Please enjoy this blog post authored by Ben Hubble, Records Management & Legal Tech Ops Legal Dept, The Wendy’s Company
Before you have your M365 environment retaining and deleting data like a well-oiled machine, there are a few things to do first. Step one, find out what type of M365 license your organization has. This is vital because only the E5 license will give you all the tools needed to create the data management settings discussed below.
Some functionality might be available in an E3 license, depending on what a la carte items might have been added on. Find your licensing liaison and make sure you have access to MS Purview (fka MS Information Protection), where all the data management capabilities of M365 are housed.
The next step is to make sure you have been provisioned with the requisite access. For this, find your organization’s M365 global admin and make sure your M365 ID has the admin credentials necessary to not only access MS Purview but to use it as well. M365 roles vary by organization, so finding the right person is critical.
The last step before getting started is to identify what data in M365 you want to govern and make sure your organization has defined how long each data type is to be kept. This is usually done as part of a retention schedule. If you do not have a retention schedule, now is the time to establish one before you start auto-deleting data. Two tips for creating, or updating, a retention schedule – 1) focus on the highest priority business functions and information types that require more formal management (e.g., contracts, financial statements, personnel records, compliance documentation) and 2) try to organize the schedule into big buckets. You do not want a different retention period for every data type, the simpler it is the easier implementation will be.
Alright, now that you have the license, admin rights, & a retention schedule in hand, you are ready to rock! As mentioned, MS Purview is where you want to navigate to to start creating data management settings to retain data, delete data, or retain and delete data. These retention settings come in two forms – policies and labels. Retention policies are used to govern the same setting for all content (e.g., an Exchange mailbox or a SharePoint site) whereas a retention label is used to govern settings at the item level (e.g., a folder, a document, or an email).
Both policies and labels can be applied to Exchange email, SharePoint, OneDrive, and M365 Groups. However, only policies can be used to manage Teams data. Labels do not work in Teams (as of this time, with any cloud-based software, features and functionality is always changing). Using your retention schedule, create policies to govern your various containers of data and labels to govern more of the individual content. Once the policies and labels are created, they are published and can be made available to end users and/or applied automatically to your M365 environment.
While this is a high-level overview of the process and its capabilities, and I encourage you to further explore the topic before proceeding (especially via MS help section – learn.microsoft.com), there are a few things you should be aware of. First, items stored in a container that has a retention policy applied to it will inherit the container’s retention policy. If the item is moved outside of the container, a copy will be maintained by that container (in its secured location, which varies by application). Note that the retention policy does not travel with the item to its new container, for that you would want to use a retention label. Second, only one label can be applied to an item at a time, but a policy can be used in combination with a label to complement each other. The best example of this is when data needs to be preserved for a legal hold. As you all know, hopefully, the number one rule of retention is that a legal hold ALWAYS trumps retention!
Say you have data on a OneDrive site that is subject to a legal hold and have implemented a policy that keeps OneDrive items for five years and then deletes them. You could move the data relevant to the hold into one folder within the OneDrive site and apply an indefinite retention label to that folder. Once the hold is lifted, remove the label and the five-year policy will delete anything that is eligible, bringing the site back into compliance with your retention schedule. The third item to be aware of is the “Principles of Retention.”
This is the order in which various settings take precedence over others when being applied to the same data: 1) Retention over deletion (if there is a retention policy and a deletion policy , retention wins), 2) longest retention wins, 3) explicit deletion over implicit deletion (if the setting explicitly deletes the data, like a label, it will win over a setting that implies deletion, such as inherited via a policy), and 4) shortest deletion wins. Finally, be aware of the logistics of how retention policies and labels work and bake it into your process. Data that is auto deleted is not recoverable. Depending on your global M365 environment settings, it may be recoverable for a short period of time, but typically no longer than 15 days. On the other hand, it can take up to seven days for a retention label or policy to be applied to the relevant data. It usually happens much faster, but you should plan for worst case scenario.
Again, this is an introduction to the capabilities available to you. Use it as a starting point and do your homework before jumping in and auto deleting all your boss’ mail! I can be reached at email@example.com with any questions.