Google have a detailed guide here

We've created a simpler guide with some recommendations below:

1- Navigate to admin.google.com

2- Navigate to Apps > Google Workspace > Gmail

3- Select Compliance from the Options:

Scroll down to 'Compliance'.
If the status is Not configured yet, point to the setting and click Configure.
If the status is Locally applied or Inherited, click Add another rule.

4- At the top of the page, enter a short description, e.g. Block the sharing of personal data



5- In the Email messages to affect section, tick Outbound.

6- In the Expressions section, click Add (add as many expressions as needed):
From the list, select Predefined content match.
From the list, select the relevant predefined detector.
For example, if you want to scan outbound messages for content that includes national insurance numbers, select United Kingdom - National Insurance Number.
(Optional) Set the following options:
Minimum number of matches: we suggest 1 or 2
Confidence threshold: we suggest Medium
Click Save

7- Choose whether you want to modify, reject, or quarantine the message. We suggest Reject, with a rejection notice added so that the user sending the email gets a message.


8- Now add some users who will bypass this setting by clicking the blue 'Show options' link.

9- Tick Use address lists to bypass or control application of this setting and select Bypass this setting for specific addresses / domains:
Choose to create a list of addresses or use an existing list, and add all Office admin users to the list.
Under Account types to affect, select Users.
Click Save (bottom right).


Now that the rule has been created, select which OUs from your OU list to enable the rule for. We suggest all OUs.
You'll see the rule is now applied under the 'Content compliance' section of the Compliance page.
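
To estimate which messages the rule would reject before enabling it for every OU, the following added example (not part of the original guide and not Google's code) models the rule's decision from steps 5 to 9 locally. The regex follows the published National Insurance Number format and is an assumption standing in for Google's predefined detector; the confidence threshold is not modelled, and all addresses and numbers are constructed.

```python
import re

# NINO shape: two prefix letters, six digits, suffix A-D. Assumption: this
# regex stands in for Google's predefined detector, whose logic is not public.
NINO_RE = re.compile(
    r"\b(?!BG|GB|KN|NK|NT|TN|ZZ)"            # prefixes that are never issued
    r"[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]"   # D F I Q U V excluded; O not second
    r"\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b",
    re.IGNORECASE,
)

def count_ninos(text):
    """Count NINO-shaped strings (every occurrence counts, an assumption)."""
    return sum(1 for _ in NINO_RE.finditer(text))

def evaluate(message, bypass, min_matches=1):
    """Return the action the rule from steps 5-9 would take on one message."""
    if message["direction"] != "outbound":        # step 5: Outbound only
        return "deliver"
    if message["sender"].lower() in bypass:       # step 9: bypass address list
        return "deliver"
    hits = count_ninos(message["subject"] + "\n" + message["body"])
    # Steps 6-7: reject once the minimum number of matches is reached.
    return "reject" if hits >= min_matches else "deliver"

# Constructed sample data: addresses and numbers are made up.
BYPASS = {"office.admin@example.com"}
SAMPLES = [
    {"direction": "outbound", "sender": "staff@example.com",
     "subject": "Payroll query", "body": "Her NI number is AB 12 34 56 C."},
    {"direction": "outbound", "sender": "office.admin@example.com",
     "subject": "HMRC return", "body": "AB123456C and CE654321A"},
    {"direction": "inbound", "sender": "parent@example.org",
     "subject": "Form", "body": "My number is AB123456C"},
    {"direction": "outbound", "sender": "staff@example.com",
     "subject": "Order ref GB123456A", "body": "No personal data here."},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["sender"], "|", msg["subject"], "->", evaluate(msg, BYPASS))
```

Raising `min_matches` to 2 lets the first sample through, which shows the trade-off behind the suggested setting of 1 or 2.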