
Most SMEs have no data classification in place. Files sit in SharePoint and OneDrive with no labels, no restrictions on sharing, and no visibility into what is leaving the organisation. When someone accidentally shares a client contract via a public link, or emails a spreadsheet of employee salary data to the wrong address, there is nothing in place to prevent it or even flag it. Microsoft Purview gives SMEs the essential tools to address these challenges.
Microsoft Purview provides sensitivity labels and data loss prevention (DLP) rules inside Microsoft 365. If you have a Business Premium or E3 licence, you already have access to the core features. The problem is that most SMEs never configure them because the documentation is designed for enterprise compliance teams, not for a business with 30 users and no dedicated IT security function.
This article gives you a realistic starter configuration: three sensitivity labels, two DLP rules, and a monthly audit routine that an SME can deploy and maintain without a compliance department.
Three Sensitivity Labels to Start With
Sensitivity labels classify your data by how sensitive it is. Once applied, labels can enforce protections such as encryption, watermarks, and sharing restrictions. Start with three labels. You can add more later, but three covers 90% of SME needs without confusing users.
Public. Content that can be shared externally without restriction. Marketing materials, published blog posts, public-facing documents. No encryption, no restrictions. A footer reading “Public” provides a visual marker.
Internal. Content intended for internal use only. Meeting notes, internal policies, project documents, staff communications. No encryption (this avoids friction), but a footer reading “Internal Use Only” reminds staff not to share externally. This should be the default label applied to all new documents automatically, so nothing is created without classification.
Confidential. Content that would cause harm if shared externally. Client contracts, financial data, employee records, supplier pricing, legal correspondence. Apply encryption so only authorised users can open the file. Add a header and footer reading “Confidential.” Restrict external sharing.
Publish these labels through a label policy in the Purview portal and set “Internal” as the default. Users can upgrade to “Confidential” when needed, but nothing is ever created unlabelled.
Two DLP Rules That Prevent the Worst Outcomes
DLP rules monitor for sensitive information leaving the organisation and either warn the user, block the action, or notify an administrator. Start with two rules that cover the highest-risk scenarios.
Rule 1: Block external sharing of Confidential files. When a user tries to share a file labelled “Confidential” via a public SharePoint link, external email, or OneDrive sharing, the DLP rule blocks the action and shows a policy tip explaining why. This single rule prevents the most common accidental data exposure.
Rule 2: Warn on sensitive data in email. Configure a DLP rule that detects common sensitive data types in outbound email: National Insurance numbers, credit card numbers, and bank account details. Instead of blocking, show a policy tip that asks the user to confirm they intend to send this externally. This catches accidental disclosures without blocking legitimate business communication.
Run both rules in audit mode for the first two weeks. Review the matches, check for false positives, and adjust before switching to enforcement. This avoids disrupting your team with unexpected blocks.
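A simplified sketch of what Rule 2 evaluates, added here as an example (it is not Purview's matching logic or code from this article): it scans outbound messages to external recipients for card-number and National Insurance number patterns, and uses a Luhn checksum to separate real card numbers from look-alike digit strings, the kind of false positive the audit period is meant to surface. The mail domain, function names and sample messages are constructed assumptions, and bank account details are left out.

```python
import re

INTERNAL_DOMAIN = "example.co.uk"  # assumption: your tenant's mail domain

# 16 digits, optionally grouped with spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
# NI number shape: two prefix letters (unused prefixes excluded),
# six digits, suffix letter A-D.
NINO_RE = re.compile(
    r"\b(?!BG|GB|KN|NK|NT|TN|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]"
    r" ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b"
)

def luhn_ok(number: str) -> bool:
    """Luhn checksum: double every second digit from the right."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan_message(recipients, body):
    """Return (data_type, verdict) pairs for one outbound message."""
    suffix = "@" + INTERNAL_DOMAIN
    if all(r.lower().endswith(suffix) for r in recipients):
        return []  # the rule only covers mail leaving the organisation
    findings = []
    for m in CARD_RE.finditer(body):
        # "pattern-only" = looks like a card number but fails the checksum
        verdict = "warn" if luhn_ok(m.group()) else "pattern-only"
        findings.append(("credit card number", verdict))
    for _ in NINO_RE.finditer(body):
        findings.append(("national insurance number", "warn"))
    return findings

# Constructed sample messages: (recipients, body)
SAMPLES = [
    (["billing@supplier.example"], "Card for the deposit: 4111 1111 1111 1111"),
    (["client@customer.example"], "Your order reference is 1234567812345678."),
    (["payroll@bureau.example"], "New starter NI number AB 12 34 56 C"),
    (["colleague@example.co.uk"], "Card 4111 1111 1111 1111 for the team lunch"),
]

def run():
    return [scan_message(to, body) for to, body in SAMPLES]
```

The second sample is the case to look for during the audit period: a 16-digit order reference that a pattern-only rule would flag on every invoice email.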
A Monthly Audit Routine
Labels and DLP rules only work if someone checks they are being used correctly. Set a monthly 30-minute review.
Check the data classification dashboard in Purview. How much content is labelled? How much is unlabelled? If the unlabelled percentage is growing, your default label policy may not be applied correctly, or new content is being created outside the policy's scope.
Review DLP incident reports. How many policy matches occurred? Were they genuine risks or false positives? Adjust rules if a specific file type or workflow is generating excessive alerts.
Check for label downgrades. If users are routinely changing files from “Confidential” to “Internal” or “Public,” investigate why. It may indicate the label is being applied too broadly by auto-labelling, or that users are bypassing protections for convenience.
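The labelling and downgrade checks from this routine can be scripted over whatever you export each month. The following is an added example, not code from this article or from Microsoft: the field names, file paths, users and sample rows are constructed, and counting a removed label as a downgrade is an assumption of the example.

```python
from collections import Counter

# Label order from the article, lowest to highest sensitivity. A missing label
# ranks below "Public", so removing a label counts as a downgrade (assumption).
RANK = {None: -1, "Public": 0, "Internal": 1, "Confidential": 2}

# Constructed sample data; field names are hypothetical, map them to your export.
FILES = [
    {"path": "/finance/payroll.xlsx", "label": "Confidential"},
    {"path": "/sales/brochure.pdf", "label": "Public"},
    {"path": "/ops/rota.docx", "label": "Internal"},
    {"path": "/ops/scan-0042.pdf", "label": None},
]
CHANGES = [
    {"user": "a.khan", "path": "/finance/payroll.xlsx", "old": "Confidential", "new": "Internal"},
    {"user": "a.khan", "path": "/legal/contract.docx", "old": "Confidential", "new": "Public"},
    {"user": "j.doe", "path": "/ops/rota.docx", "old": "Internal", "new": "Confidential"},
    {"user": "j.doe", "path": "/ops/notes.docx", "old": "Internal", "new": None},
]

def rank(label):
    # Empty strings are treated as "no label"; an unknown label name raises
    # KeyError so a newly added label is not silently mis-ranked.
    return RANK[label or None]

def unlabelled_pct(files):
    if not files:
        return 0.0
    missing = sum(1 for f in files if not f["label"])
    return round(100 * missing / len(files), 1)

def downgrades(changes):
    """Changes where the new label ranks below the old one."""
    return [c for c in changes if rank(c["new"]) < rank(c["old"])]

def monthly_review(files, changes, last_month_pct, repeat_threshold=2):
    pct = unlabelled_pct(files)
    down = downgrades(changes)
    per_user = Counter(c["user"] for c in down)
    return {
        "unlabelled_pct": pct,
        "unlabelled_growing": pct > last_month_pct,
        "downgrades": len(down),
        # Users at or above the threshold are the ones to ask "why?"
        "investigate_users": sorted(u for u, n in per_user.items() if n >= repeat_threshold),
    }
```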
How This Supports Copilot and Compliance
If your business uses or plans to use Microsoft 365 Copilot, sensitivity labels become essential. Copilot surfaces content based on user permissions. Labels add a classification layer that tells Copilot (and DLP) how sensitive that content is, regardless of who has permission to access it.
For compliance, labels provide an auditable record of how data is classified, who accessed it, and what protections were applied. This supports cyber insurance evidence requirements and demonstrates proportionate data handling if a regulator asks.
Make It Part of Your Security Programme
If you have Microsoft 365 Business Premium or E3 and have never configured sensitivity labels or DLP, the features are sitting unused in your subscription. Contact The Unite Group and we will set up your starter labels, configure DLP rules for your environment, publish the label policy, and show your team how to use them, all as part of your managed Microsoft 365 service.
