In today’s episode of #O365 Hours, we’re joined by Microsoft 365 and Compliance Consultant Joanne Klein to discuss a few important principles of retention within M365. Watch our discussion below or read the full transcript at your convenience!
Guest: Joanne Klein, Office Apps and Services MVP (read her blog here)
- What does records retention look like in Microsoft 365, and why is it important to your overall governance strategy?
- People always want to know where to get started. What are all of the things you need to understand before you even get started with retention?
- Why is it so important to understand the principles of retention?
CB: Hello and welcome to another Office 365 Hours. My name is Christian Buckley. I’m the Microsoft go-to-market director at AvePoint and a Microsoft MVP and Regional Director. And I’m joined today by Joanne Klein, a fellow Office Apps and Services MVP who’s also an independent consultant and the founder of NexNovus and an expert in compliance and information architecture. Good morning, Joanne.
JK: Good morning Christian. Thanks for having me on the show today. It’s great to be here as always.
CB: Like your setup there. I can see myself on your screen. It’s a nice feature to have.
Well, today we’re discussing the topic of the Microsoft 365 principles of retention. So, you know, compliance of retention and the life cycle of content, of course, is a very popular topic, and a lot of people have questions about that. You’ve been writing a lot on the topic lately. So I’ve been following your series, and you’ve been walking your readers through key retention scenarios. But why don’t we start our discussion here with the basics? So what does records retention look like inside of Microsoft 365? And why is it important to your overall governance strategy?
JK: A great question, and really where most organizations need to start when they get into this space. It’s a way an organization can meet its compliance obligations. They could be in regulatory, legal governance; what kind of business requirements do you have in those spaces? What are those rules, policies, guidelines, and how are you going to be compliant with?
So that’s an overarching 5,000-foot view of what it is. And then, you know, pretty soon you’ve got to dig into the details and see, okay, how are we going to implement this on Microsoft 365? And that’s where my blog series talking about the principles of retention comes in. It’s perhaps a dry and boring subject, but uber important because it, in fact, is what makes you compliant. It will guarantee you’re keeping a piece of content for as long as you say you should and deleting it as soon as you are supposed to. So, you know, sounds pretty simple, but once you get into the weeds, it can get complicated pretty fast.
CB: You know, it’s an important lesson I learned actually back before my tech career. At the end of my teen years, I became a runner for a law firm. And so I learned the importance of running through some scenarios in our law firm where we had not properly retained some important documents. And so I kind of took that over, got into tech and learned about that, and became very sensitive to and aware of what the lifecycle is. And equally important to making sure important documents are there when they’ve exceeded that lifecycle was making sure that they are destroyed in this case for the law firm on time. It would actually become a compliance issue to still have the records after that period.
JK: Yes, and I mean, people in the compliance space understand that, but you know, information workers at large across your organization, a lot of them don’t know that. They’re used to hoarding content maybe on their local machine or on a network drive. And even in SharePoint and OneDrive, unless you have some retention controls forever, you know, nope, no harm keeping it forever, but in fact, it can be harmful if you keep the wrong kinds of content forever. That’s not to also say it can cause a problem with, you know, searching and finding content. But if we’re looking just at it from a compliance perspective, it can be a problem if you don’t get rid of some content when you’re supposed to.
CB: Right. It’s especially, again, part of that search experience, not just bloating up the search experience, but then you have problems potentially with then the multiple versions that are there and it can be confusing, and people are using the wrong version, those things. So it’s part of that cleaning process, maybe that’s the next, that’s a great next place to go, ’cause people are always asking that question of like, where do I get started? So what are all the things that people need to understand even before they get started with their formal retention policies?
JK: Yeah. That’s a great question. And I call these the essentials of digging in and understanding this, and this can be a number of teams depending on the size of your organization, typically, and the industry and how regulated you are. Information management, records management, risk, compliance teams, as well as, if you have IT teams helping with the configuration of these, it helps for everybody to have a meeting of the minds on some things, even before you get down to the principles of retention.
So I always like to start with the naming of things is important and causes confusion. If you’re not familiar with it and I’ll use the word retention policy. In fact, a retention policy doesn’t have to retain at all. It can actually be configured to just delete something after a period of time, but it’s still called a retention policy.
So getting a base level understanding of what things are called inside Microsoft 365 and what that means and what the options are. So that’s thing one I always talk about. And usually there’s some eyes that open on, oh, I didn’t realize you could have a retention policy that was only configured to delete things after two years. Often what I see on Teams chat messages, by the way, a retention policy to do that. And the next is understanding what the differences in capabilities are between a retention policy, something you publish at a container level, like a OneDrive site or a SharePoint site, or an Exchange mailbox, versus a retention label, which is something that aligns usually with an organization file plan or retention schedule. It’s those more targeted retention scenarios to identify those key critical business records in your organization: contracts, invoices, that kind of thing.
So they can be applied at a very granular item level. So at an email at a file document inside SharePoint. So understanding the interplay of those two and knowing that they can both a retention policy and a retention label be published to the same location, meaning an item has now two different retention mechanisms in effect for it, which is where the principles of retention come into play. How long are we going to keep retaining and/or deleting that piece of content? And then there are different kinds of retention labels. Once you get into that many ways to apply a retention label can always be done manually. Not that scalable, not the first choice for most organizations, it can be defaulted or there’s a myriad of ways you can auto-apply it, you know based on a number of conditions to set it automatically and then scoping your retention policy and label policy is another layer that you need to understand.
Are you manually putting in all the sites that our retention policies apply to? Does it apply to everything? Are you excluding some sites? This is where the new capability from Microsoft that’s currently in private preview on adaptive policies comes into play. It’s doing it on an attribute-based model, which is more scalable. You don’t have to have specific inclusions and exclusions. So those are five things I just talked about. It’s absolutely essential to have a solid understanding of those two at least at a base level before getting into the principles of retention. So there’s a lot there.
CB: Right, there’s a lot there, and I know that a great place for organizations to start and start thinking about it. Yeah. What are some of the gaps that you see when you talk with clients? I mean, are there, are there aspects of that, that, that they really haven’t been thinking about that you see again and again, do you see patterns?
JK: Yeah, I will say as you know, in Microsoft 365, things change fast, lots of different collaboration options for users and where I see a lot of organizations struggling is trying to determine where are our business records stored? It’s, you know, traditionally kind of in the legacy world, they were mostly in email. So now we’ve also got records stored in SharePoint, in OneDrive. What about Teams chats and channel conversations? Are you making a business decision in there that wouldn’t be considered a business record? I had somebody ask just last week to pull the results from a Teams event meeting; that’s a business record. If you’re making a business decision based on the results of a poll, for instance, you need to somehow be able to maybe export that and capture it and mark it as a record. So the world of compliance and records management is getting more complicated by the day, simply because of the environment that we’re living in inside Microsoft 365.
CB: Yeah. That’s my experience as well. But yeah, I think you nailed it talk and I was going to bring up you and mentioned it earlier about the chats and the threaded conversations that are happening that side of it, even video, to some extent, these are all information assets, you can’t go off of your 15, 20 years ago view of information architecture and management of these contents that you have those. And I mean, Microsoft is increasingly talking about over in the Viva world and with Dynamics 365 about the flow of work, and the fact that you now have this other line of business applications that are seamlessly being added into those conversations, which then makes it even more complex, which means that your strategy needs to encompass all of these other systems and components.
JK: Yes. I’ve worked with some fairly large regulatory bodies and they are all going through an analysis of their current regulation as it’s written. And trying to, my word not theirs, modernize it for the modern digital workplace because organizations have to comply with their regulation. Many of these regulations were written in, sorry to say, a simpler time in a simpler world where you really only had to worry about conversations inside an Exchange mailbox.
Well, that’s no longer the case. So, you know, what, how are we going to word these regulations such that companies needed to comply could actually be compliant with them. So it’s a bit of a partnership going on and regulatory bodies realize that we’re living in a different time now. So they’re trying to kind of be in lockstep with and of course they have to be technology agnostic, but because my focus is on Microsoft tooling, I’m always looking to see how we can kind of work together on being compliant, basically.
CB: Well, we’ll talk to you about the changes, the evolution of the technology. Both of us come from the SharePoint world, that side of things, that perspective when I kind of got involved with SharePoint back in 2005 and the time I was at Microsoft and even, you know, for a few years there, one of the major focuses of compliance and retention was moving paper documents into the digital realm and that side of it, and making sure that it was an easier process. Hopefully there aren’t as many paper and digital versions of the same things and trying to essentially track and manage two separate systems. I’m sure there are still a lot of larger organizations that have. Yeah. And so having almost separate policies for each of those and then moving that over to the digital world, but, you know, I mean, how much of that are you still seeing?
JK: Oh, there’s still, don’t kid yourself. There is still a lot of paper out there. You know, organizations see the problem with that model. And I think maybe tackling those big very critical business processes that might still have paper involved in them get those digitized, you know, and SharePoint Syntex comes into mind on how we can incorporate this legacy paper-based process we once used to have and make it digital. And, you know, Syntex thankfully is bringing in some of those protection and retention controls because you can apply a sensitivity label and a retention label at a Syntex model. But it’s, you know, that is a critical business process. You’re not going to deploy SharePoint Syntex likely across every library in your environment, for sure. But it is kind of a good use case for that. I was going to say records managers that are a very well-established knowledge domain.
They’ve been around for a very long time. They are themselves going through a bit of a metamorphosis, I would say in moving from just focusing mostly on the compliance and risk aspect to realizing they need to move beyond that. And they need to work with the business to help digitize some of those paper-based processes that have, you know, plagued organizations for decades. And how can we get that into the modern world and still kind of bring that under the records management fold.
So, I think their world is changing as well. They have to because what they once used to do that was acceptable or worked in the paper-based world just simply will not work now. And we need information workers to be on board and to be you know, good corporate citizens when it comes to helping be compliant in the organization, it’s somehow seemed easier in the paper-based world.
CB: It’s certainly within where it fits in the organization, a very reactive part of the organization, meaning that information workers out there are creating asset artifacts. And it was a secondary process that we’ll handoff and they’ll do whatever they need to do compliance standpoint. And so that’s one of the major shifts in the way that we’re looking at this at compliance and records management, is that it should be in because the reality is that the more processes that you put in front of people, the more steps that they have to complete to get the work done, the less likely they are to adopt.
The idea there is that you fit these important processes, the tooling, and steps into the natural way people work so that it becomes less of an effort. And yet we could stay on top of all these things. It needs to be recorded. Management needs to be at the forefront of that creation that from the provisioning of a site to the creation of the artifacts, you can do it in a controlled way that becomes effortless or invisible other than the action of saving something. And it’s requiring a naming convention. And it’s asking me for a couple of attributes or things to implement as a user. But the rest of it is all based on where I save it. It automatically applies labels and certain areas, certain permissions, it’s doing that in an automated fashion.
So, again, it doesn’t happen out of the box. Organizations need to think it through, and it’s an ongoing thing. That’s what governance is. It’s ongoing, it’s a conversation that needs to happen. And as we see within this space, there’s so much activity that’s happening in this space and VPs that are being hired by Microsoft. I know you work with Microsoft a lot and provide guidance and feedback from customer experience as well, but there’s a lot of thinking that’s happening about incorporating all of this into that flow of work.
JK: Very much so. I can’t stress enough how important it is and how complex it can be. Don’t kid yourself, this is not something where you can put your heads together and solve in the next couple of months. It’s an ongoing endeavor and requires an extraordinary amount of thoughtful planning on how you are going to roll out these capabilities. Automation is your friend in this space. Although it’s important for information workers to understand how to be compliant, they’re still not records managers at the end of the day. They need to get their job done and it has nothing to do with records management.
So that’s where these automation capabilities come into play. What kind of controls are we going to interject into that provisioning solution to help? So default your end users to doing the right thing. It’s easier said than done, but you just have to be aware of all of these things available to you, which are licensed to help you along the way.
CB: I know you’ve kind of already answered a good portion of my last question about why it’s important to understand the principles of retention. So is there anything you would add to that, or why it’s important?
JK: Well, it, at the end of the day, it’s important to understand them. So you can have an, I would say an authoritative understanding of them. You can confidently project when a piece of content is going to be permanently deleted. And the reason that’s important is to be compliant with the obligations that you have as an organization; regulatory, legal, et cetera. So that’s why it’s critical. You can of course test this in a demo environment or a test SharePoint site which is basically what my six-part blog series was doing.
I set up sites with all of the different scenarios to test it end to end. That’s a great idea. It tests out your theory. I mean, you do shorter retention periods of course. But it’s also a great learning opportunity. For some of these things, it’s best if you can see it from end to end with your own eyes. So, you know, because if you get audited, there’s a compliance audit, let’s say you need to be able to be confident that yes, we got rid of that after two years. We don’t have it. And if you do any discovery, in fact, you don’t want to find it. So yeah, that’s why it’s important to my recommendations for understanding it better.
CB: Well, it’s a lot for any customer that’s out there. They can go. And Microsoft provides you the demo environments to be able to go and build that have all the various profiles. So you can test out these things without touching your production system. I know that’s always a concern yeah. Or just go and pay for and have a permanent dedicated you’re just for demo to experiment, have another tech that’s out there that’s separate from your environment, but yeah, that’s a good practice in general.
JK: It is for sure. And for education as well as just making sure you’re about to do the right thing because you can affect a lot of content with some of these policies. You can imagine, particularly if they have a deletion component to them.
CB: Well, I know there’s a lot, there’s a lot more, we could go in and talk about you know, in dig details, but I think this is a great overview for people to get started with. And so I want to thank you once again, Joanne, for joining me. Bye, everyone.