O365 Data Governance and Retention: A Measured Approach

Based on the numbers shared at the SharePoint Virtual Summit in May 2017, the amount of data inside O365 is growing at a staggering rate (a 300% increase in the content stored in SharePoint over the past year). Information Management teams in heavily regulated organizations are looking at these numbers with growing concern. Although implementing retention and protection for content across all O365 services can seem daunting, there is a measured approach you can take to start down the path to success.

Remember… starting is way better than standing still. 🙂

The following is my measured approach to get started. Each organization will differ according to their own regulatory and compliance requirements; however, I believe they will all primarily follow the same steps.

The typical teams involved in the process:

  • Information Management (IM) Team – responsible for defining the retention schedule and the classifications. The retention schedule typically includes security, retention and handling controls (can it be shared externally? when should it be destroyed? can it be destroyed at all?).
  • Information Technology (IT) Team – responsible for understanding and configuring the Security & Compliance features in O365.
  • Change Management (CM) Team – communicates the change to the organization based on its impact on the end-user. They provide the business value and the “What’s in it for me?” answers.

Step 1: Define Classifications

Who: IM Team

What: Define your corporate Information Classifications (Retention) and Protection Classifications (AIP). Use your corporate retention schedule as the starting point; if you don’t have one, now is the time to create one! Keep the classifications simple, yet detailed enough to meet the protection and retention requirements for the digital assets in your organization. This task is far more difficult and time-consuming than it appears, and getting it wrong causes end-users a lot of confusion and frustration (and rogue IT).

Microsoft provides recommendations for AIP labels based on numerous customer engagements they’ve had to accommodate both the data protection aspect and the end-user experience. Look at them to see if they will work for your organization. I’ve blogged about these recommendations here: AIP Labels: Keep it Simple (or KISS)

Microsoft also provides a wizard in the Security & Compliance center to create labels for transitory, work in progress, and Business records for differing retention periods. Although this may not be detailed enough or suit your organization, it is a good place to start.

Step 2: What information do you want to protect?

Who: IM Team

What: Except in the smallest of environments, you likely won’t be able to tackle all the content in your organization at once, for two reasons: first, the impact on your end-users would likely be too significant, and second, the content may be too diverse and varied to confidently define classifications that address it all. Therefore, you must identify the information you absolutely need to protect. This information is sometimes referred to as a “High Value Asset” because it can have a disproportionate impact on the profitability of your organization if it gets into the wrong hands. If you can’t do all the content, the high value assets are a very good place to start; this is the “crawl, walk, run” measured approach I recommend. Some examples of high value assets: trade secret content, proprietary content, board material, legal matters.

Step 3: Map Classifications to O365 Capabilities

Who: IM and IT Teams

What: Map the classifications defined in Step 1, for the information you chose to protect in Step 2, to the current O365 capabilities.

Example: If you have special retention requirements for Board Material, how will you ensure this is applied?

  • Will you have Board Material isolated in its own site collection? web? library?
  • Will you use a label or will you define the retention as a global over-arching policy for all content on a Board Site Collection?
  • If you choose to use a label, will the Board Material be manually labeled? Will it be automatically labeled?
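To make the Board Material questions above concrete, here is an added example (my illustration for this post, not Microsoft’s documentation or a script from the original article) expressed as Security & Compliance Center PowerShell. It shows the three answers side by side: a retention label published to the Board site for manual labeling, a site-wide retention policy that needs no label, and an auto-apply rule driven by a content query. The tenant and site URLs, the label name, the 10-year period and the KQL query are all assumptions; in practice you would pick Option A or B (with C as a variant of A), not run all three.

```powershell
# Added illustration for Step 3 (not from the original post).
# Assumptions: contoso tenant, a dedicated Board site collection, 10-year retention,
# and the ExchangeOnlineManagement module for Connect-IPPSSession.
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

$boardSite = "https://contoso.sharepoint.com/sites/board"   # assumed site collection

# --- Option A: a retention label, published only to the Board site, applied manually ---
# RetentionAction Keep + RetentionType CreationAgeInDays: retain 10 years from creation,
# then take no action. Destruction stays a deliberate IM-team decision, not an automatic one.
New-ComplianceTag -Name "Board Material" `
    -Comment "Board packs, minutes and resolutions (assumed label)" `
    -RetentionAction Keep `
    -RetentionType CreationAgeInDays `
    -RetentionDuration 3650

# Scope the label policy to the Board site collection so the label never shows up elsewhere.
New-RetentionCompliancePolicy -Name "Publish Board Material label" `
    -SharePointLocation $boardSite

New-RetentionComplianceRule -Name "Board Material - publish" `
    -Policy "Publish Board Material label" `
    -PublishComplianceTag "Board Material"

# --- Option B: one over-arching retention policy for everything in the Board site ---
# No label and no end-user action: every item in the site collection is retained
# for 10 years from creation, whether or not anyone classifies it.
New-RetentionCompliancePolicy -Name "Board site retention" `
    -SharePointLocation $boardSite

New-RetentionComplianceRule -Name "Board site - keep 10 years" `
    -Policy "Board site retention" `
    -RetentionComplianceAction Keep `
    -ExpirationDateOption CreationAgeInDays `
    -RetentionDuration 3650

# --- Option C (variant of A): auto-apply the label by content query ---
# ContentMatchQuery is an assumed KQL query. Pilot this on a small scope first:
# a poor query labels the wrong content silently, which is exactly the Step 4 problem.
New-RetentionCompliancePolicy -Name "Auto-label Board Material" `
    -SharePointLocation $boardSite

New-RetentionComplianceRule -Name "Board Material - auto" `
    -Policy "Auto-label Board Material" `
    -ApplyComplianceTag "Board Material" `
    -ContentMatchQuery '"Board of Directors" AND (minutes OR resolution)'

# Check what was created and whether it has distributed to the location before
# handing the plan to Change Management in Step 5.
Get-ComplianceTag -Identity "Board Material" |
    Format-List Name, RetentionAction, RetentionDuration, RetentionType

Get-RetentionCompliancePolicy -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus
```

The choice between A and B is the one the bullets above are really asking: a site-wide policy (B) guarantees coverage with zero end-user effort but cannot distinguish a board pack from a lunch menu stored in the same site, while a label (A or C) carries the classification with the item and can be reported on, at the cost of relying on people or on a query to apply it.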


Step 4: Adjust the Plan (Unless of course you get it right the first time) 😉

Who: IM and IT Teams

What: Adjust the plan if it isn’t mapping to the current feature set (while staying within regulatory requirements).

  • Perhaps your Information Management team will discover they cannot translate their entire Retention schedule into the capabilities currently available in the Security & Compliance Center in O365. How will you address this gap? Will you wait for more robust capabilities to be introduced? Will you look to a third-party solution? Will you write custom code to deliver the requirement? Will you simplify the retention schedule?
  • Perhaps in testing you discover that auto-application of protection (either AIP or Retention) isn’t working quite as you expected. Maybe you have an AIP policy applied to prevent external sharing of documents that contain customer information. If end-users report false positives on the rule, you will need to adjust it. This is why it is so important to test your rules first, or at the very least to configure the conditions as recommendations rather than automatic actions (the label is suggested and the end-user can override it), so you can measure the accuracy of your rules before enforcing them.


Step 5: Communicate to End Users

Who: CM Team

What: Once you’re reasonably confident you have well-defined policies, you need to communicate the classifications for both Information Classification (Retention) and Protection Classification (AIP) to the end-users. Due to the potential end-user impact, I recommend this task be done by the Change Management team in your organization.

  • How end-users react to the new world of classifications is where the “rubber hits the road” and, if it is not done successfully, also where things start to fall apart. Unless your end-users understand the classification system and can use it without significant impact on their work processes, the grand plan your IM team has for classification and protection in your organization may unravel. What we don’t want is unsanctioned IT services being used to accomplish tasks an end-user would otherwise have done in O365. Therefore, it is very important to keep things as simple as the requirements will allow and to automate what you can.



Step 6: Repeat

Who: All

What: Remember the measured approach of “Crawl, Walk, Run” we talked about back in Step 2? We want to move beyond the High Value Assets in our organizations and start working with other types of content requiring protection across O365. This is why we iteratively repeat this process: to cover more information assets and to take advantage of any new capabilities introduced in the O365 Security & Compliance Center since the last pass. The IM and IT teams should keep an eye on these features and decide which ones will benefit your organization.

Well there you have it – my measured approach to tackling this “bear of a problem”. With more organizations moving to Office 365 and the dramatic increase in content being stored there, this is something many of us will be involved in to help set organizations up for “regulatory and compliance” success. How is your organization approaching this? I’d love to hear!

Thanks for reading!