Why Don’t You Have a Retention Policy In Place Yet?Alex Fields
Most SMBs I consult with have never configured a retention policy, or indeed, they are not even aware of the retention capabilities in Microsoft 365. In general, Information Governance is one of those areas that simply does not get the attention that it deserves, especially in the small business market.
But this is not something which should be ignored. In fact, I can name three big reasons why you should care about information governance and implementing a proper retention strategy:
- You may be required to comply with laws related to certain types of information (e.g., PII, ePHI, PCI, etc.). If not today, probably someday soon.
- You may want to reduce your overall risk in the event of litigation or a security breach by permanently deleting content that you are no longer required to keep.
- By removing data that no longer serves the business, you can reduce clutter and improve search results, making it easier to find the most current and relevant information.
Therefore, every business can benefit from some basic information governance.
If you are like most of my customers, then even once you acknowledge the need for a retention strategy, you still have no idea where to start. And unfortunately, there is no simple script or best practices guidance which is universally applicable to every business; it depends on the laws and regulations to which the organization is subject, plus there may be internal considerations as well.
To begin, I suggest that you narrow down your focus to answering just one question for your organization: How long should we keep email data?
Addressing Compliance Concerns
Many businesses these days are required to preserve at least some email records. Here in the U.S., requirements vary greatly depending on your industry. For example, orgs regulated by the Financial Industry Regulatory Authority (FINRA) have to comply with many different rules and requirements, including SEC rule 17a-4(f) as well as FINRA rule 4511(c). If your business falls under this umbrella, then you may be keeping email records for up to six years!
While larger sized Enterprises can have extremely complicated compliance requirements across different business units and various record types, in the Small Business the story is quite different. In this case you may run a slight risk of “over-protecting” some record types even as you comply with the laws regulating those types which are most important. But it is not usually possible to get super granular and manage every individual piece of data in this market segment: the SMB simply does not have the resources or budget to attend to that level of detail. Therefore, we normally create a single blanket policy for the organization as a whole which matches their broadest criteria or requirement for compliance.
The legal liability angle
But even if you are not subject to specific compliance requirements by law, many organizations will choose to implement a minimum retention period anyway. If for no other reason than to gain the benefit of features like Inactive mailboxes (which will allow you to either restore or recover deleted mailboxes within the retention period), and also to limit liability in the case of a breach event or litigation.
In fact, email records are probably the number one type of electronic record that is regularly subpoenaed for litigation today. Speak with any attorney on this subject, and they will likely agree: historical email data is toxic to an organization. Not because organizations necessarily have things to hide, but simply because there is so much information in email which could potentially become damaging in a litigation scenario (plus it is more expensive to pay attorneys to pour over larger volumes of email records).
Small business owners will often say stuff to me like: “Well, I run my business 100% above board, so why wouldn’t I preserve all my information so that I can prove myself innocent in court if necessary?”
No offense to you if something like the above was your first instinct, but this is a very naïve position. Generally speaking, this isn’t how lawyers think. When you get sued, the plaintiff’s attorney is not interested in finding out if you’re one of the “good guys.” Their goal is to get money for their client. And they do not care if they have to take words out of context or twist and manipulate the facts to tell their own version of a story in order to sway a judge or a jury.
Consult with your own legal counsel, of course, but usually I find they will advise you to keep as little email data as possible (just to be clear, do not let this statement stand in for getting your own legal advice). I am just reporting from my experience the path many others have taken: after you determine how long your business is required to keep email data, then generally you will eliminate everything else.
Limitations and supplements
A retention policy is very simple; we can use it to do one or both of the following (based on date created or last modified):
- We can choose to retain information (which means it cannot be permanently deleted during the retention timeframe) and/or
- We can choose to permanently delete information after the specified time period
When it comes to email, we are usually aiming to accomplish both goals: retain items for a desired period of time (as required by law for example), and then automatically delete those items at the end of that period. This gives us assurances that any items deleted (even accidentally) can be recovered during the retention period using eDiscovery or a simple Content search. And it works in the other direction too: we have assurances that items which have passed the retention period can no longer be discovered or restored.
When you target Exchange Online mailboxes, we are talking about the power to preserve and/or delete the following mailbox items:
- Mail messages with any attachments
- Tasks when they have an end date
- Calendar items that have an end date
On the other hand, retention policies targeting mailboxes will not cover:
- Tasks that don’t have an end date
- Calendar items that don’t have an end date
- Other items stored in a mailbox, such as Skype/Teams messages (which can be targeted with their own retention policy)
In case it is not already obvious from what we have discussed thus far, a retention policy is not a backup. While recovery or eDiscovery is possible during the retention period for stuff like email messages (useful for subpoena requests or individual item restore), it would not be possible to restore an entire mailbox back to a specific point in time, for example. So be careful not to think about this as a backup. It’s not; it is for regulatory and compliance purposes only (and it enables the Inactive mailboxes feature too).
Now, for those of you who are already familiar with the “legacy” retention policies available in Exchange Server and Exchange Online (a.k.a. MRM policies), you will notice that we have a few missing capabilities here. For example, the ability to move items to archive (if you have that feature enabled). I encourage you to read this article by Tony Redmond for more details about that. Basically, you can still maintain an MRM policy to fill these gaps if your organization has those kinds of requirements, and still replace most of the older retention tags with the newer Microsoft 365 retention labels and policies. But in my experience, most small businesses aren’t really leveraging retention to begin with, so they are better off moving right to the newer retention capabilities via the Microsoft 365 compliance center.
One more note: retention policies are also similar to but different than litigation hold. In the event of litigation, you may still want to place certain mailboxes on litigation hold (or deploy a secondary policy scoped to the mailboxes of interest), even if they are already covered by a general company-wide policy. For example, if the litigation lasts for several months or even years, a policy will continue to enforce permanent deletions during that period each and every day, whereas litigation holds placed against a specific mailbox or mailboxes will override the more general policy and prevent those deletions from being processed for the duration of the hold. Therefore, the two are not mutually exclusive, and can still be used together.
Too often I see one of two scenarios in the small business space, and both of them are what I call very bad ideas:
- Ignoring email retention completely
- Implementing an infinite retention or litigation hold against all mailboxes
Both of these approaches will leave your organization open to unnecessary risk. Instead, take my advice: consult with your legal counsel and design a simple email retention policy to meet your needs. It does not take long to get this done. At the same time, you may still want to consider a third-party backup solution that sits beyond Microsoft’s retention capabilities, and even enable litigation hold when a particular situation calls for it. Hopefully this article cleared up some of the confusion I often see around these various technologies.
Now, dealing with documents and other datasets is another story for another day. But if I could ask every organization out there to solve just one piece of this larger puzzle right away, it would be this. And remember: even if there are no explicit regulations or requirements you have to meet, then you should still plan to write your own internal policy to cover general data protection and liability concerns.
For more specific guidance on creating retention policies, as well as other data protection measures that you should be considering in the small and mid-sized business space, see my Data Protection Toolkit, as well as my courses on Data Retention and Sensitivity labels in Microsoft 365.
This reminded me. I use To Do at work with my business Office 365 account and i can see tasks also synced to Outlook, although they don’t show steps there. And i have all my tasks since i started here a few years ago. Yet emails have short retention period. Maybe To Do tasks are not actually being saved in mailbox, but are just synced back to it from To Do storage, which doesn’t have such retention setting.
Yeah there are several areas in M365 that are not technically inside the “compliance boundary” including for example Flows (Power Automate), Power BI dashboards, To-Do’s, etc., etc. The list goes on. Basically the only things you can retain are mailboxes (some content not included like contacts), Teams chat and channel messages, OneDrive and SharePoint libraries (group-connected and non-group connected). And that’s about it.
Hi Alex, I never understood this, but I have one question. Let’s take example: “In SharePoint I have a document file and I set Retention policy to delete everything 5 years and older. Does it mean that even if I don’t delete that document file, it will be deleted by Retention policy, or Retention policy only applies on deleted files. Files that users deleted or even those that are not deleted.”
All items will be deleted that fall in the scope of the policy, not just deleted items but every item. This is a very different beast than email where you can argue it is better to remove all items older than X, for documents you want to have a more comprehensive approach that includes labels for your most important data (crown jewels) as well as regulated data, non-regulated data, etc. All will have different requirements for retention. Which makes it difficult for SMB, no doubt.
Hi Alex, I’m trying to understand what happens when I step a Sharepoint retention policy down, and understand how long it will be before the numbers go down when we delete things as we’re running out of space.
We started with a ‘Keep Everything Forever’ retention policy but are stepping down to 1 year so we can clear enough space in time.
I had assumed that a 1-year policy kept *all* files for 1 years after deletion, but it doesn’t – it keeps files that are *less than 1 year old* (or last modified less than 1 year ago) and anything that’s older at the time of deletion is just into the normal Recycle Bin. If you delete a file that’s 364 days old, it will be kept for just an extra day, then be deleted as normal; it’s not a 1-year extension to the recycle bin behaviour as I had thought.
I’m having people delete/archive old stuff to elsewhere, but I’m still watching my usage graph keep going up, so here’s how I think this works:
– First, there’s a 30-day grace period when you remove or reduce a policy, to stop yourself accidentally removing items by mistake. For 30 days, anything that would ordinarily be deleted now, won’t be. So I won’t see my usage drop at all until after this 30-day period.
– Then, items that are older than one year and were already deleted will move straight into the recycle bin(s), and stay for 93 days. I should see the Preservation Hold library size in each site’s Storage Metrics go down too. I can clear some more space if I purge these, site by site.
– Anything that is less than a year old but that was deleted on the old policy will stay in Preservation Hold until 1 year old.
Does that sound right? I was glad to find the grace period, as I worried that everything I had kept for a number of years would go straight to the recycle bin if I removed the policy.
Also, do you happen to know if it’s possible to run out of overall mailbox or OneDrive space like you can with Sharepoint (and where you see these figures)? I would gladly limit everyone to 100GB OneDrives if I could get even a tiny bit more extra Sharepoint allowance from each.
Thanks very much
Sorry for the delayed response here; your summary sounds accurate. However, when it comes to OneDrive, it is not possible to limit the allowance in order to gain more SharePoint space. The storage limit is 1 TB per user for OneDrive (and is expandable for Enterprise subscriptions), and then either 50 GB (Business) or 100 GB (Enterprise) in the primary mailbox. With the Business Premium and Enterprise plans you also get the archive option which adds additional (auto-expanding optional) storage for mail items. The best way to see usage across mailboxes and OneDrive currently is still PowerShell or a third-party tool.
Just wishful thinking, I know. So I assume that rather than an overall pool of space in OneDrive and Exchange, you literally get the allocation per user and they’re just hoping nobody actually uses it. I just think it’s crazy/annoying that we could have 1/50th of our user base fill their OneDrives and take up more space than our entire Sharepoint allowance. Hoping that one day they’ll add more. Until then, I’ll keep sitting on it. Thanks for replying.