Data loss prevention (DLP) policies help you govern the sensitive information managed in your Power BI tenant and comply with governmental or industry regulations, such as GDPR (the European Union’s General Data Protection Regulation). Earlier this year, we announced the release of DLP policies for Power BI to public preview.
We’ve seen impressive results with DLP policies in Power BI, with tenants scanning tens of thousands of datasets per day, and more. DLP policies provide you with an automatic solution to govern sensitive business data in your Power BI tenant, at scale.
We’re happy to share with you two significant enhancements to DLP policies in Power BI:
- CPU metering for DLP policy evaluation
- Overriding policy tips and reporting false positives
Introducing CPU metering for DLP policy evaluation
Today, you can set up DLP policies in your organization that will automatically detect uploading of sensitive information or of data with a specific sensitivity label to “import datasets” into workspaces associated with your Gen2 Premium capacities.
When a dataset is evaluated by the policy, it is scanned for sensitive information types or sensitivity labels, according to the policy conditions configured in Microsoft Purview compliance portal. This evaluation is triggered in one of the following data upload scenarios: Publish, Republish, On-demand refresh and Scheduled refresh.
With each of these actions, Power BI will evaluate the dataset to determine if it contains sensitive information or not. This process utilizes CPU from the premium capacity associated with the workspace the evaluated dataset resides in. The CPU consumption of the evaluation will be equal to 30% of the CPU consumed by the refresh action that triggered the evaluation. For example, if a refresh action costs 30 milliseconds of CPU, then the DLP scan will cost an additional 9 milliseconds. The fixed 30% additional CPU consumption for the DLP evaluation can help you predict the impact of DLP policies on your overall Capacity CPU utilization, and perform capacity planning when rolling out DLP policies in your organization.
*To clarify, there is no additional CPU metering due to DLP evaluation for Premium Per User workspaces, as they are not associated to Premium capacities.
To see the CPU usage of your data loss prevention policies, go to the “Power BI Premium Capacity Metrics App”. For more information visit Monitor Power BI Premium capacities with the Premium Capacity Metrics app. – Power BI | Microsoft Docs
Override policy tips and report false positives
We’re introducing the ability for Power BI users to give feedback on the policy rules evaluating their datasets. This will enable them to provide insight on the datasets met with rules defined by the Security Admins in Microsoft Purview Compliance Portal, and help create a built-in line of communication to ensure smooth operation on both teams.
In the dataset’s detail page, you will now be able to see all the policy rules that have been matched for this dataset. By clicking on the “view all” in the top yellow banner, you will open a side panel with a card representing each and every rule. On top of viewing all the matched rules, data owners will be able to take action if they believe the data was falsely identified.
Based on how the policy rule was configured, you will be able to see one or a combination of these actions:
- Report an issue: Report the issue as a false positive (meaning that the policy has mistakenly identified non-sensitive data as sensitive, for example).
- Override: Override the policy. Overriding a policy means that this policy will no longer evaluate this particular dataset. Depending on the policy configuration, you may be required to provide a justification for the override.
- Report and override: Report the issue as a false positive and override the policy.
For more information, see Data loss prevention policies for Power BI.