This Google Cloud Platform security best practice is part of the Data Protection security domain.
Procedures for labeling, handling, and protecting the confidentiality and integrity of personal information, test data, production data, and data involved in online transactions to prevent contract dispute and compromise of data shall be established. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.
Areas where potential information leakage can occur shall be identified, and appropriate controls to mitigate it shall be implemented.
Customers can use the Cloud DLP API to better understand and manage sensitive data. It provides fast, scalable classification and redaction for sensitive data elements such as credit card numbers, names, social security numbers, US and selected international identifier numbers, phone numbers, and GCP credentials. VPC Service Controls and org node policies can also be used.
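The classification and redaction described above can be exercised with a single `content:deidentify` call. The request body below is an added example, not part of the original page. It is sent as `POST https://dlp.googleapis.com/v2/projects/PROJECT_ID/content:deidentify`, where `PROJECT_ID` is a placeholder and the text under `item.value` is a constructed sample.

```json
{
  "item": {
    "value": "Constructed sample: card 4111-1111-1111-1111, callback number (555) 010-0199."
  },
  "inspectConfig": {
    "infoTypes": [
      { "name": "CREDIT_CARD_NUMBER" },
      { "name": "PERSON_NAME" },
      { "name": "US_SOCIAL_SECURITY_NUMBER" },
      { "name": "PHONE_NUMBER" },
      { "name": "GCP_CREDENTIALS" }
    ],
    "minLikelihood": "POSSIBLE"
  },
  "deidentifyConfig": {
    "infoTypeTransformations": {
      "transformations": [
        {
          "primitiveTransformation": {
            "replaceWithInfoTypeConfig": {}
          }
        }
      ]
    }
  }
}
```

Because the transformation lists no infoTypes of its own, it applies to every infoType named in `inspectConfig`, and each finding in the returned text is replaced by its infoType name.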