Data Loss Prevention (DLP) for Philippine Businesses: What It Is and Why You Need It Before the NPC Comes Knocking
Personal data leaving your organisation without authorisation is a breach under RA 10173 — the Data Privacy Act of the Philippines. The breach may be malicious (a disgruntled employee sending client records to a competitor), accidental (a staff member emailing a spreadsheet containing SSS numbers to the wrong recipient), or systemic (public sharing settings on cloud files that expose sensitive data to anyone with the link).
Data Loss Prevention (DLP) is the technical control designed to detect and prevent these scenarios. It monitors data in motion (email, file uploads, chat), data at rest (files stored on SharePoint, OneDrive, Google Drive, local drives), and data in use (files being copied to USB drives or printed), and applies policy-based controls — alert the administrator, block the transfer, or require justification from the user.
For Philippine businesses handling employee records, client personal data, financial information, or health data, DLP is a required component of a complete data governance posture.
The Data Leakage Scenarios That Actually Happen
Accidental Email to Wrong Recipient
A finance staff member means to email a payroll summary to their manager but addresses the email incorrectly. The attachment contains SSS numbers, bank account details, and salary information for 200 employees. This is a notifiable personal data breach under NPC guidelines.
Public File Sharing
A staff member saves a client data file to OneDrive and shares it via a "anyone with the link" URL for their own convenience. The link circulates beyond the intended recipient. The file remains publicly accessible until manually revoked.
Unauthorised USB Transfer
An employee leaving the company copies client contact lists, pricing data, or proprietary business information to a USB drive before their last day.
Oversharing in Chat
Sensitive information — passwords, financial data, personal identification numbers — shared in Microsoft Teams channels or Google Chat where the channel membership is broader than intended.
Screenshot and Upload
A staff member screenshots sensitive data on screen and uploads it to a personal cloud service or sends it via personal messaging apps.
DLP cannot prevent every scenario (screenshots are particularly difficult to control), but it addresses the most common and highest-volume leakage vectors.
What DLP Covers: Microsoft Purview
Microsoft Purview Information Protection and DLP is included in Microsoft 365 Business Premium and E3/E5 plans. It provides:
Sensitive Information Types
Microsoft Purview includes pre-built sensitive information type (SIT) detectors for:
- Philippines-specific: Philippine UMID number, SSS number, PhilHealth number, TIN, Philippine passport
- Financial: credit card numbers, bank account numbers, SWIFT codes
- Personal: names + date of birth combinations, email addresses in bulk
- Health: ICD codes, medical record patterns
- General PII patterns: phone numbers, addresses
These detectors use pattern matching and machine learning to identify sensitive content in files, emails, and messages without reading or storing the actual data.
DLP Policies
A DLP policy defines: what sensitive information types to detect, where to look (Exchange email, SharePoint, OneDrive, Teams, endpoint devices), and what action to take when detected.
Example policy — prevent external sharing of employee records:
- Detect: files containing 5+ SSS numbers or payroll data patterns
- Locations: OneDrive, SharePoint
- If shared externally: block the sharing and notify the user
- If emailed externally: display a policy tip to the user; require justification if they override
Example policy — protect client personal data:
- Detect: files containing 10+ Philippine phone numbers or 5+ email addresses + names
- Locations: Exchange email, Teams
- If sent externally to non-whitelisted domains: block and alert administrator
Endpoint DLP
For organisations with Intune-managed Windows 10/11 devices, Endpoint DLP extends policies to:
- USB drives: block or audit copying sensitive files to USB
- Clipboard: monitor copying of sensitive content
- Printer: block printing of sensitive documents
- Cloud upload: block uploading sensitive files to personal cloud services (Google Drive personal, Dropbox, WeTransfer)
- Browser: block pasting sensitive content into web forms
Endpoint DLP requires Microsoft 365 E5 Compliance or the Microsoft 365 E5 add-on licence.
Sensitivity Labels: The Foundation of DLP
DLP works best when combined with sensitivity labels — classifications applied to documents and emails that travel with the content and inform DLP policies.
Typical label hierarchy for a Philippine SME:
| Label | Definition | Protection |
|---|---|---|
| Public | Can be shared freely | No restrictions |
| Internal | For internal use only | Block external email/sharing |
| Confidential | Client data, financial data | Encrypt + restrict to authorised users |
| Highly Confidential | Legal, M&A, executive communications | Encrypt + no external sharing + audit |
Labels can be:
- Manually applied by users when they create or save a document
- Automatically applied when sensitive content is detected (requires M365 E5 or equivalent)
- Recommended to users with a prompt when sensitive content is detected
For Philippine businesses with NPC obligations, a minimum sensitivity label deployment covers Internal, Confidential, and Highly Confidential. Files classified as Confidential or above should have DLP policies that restrict external sharing and email.
Google Workspace DLP
Google Workspace Business Plus and Enterprise plans include DLP capabilities via Google Workspace Data Loss Prevention:
- Gmail DLP: scan outbound email for sensitive content (credit card numbers, SSS number patterns, custom regex)
- Drive DLP (Enterprise): scan files in Google Drive for sensitive content and enforce sharing restrictions
- Chat DLP (Enterprise): detect sensitive content in Google Chat messages
Google's DLP is less feature-rich than Microsoft Purview for endpoint scenarios, but covers the primary email and Drive leakage vectors for Workspace-based organisations.
NPC Compliance Implications
Under RA 10173 and its IRR, personal information controllers are required to:
- Implement organisational, physical, and technical security measures appropriate to the risk
- Conduct a Privacy Impact Assessment (PIA) for high-risk processing activities
- Report personal data breaches to the NPC within 72 hours if they meet notification thresholds
- Maintain records of processing activities
DLP is a technical security measure that demonstrates compliance with the security obligation. Organisations that experience a breach and cannot demonstrate they had reasonable technical controls in place face higher NPC penalties and reputational consequences.
The NPC's 940+ breach notifications in 2025 include many cases where simple DLP controls — blocking external email of sensitive data, restricting public file sharing — would have prevented the breach or significantly reduced its scope.
Implementation Priorities for Philippine SMEs
Starting point (M365 Business Premium or E3):
- Enable Microsoft Purview Information Protection in the Microsoft Purview compliance portal
- Create sensitivity labels: Internal, Confidential, Highly Confidential
- Train users on manual label application
- Deploy a DLP policy: alert administrator when files containing Philippine SSS numbers or large volumes of email addresses are shared externally
- Enable audit logging for SharePoint and OneDrive sharing events
Next phase:
- Add auto-labelling policies for common file patterns
- Extend DLP to Microsoft Teams
- Conduct access review: audit all externally shared SharePoint links
Advanced (M365 E5 or Compliance add-on):
- Deploy Endpoint DLP on Intune-managed devices
- Implement USB drive restrictions for sensitive data
- Connect Purview to third-party applications via API connectors
If your Philippine organisation needs help deploying Microsoft Purview DLP, configuring sensitivity labels, or conducting a data governance assessment, get in touch.
Talk to our Cloud & I.T. team →
