have a genuinely resilient posture and not a collection of isolated controls with gaps between them.
Data protection isn’t going to get simpler. Regulatory requirements are tightening, the Data (Use and Access) Act is reshaping how organisations are expected to govern information, and AI tools are introducing new vectors for accidental disclosure that most businesses haven’t got policies for yet.
The good news is that if you’re already in Microsoft 365, the tools to address this are available to you today.
The question is whether they’re configured.
As your trusted MSP partner, we’re here to help you get there.
Whether you’re starting from scratch, building on an existing Intune deployment, or need demonstrable compliance controls ahead of an audit, AAG can assess your current setup, design a label taxonomy that fits your business, and implement DLP policies that protect your data without getting in your people’s way.
The best time to deploy these controls was before a breach.
The second-best time is now.