What are the best practices to be followed when implementing the sensitivity label?

• Sensitivity labels are used to classify and protect data. Here are some best practices when implementing them:

1. Define a clear label taxonomy by starting with an intuitive structure like Public, Internal, Confidential and Highly Confidential.
2. Let Microsoft Purview automatically detect sensitive information (e.g., credit card numbers, passport numbers), and base your labels on these classifications.
3. Enable auto-labeling policies wherever applicable.

For reference - 1. Sensitivity Label Overview, 2. Labelling Best Practices

Who will provide the persona to create the sensitivity label? Is it something I should ask the requirement provider/requester or, do I need to go via MSFT best practice document and create the sensitivity label?

• The sensitivity label should ideally be defined by your security or compliance team. However, it's important to collaborate with requirement provider/requester to understand the business context and data sensitivity involved in your specific use case (e.g., OneDrive).

  If your organization does not yet have a formal labeling policy, then you can refer to and follow Microsoft’s best practice documentation to define a suitable sensitivity labeling framework.

For reference - 1. Get started with sensitivity labels, 2. Creat and configure labels

Is creating a sensitivity label a part of "data discovery and classification"?

• Not directly, but it's closely related. Classification results to decide when and where to apply sensitivity labels.

  Data discovery and classification is about Scanning data sources like OneDrive, automatically detecting sensitive information and Tagging data based on built-in classification rules.

  While Sensitivity labels are part of Microsoft Purview Information Protection, used to protect and govern the data (e.g., encryption, access restriction)

Step-by-Step approach in your case:

• Since you're starting with OneDrive:

  1. Use the Microsoft 365 connector to register OneDrive as a data source.
  2. Run a scan and classify the data, use built-in classification rules to detect sensitive info types.
  3. Review the classification results, analyze scan outcomes to see what sensitive data was detected in OneDrive.
  4. Define and publish sensitivity labels
  5. Create & apply label policies (you can also use Auto-labelling)