Retention Policies in Office 365
Updated: Nov 22
Data is intangible and can be easily lost. There are many reasons data loss can occur, from simple mis-clicks to sinister network breaches.
Organizations are increasingly facing the issues of data volume and data complexity. This includes data like emails, documents, messages, and more.
What is a retention policy?
Due to the issues of managing high data volume, ensuring data retention is critical for organizations. To make sure that there is organizational data retention, a Office 365 retention policy must be implemented to protect important information from being lost. Retention policies enable organizations to:
Decide proactively whether to retain content, delete content, or retain and then delete the content when needed.
Apply a policy to all content or just content meeting certain conditions, such as items with specific keywords or specific types of sensitive information.
Apply a single policy to the entire organization or specific locations or users.
When data is subject to a retention policy, people can continue to edit and work with the data because the content is retained in place in its original location. The retention policy ensures the content is managed in the background until the timeframe for action has been reached. For example, if an organization has a retention policy for “destroy after 7 years,” this means the content will remain in place and accessible until the 7-year timeframe is reached. At this point the retention action will be taken, and in this case, the data will be destroyed.
An Office 365 retention policy will help you achieve all your data retention goals. Managing content commonly requires two actions:
Retaining content so that it can’t be permanently deleted before the end of the retention period.
Deleting content permanently at the end of the retention period.
Without a robust backup solution, companies expose themselves to a multitude of risks. These include having their data held hostage by ransomware, being noncompliant with industry data retention regulations, and receiving hefty fines as a result of new GDPR laws protecting European citizen data.
Why Do We Need Office 365 Data Retention?
Each organization can have several reasons that will require them to retain certain data for a specific time. Whether it be emails, documents, contracts, etc., data retention is often a tricky subject. There can be many discrepancies in retaining different data, for how long, and what to do with it after the retention period has passed.
Let’s take a look at financial records, for example. You can be obliged by the government to keep all financial records for five years. So, you need to keep all your client contracts, data, and other financial records, as well as all the receipts for office supplies, papers, coffee, etc. We can all agree that you won’t treat all those files the same way, nor give access to them to anyone. You’d want to define a rule to delete all those office supply receipts automatically after the retention period has passed. Also, you’d want to archive all the contracts with critical financial data and define who has access to those documents.
As you have already noticed, data retention sums up to only two actions:
Using these two actions, we can configure retention settings for the following scenarios:
Retain-only : Retain content forever or for a specified period.
Delete-only : Permanently delete content after a specified period.
Retain and then delete : Retain the content for a specified period and then permanently delete it.
The Principles of Retention
In everyday use in your organization, you are most likely to have multiple retention policies in place. In most cases, the same content will have several policies applied simultaneously. Each of those policies can have different retention actions and different retention periods. Don’t worry; things are straightforward with Microsoft’s retention principles. They allow us to determine which policies take precedence over others without worrying about one policy setting overwriting the others.
Office 365 Retention Policies and Retention Labels
Using retention policies and retention labels with retention policies, you can assign your retention settings to your content. You can use just one of these methods or combine them.
We can use a retention policy to assign the same retention settings at a site or mailbox level. To assign retention settings at an item level (folder, email, document), we should use a retention label.
For example, if all emails in the mailbox should be retained for seven years, it is easier to use a retention policy on the entire mailbox than to apply the same retention label on all the emails. But in case we want to keep some of the emails for three years and some for five, then we need to apply retention labels at the item level.
Suppose you move your content to a different location within your M365 tenant. In that case, retention labels will migrate with the content, unlike retention policies that are bounded to content containers and apply only to the content within.
Retention labels have the following capabilities that retention policies do not:
Start the retention period based on the content labelling date, an event date, age of the content, or modification date.
Use trainable classifiers to identify content to label.
Apply a default label for SharePoint documents.
Support disposition review for the content before it is permanently deleted.
Mark the content as a record in the label settings to prove disposition when content is deleted.
Retention policies can be used at the container level and can be applied to services such as:
Microsoft 365 Groups
Skype for Business
Exchange public folder
Teams channel messages
Yammer private messages
The same policy can be applied to multiple locations or a specific set of locations or users. Items located in one of those containers inherit retention settings from their containers specified in the retention policy. If we move an item outside of the container with a retention policy, a copy of that item is retained in the workload’s secured location. It is important to remember that when an item is moved to a new location, retention settings do not travel with it. If you need that, you should use retention labels.