Records Management in SharePoint Online - Planning
Updated: Sep 6, 2020
The records management capabilities of SharePoint Online with record labels has now become mature enough to meet the records management requirements of most large enterprises. Let me give you two examples:
One of our global clients operating in a highly regulated industry with almost 40,000 users assessed several of the leading content management systems for the best approach to manage documents and records in M365 and beyond. M365 E5 Information Protection & Governance was the clear winner as it was native and the most integrated of all the solutions. This allows for “compliance by design” to embed compliance into the Microsoft cloud platform. Users continue to work with information (e.g. tag a file as an NDA, business workflows), and the M365 E5 Information Protection & Governance provides compliance by applying the right retention and disposition automatically. This automates records management with SharePoint Online and record labels.
Another global client highly with over 80,000 users has already come to this conclusion. M365 is the new corporate content and records management system. They have now replaced both OpenText and HP with M365 – which has improved access and significantly reduced their operating costs. As an example, the annual cost of a leading content management system for 2,000 staff often costs more than M365 E5 Information Protection & Governance for 20,000 staff.
Records management in SharePoint Online rely on retention labels to create record labels, but this requires now the M365 E5 or E5 Information Protection & Governance add-on license. Once a record label has been applied, the record can´t be changed or deleted, but metadata can be changed over the record lifecycle to accommodate new record owners, security classification, etc. A retention label can be applied manually by users, automatically when storing files in libraries with a default label, or automatically based on keywords, metadata, and machine learning.
It is important that you plan this well before you start implementing record labels. If you just start creating record labels for your organization, you may soon regret this since record labels can´t be deleted once created, and users may get too many record labels to choose from. Below are therefore some questions for planning records management with SharePoint Online and record labels.
What are your classification requirements for records? Many enterprises will need to know the business area, country, process, security classification, etc. for records. This is then best done using metadata, not record labels. You need then a proper metadata model with master data values, and SharePoint site provisioning (e.g. using PnP) or SharePoint self-service site configuration (e.g. Site Design with Logic App) to set default metadata on sites that all documents and records inherent. Users can then manually apply record labels, or you use keywords and metadata to automatically apply record labels to automate records management in SharePoint Online.
How will users classify records? Many enterprises require users to manually apply the correct record label, but you limit their label options by only publishing relevant record labels to the specific sites (e.g. HR record labels to HR sites). Another option is to rely on metadata, - users then describe what they are working by setting document type as metadata - and change document status to final when ready - and label policies then auto-apply the correct record label. This last approach improves search while automating records management with SharePoint Online and record labels.
Do you need to ensure WORM compliance? SharePoint site owners have the right to remove a record label to correct errors, e.g. a user applied the wrong record label. If you want to remove this ability to ensure WORM compliance, then you have to set up SharePoint site provisioning for users with no local SharePoint site owner.
What are your access requirements for records? M365 users will only be able to find documents and records that they have access to, but your compliance team can use content search in the Compliance Center to find records across your M365 tenant. If some users should be able to find all records in an area, then an access group for this needs to be added during site creation. If you want to strictly control access, then you have to set up SharePoint site provisioning for users with no local SharePoint site owner.
Do you have different retention schedules for the same record types? We usually recommend to set your corporate retention schedules to meet your toughest local requirements, e.g. if financial records needs to be kept minimum 10 years in the EU, and 7 years in the US, make then 10 years your corporate retention requirement. If this is not possible, then you need to be able to publish specific record labels to specific SharePoint sites to meet local record management requirements.
Do you have a lot of event-based retention requirements? Event-based retention requires users to add unique metadata to identify the relevant records, e.g. employee number, agreement number, and triggers to be established to start the retention, e.g. employee leaving your organization, agreement has expired. Try instead to rely on date-based retention based on information lifespan to make it easier for users. If you still require event-based retention, try then to make it mandatory for for users in relevant sites to add the unique identifiers, and automate triggers from 3rd party systems.
Do you require disposition reviews? A manual review may make sense for Iron Mountain boxes, but not individual records. As an example, 10% disposition reviews of 10 mill records with each review taking 15 minutes, is 31,250 days. Do automatic disposition for records that can’t be kept permanent. If you have records that require disposition review, then set this up in the M365 Compliance Center with a process to provide this to the business.
Do you have records that are frequently replaced with new versions? Some records like Standard Operating Procedures are often replaced with newer versions, and it is important that users always find the latest version and that hyperlinks still work. Advanced Record Versioning allow users to create new versions of a record without impacting the retention of the old version - and for ensuring search and hyperlinks always takes users to the latest version.
Do you have a lot of documents in pre-existing SharePoint Online sites that should be declared as records? Many enterprises started to use M365 without setting up the required information governance. If you have a lot of documents in pre-existing SharePoint Online sites that should be declared as records, consider then the following options: A) Use new machine learning to auto-apply record labels to unclassified records; B) Use script to set default metadata on pre-existing SharePoint sites that require users to set document type and document status next time opening the record. Use this metadata to auto-apply a record label to automate records management with SharePoint Online.
Should you migrate records from existing records management solution to SharePoint Online? Migration may make it a lot easier for users to find all relevant records, and the savings from replacing legacy content management solutions will often cover the costs of the M365 E5 Information Protection & Governance add-on license. If you do, check then if you require metadata mapping from old to new system, ensure access control is optimal from old to new system, and if your migration partner can apply a record label during migration without changing the record declaration date.
How many record labels will you end up with in 5-10 years? Many retention schedules and disposition rules will often require many record labels. Exposing users to lots of record labels will be label overload. We recommend two ways to address this: A) Site provisioning that include publishing relevant labels, e.g. HR site gets only HR record labels for users to manually apply to files; B) Self-service site configuration which relay on metadata to automate records management in SharePoint Online. Users then set metadata such as HR file and document status to final for a record label to be auto-applied based on a retention policy.
Feel free to contact us if you need help setting this up for your company. You may also find the following blog posts of interest: