Blog post: 2 minute read
I’m working with the new Retention classification feature in O365 and was confused when I noticed there were 2 places in the Security and Compliance Center where a Retention policy could be created:
The first one is by going to the Classifications section of the Security & Compliance Center, adding a label and publishing it to a policy. I’ve previously blogged about this here: Label Retention across O365. The screenshot below shows a Contract Policy that has been published using this method. It includes one label, Contract, that has been published to a specific O365 Group. From here, you can add additional labels to this policy or set up conditions to auto-apply it.
The second way to create/publish a policy is by going to the Data governance section of the Security & Compliance Center, clicking Retention and clicking ‘Create‘. I’ve previously blogged about this here: Retention in O365. The new way. The screenshot below is what I see when I go to the Data governance…Retention section. It not only shows the ‘Joanne’s Preservation policy’ retention policy I’ve created in this Retention section but also the Contract Policy created via a label shown above. BOTH policies will show in this list regardless where it was created.
What’s the difference? Here’s what I’ve discovered…
To be clear, these are both retention policies that can be used to apply unified retention/deletion across O365 locations. Why would you want to create one over the other? I’ve found these differences:
- Policies created within the Classification section can be applied by an end-user thru selection of a label whereas policies created within the Data governance section are generally more global in nature and will not be shown as a label that an end-user can select. They will work silently in the background (Preservation hold library) fulfilling the policy retention/disposition rules in the location(s) its been published to.
- A label can only be associated with policies published from the Classification section.
- An end-user will only see retention classification labels in the SharePoint UI – they will not have any indication that a retention policy is in effect for one added via Data governance/Retention.
- Both types of policies can be published to Exchange email, SharePoint sites, OneDrive accounts, and Office 365 groups however a policy created in the Data governance section can also be published to Skype for Business and Exchange public folders.
I found this nuance a bit confusing when I first started working with the new Retention feature in O365 and wondered why there would be two ways of applying a retention policy. It comes down to whether or not you want the end-user to be able to see and apply a label on their content at a granular level or if you want to apply retention at a more global over-arching level. You can have both types of retention policies published to the same location and if that is the case, the principles of retention will determine which policy will be adhered to:
- Retention wins over deletion
- Longest retention period wins
- Explicit inclusion wins over implicit inclusion
- Shortest deletion period wins
Whether you define your retention policies via a classification label or directly thru a retention policy, it will require a lot of forethought and planning with your Information Management team to ensure you have all of your important data covered. It’s a big, messy job but a very important one.
Thanks for reading.