
How to Set Up Data Loss Prevention (DLP) in Microsoft 365

Data Loss Prevention — commonly abbreviated to DLP — is one of the most powerful yet underused security features available in Microsoft 365. For UK businesses handling sensitive information, whether that is customer personal data protected under GDPR, financial records subject to FCA regulations, or confidential intellectual property, DLP policies provide an automated safety net that prevents sensitive data from leaving your organisation through email, chat, file sharing, or cloud storage.

Despite its importance, many UK businesses either ignore DLP entirely or implement it so loosely that it provides little practical protection. This guide walks you through the process of setting up effective DLP policies in Microsoft 365, from understanding what DLP can protect against to configuring specific policies for the most common UK business scenarios.

The consequences of failing to protect sensitive data are severe and well-documented. The ICO has issued fines totalling millions of pounds to UK organisations that failed to prevent data breaches, and the reputational damage from a data leak can far exceed the financial penalty. DLP does not eliminate the risk entirely, but it significantly reduces the likelihood of accidental data exposure — which remains the single most common cause of data breaches in UK businesses.

  • 88% of data breaches involve human error, not hacking
  • £3.4M is the average cost of a data breach for UK organisations
  • 23% of UK businesses have DLP policies configured
  • 72 hours is the GDPR deadline to report a qualifying breach to the ICO

What DLP Actually Does

At its core, DLP is a set of policies that automatically detect and optionally block the transmission of sensitive information. When a user attempts to send an email, share a file via OneDrive or SharePoint, or post a message in Microsoft Teams that contains data matching a DLP policy, the system can take one of several actions: allow the action with no intervention, show the user a warning that they may be sharing sensitive information and ask them to confirm, block the action entirely and notify the user, or block the action and notify both the user and a compliance administrator.

DLP policies identify sensitive information using a combination of pattern matching (such as recognising the format of a National Insurance number, credit card number, or passport number), keyword detection (identifying terms commonly associated with sensitive data), and context analysis (examining the surrounding text to reduce false positives). Microsoft 365 includes over 200 built-in sensitive information types, many of which are specifically designed for UK data formats and regulatory requirements.

DLP Licensing Requirements

DLP capabilities in Microsoft 365 vary by licence tier. Basic DLP for Exchange Online is available in most business plans, but comprehensive DLP across Teams, SharePoint, OneDrive, and endpoint devices requires Microsoft 365 Business Premium, E3, or E5 licences. Before configuring DLP, verify that your current licence tier supports the policies you need. If you are on Microsoft 365 Business Basic or Standard, you may need to upgrade to unlock full DLP functionality.

Planning Your DLP Policies

Effective DLP implementation starts with planning, not configuration. Before creating any policies, you need to understand what sensitive data your organisation handles, where it resides, how it flows through your systems, and what the regulatory requirements are for protecting it.

For most UK businesses, the sensitive data types that require DLP protection include personal data as defined by GDPR (names combined with addresses, email addresses, phone numbers, National Insurance numbers, dates of birth), financial data (bank account numbers, sort codes, credit card numbers, salary information), health data (medical records, health conditions, NHS numbers), and business-confidential information (trade secrets, pricing strategies, unreleased product information, board minutes).

UK-Specific Sensitive Information Types

Information Type           | Pattern Example                      | Applicable Regulation | Risk Level
National Insurance Number  | AB 12 34 56 C                        | GDPR, DPA 2018        | High
NHS Number                 | 943 476 5919                         | GDPR, NHS Standards   | High
UK Passport Number         | 925076473                            | GDPR, DPA 2018        | High
UK Bank Account            | Sort code + 8-digit account number   | GDPR, FCA             | High
Credit/Debit Card Number   | 4XXX XXXX XXXX XXXX                  | PCI DSS, GDPR         | Critical
UK Driving Licence         | JONES 710238 AB1CD                   | GDPR, DPA 2018        | Medium

Step-by-Step Configuration

With your planning complete, you can now create DLP policies in the Microsoft Purview compliance portal (formerly the Microsoft 365 compliance centre). The following steps walk through creating a policy to protect UK personal data — the most common requirement for UK businesses.

Step 1: Access the compliance portal. Navigate to compliance.microsoft.com and sign in with an account that has compliance administrator permissions. Select "Data loss prevention" from the left navigation, then select "Policies."

Step 2: Create a new policy. Click "Create policy." Microsoft provides several templates specifically designed for UK regulatory requirements. Select "UK Financial Data" or "UK Personally Identifiable Information (PII)" as your starting template, or select "Custom policy" if you need to define your own sensitive information types.

Step 3: Name and describe your policy. Give your policy a clear, descriptive name such as "UK PII Protection - Email and File Sharing" and add a description that explains what the policy protects and why. This documentation is invaluable for audit purposes and for colleagues who manage the policy in future.

Step 4: Choose locations. Select which Microsoft 365 services the policy applies to. For comprehensive protection, enable the policy for Exchange email, SharePoint sites, OneDrive accounts, and Teams chat and channel messages. You can also apply policies to specific users, groups, or sites rather than the entire organisation — useful for a phased rollout.

Step 5: Configure policy rules. Define what the policy should detect and what action it should take. For a UK PII protection policy, configure rules to detect UK National Insurance numbers, UK passport numbers, and combinations of names with addresses, email addresses, or phone numbers. Set the action to "Show policy tip and send notification" for low-volume matches and "Block sharing and send notification" for high-volume matches (which may indicate a data export or breach).
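The same five steps can be scripted with Security & Compliance PowerShell (the ExchangeOnlineManagement module), which is useful for repeatable rollouts and for keeping the policy definition under version control. This is an added example, not code from the original post: the sensitive information type names, the policy tip wording and the compliance mailbox address are assumptions, and the script lists the tenant's built-in UK types first so the names can be confirmed.

```powershell
# Added example (not from the original post): the same UK PII policy built with
# Security & Compliance PowerShell (ExchangeOnlineManagement module) rather than
# the portal. The SIT names and the compliance mailbox address are assumptions.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # sign in with a compliance administrator account

# Step 2 equivalent: list the built-in UK sensitive information types so the
# exact names used below can be confirmed before creating rules
Get-DlpSensitiveInformationType | Where-Object { $_.Name -like 'U.K.*' } |
    Select-Object Name | Format-Table -AutoSize

$policyName = 'UK PII Protection - Email and File Sharing'

# Steps 3-4: name, description, all four workloads, and test mode with policy tips
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Detects UK personal data shared externally. Owner: IT Security.' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -TeamsLocation All `
    -Mode TestWithNotifications

# Assumed SIT names: replace with the values printed above if they differ
$ukPiiLow = @(
    @{ Name = 'U.K. National Insurance Number (NINO)'; minCount = '1'; maxCount = '9' },
    @{ Name = 'U.K. Passport Number'; minCount = '1'; maxCount = '9' }
)
$ukPiiHigh = @(
    @{ Name = 'U.K. National Insurance Number (NINO)'; minCount = '10' },
    @{ Name = 'U.K. Passport Number'; minCount = '10' }
)

# Step 5a: 1-9 matches shared outside the organisation: policy tip plus notification
New-DlpComplianceRule -Name 'UK PII - low volume - tip' -Policy $policyName `
    -ContentContainsSensitiveInformation $ukPiiLow `
    -AccessScope NotInOrganization `
    -NotifyUser Owner,LastModifier `
    -NotifyPolicyTipCustomText 'This item appears to contain UK personal data. Check before sharing externally.' `
    -ReportSeverityLevel Low

# Step 5b: 10 or more matches (possible bulk export): block, notify the user and
# send an incident report to the compliance team
New-DlpComplianceRule -Name 'UK PII - high volume - block' -Policy $policyName `
    -ContentContainsSensitiveInformation $ukPiiHigh `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner,LastModifier `
    -GenerateIncidentReport 'compliance@example.com' `
    -IncidentReportContent Title,DocumentAuthor,Detections,Severity `
    -ReportSeverityLevel High
```

Run the policy in test mode first; the low-volume rule only shows tips and the high-volume rule only blocks once the policy mode is changed to Enable.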

DLP Best Practices

  • Start in test mode before enforcing
  • Use policy tips to educate users first
  • Begin with high-confidence detections only
  • Review false positives weekly and tune rules
  • Cover all channels: email, Teams, SharePoint
  • Include UK-specific data types
  • Document policies for audit compliance
  • Review and update policies quarterly

Common DLP Mistakes

  • Enforcing strict blocking immediately
  • Ignoring user feedback and false positives
  • Covering only email, ignoring Teams and OneDrive
  • Using default templates without customisation
  • Setting too many low-confidence rules
  • No incident response process for DLP alerts
  • Never reviewing or updating policies
  • No user training on DLP policy tips

Testing and Tuning Your Policies

The single most important piece of advice for DLP implementation is this: always start in test mode. Microsoft 365 allows you to create DLP policies in "test mode with policy tips" or "test mode without policy tips." This enables you to see what the policy would flag and block without actually preventing users from working. Run each policy in test mode for at least two weeks, reviewing the results daily, before enabling enforcement.

During the testing phase, pay close attention to false positives — legitimate communications that are incorrectly flagged as containing sensitive data. False positives are the biggest threat to DLP adoption because they cause user frustration and erode trust in the system. If users learn that DLP warnings are frequently wrong, they will begin ignoring them entirely, defeating the purpose of the protection.

Tune your policies by adjusting confidence levels, adding exceptions for known legitimate data flows, and refining keyword lists. For example, if your finance team regularly sends legitimate emails containing bank account numbers, you might create an exception that allows members of the finance team to share this data type with specific approved external contacts while maintaining the restriction for all other users.
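The finance-team exception described above, and the later switch from test mode to enforcement, as an added PowerShell example that is not part of the original post. The policy name, finance group address and approved counterparty domain are placeholders; the sensitive information type name and the FromMemberOf, RecipientDomainIs and StopPolicyProcessing parameters of New-DlpComplianceRule are assumed to be available in your tenant and should be confirmed with Get-Help before use.

```powershell
# Added example (not from the original post). Placeholders: the policy name,
# finance group address and approved counterparty domain. The SIT name and the
# FromMemberOf / RecipientDomainIs / StopPolicyProcessing parameters are assumed;
# confirm with: Get-Help New-DlpComplianceRule -Parameter FromMemberOf
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName   = 'UK PII Protection - Email and File Sharing'
$financeGroup = 'finance-team@example.com'
$approvedBank = 'approved-bank.example'

# Allow-style rule: finance team members sending bank details to the approved
# domain match this rule first (priority 0) and stop further rule processing,
# so the tip/block rules in the same policy still apply to everyone else and to
# every other recipient. The match is still reported (Low severity) for audit.
New-DlpComplianceRule -Name 'UK PII - finance to approved bank - allow' -Policy $policyName `
    -Priority 0 `
    -ContentContainsSensitiveInformation @{ Name = 'International Banking Account Number (IBAN)'; minCount = '1' } `
    -FromMemberOf $financeGroup `
    -RecipientDomainIs $approvedBank `
    -StopPolicyProcessing $true `
    -ReportSeverityLevel Low

# Check the evaluation order: the allow rule must sit above the tip/block rules
Get-DlpComplianceRule -Policy $policyName |
    Sort-Object Priority | Select-Object Priority, Name | Format-Table -AutoSize

# After at least two weeks in test mode with daily review of the results,
# move the policy to enforcement (reverse with -Mode TestWithNotifications)
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode
```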

  • 34% of organisations test DLP before enforcement
  • 28% of organisations review DLP false positives
  • 19% of organisations update DLP policies quarterly

Monitoring and Incident Response

Once your DLP policies are live, ongoing monitoring is essential. The Microsoft Purview compliance portal provides a DLP dashboard showing policy matches, user overrides, false positive reports, and incident trends. Review this dashboard at least weekly to identify emerging patterns, recurring false positives that need rule adjustments, and potential policy violations that require investigation.

Establish a clear incident response process for DLP alerts. When a DLP policy blocks a high-severity action — such as an attempt to email a large volume of personal data to an external address — someone in your organisation needs to investigate promptly. Was it a legitimate business need that requires a policy exception, or was it an attempted data exfiltration? Having a defined process ensures alerts are investigated consistently and promptly, rather than accumulating unread in a compliance mailbox.

Data Loss Prevention in Microsoft 365 is not a set-and-forget technology. It requires ongoing attention, tuning, and user education to be effective. But when implemented well, it provides a critical layer of protection that helps your organisation comply with GDPR, prevent accidental data breaches, and build a culture of data awareness among your staff.

Need Help Setting Up DLP in Microsoft 365?

Cloudswitched helps UK businesses configure and manage Data Loss Prevention policies in Microsoft 365. From initial planning and policy design to testing, tuning, and ongoing management, we ensure your sensitive data is protected without disrupting your team's productivity.
