An important M365 design decision is to determine if all information should have a lifecycle, not just records. Research by the Compliance Governance & Oversight Council found that in average, 25% of information has business value, 5% is subject to regulatory record keeping requirements, 2% is subject to legal hold, and 68% is redundant, outdated, and trivial (ROT). Applying retention for non-business and regulatory records will reduce your ROT, which will reduce search results clutter, reduce storage requirements, and reduce your eDiscovery or FOIA costs. Information Governance is therefore the first and important step i the EDRM reference model for effective search, investigations, and eDiscovery.
Before implementing retention for ROT and non-records in M365, you need to ensure that you have a good way to classify and manage records.
Retention for Records
At Infotechtion, we often help clients to modernize their retention requirements into big-bucket retention categories for making it easier for people and machines to select the right retention. Below are two ways - manual and automatic - to do this in M365 for collaborative spaces.
For static and archived sites, we often automate the identification and classification of records.
To learn more about Microsoft Records Management, check out this blog post.
Retention for Non-Records
Some M365 users end up storing important business information in Outlook and OneDrive for Business. If the business consider email and OneDrive personal spaces that the employer can´t access, then this means business information will be lost when the employee leaves the organization. Opening up access to personal spaces to line managers for a specific time period after employees leaves will not fix the issue since line managers are too busy to manually review personal spaces for corporate information. Storing the personal spaces forever after employees leaves will also not work since this usually creates a GDPR problem.
The best approach is often to add retention for personal spaces and educate employees about the importance of storing business information in corporate spaces like SharePoint Online sites or group emails. The key is to get business information out of personal spaces into corporate spaces. Applying retention for personal spaces will provide users with an incentive to store long-term information in long-term corporate spaces.
If you do not have retention enabled for personal spaces and non-records, then we recommend to start with a 3-year retention policy. Once this has matured, then reduce it even more.
The benefits of implementing this:
Get rid of redundant, outdated, and trivial information (ROT)
Reduce storage requirements
Reduce search results clutter
Reduce eDiscovery and FOIA costs
Provide users with an incentive to store long-term information in long-term corporate spaces
Please remember to provide users with 3-6 months warning before implementing non-records retention. This gives users time to clean-up their personal spaces and to move business information over to corporate spaces.
M365 also has compliance features to automatically detect sensitive information stored outside dedicated corporate spaces, e.g., HR sites. This can not only warn or stop users from sending or saving sensitive information like social security numbers, credit card numbers, resumes, etc, but also auto-apply retention and deletion for pre-existing and new sensitive information found in Exchange, SharePoint, and OneDrive for Business. You have machine learning and 200+ out-of-the-box templates available to identify sensitive information - and then auto-apply retention, e.g, auto-delete resumes found outside dedicated HR sites after 6 months.
Feel free to contact us if you need help establishing retention for both records and non-records.