26 Apr 2022

Microsoft 365 Retention Policies FAQ

For most organisations, the volume and complexity of their data is increasing daily: email, documents, instant messages, and more. Effectively managing or governing this information is important because you need to:

  • Comply proactively with industry regulations and internal policies that require you to retain content for a minimum period (PII, ePHI, PCI, etc.)
  • Reduce your risk in the event of litigation or a security breach by permanently deleting old content that you're no longer required to keep.
  • Help your organisation to share knowledge effectively and be more agile by ensuring that your users work only with content that's current and relevant to them.

By removing data that no longer serves the business, you can reduce clutter and improve search results, making it easier to find the most current and relevant information. Therefore, every business can benefit from some basic information governance. Microsoft 365 retention settings can help you achieve these goals. Managing content commonly requires two actions:

Action            Purpose
Retain content    Prevent permanent deletion and keep content available for eDiscovery
Delete content    Permanently delete content from your organisation

With these two retention actions, you can configure retention settings for the following outcomes:

  • Retain-only: Retain content forever or for a specified period.
  • Delete-only: Permanently delete content after a specified period.
  • Retain and then delete: Retain content for a specified period and then permanently delete it.

These retention settings work with content in place, which saves you the additional overhead of creating and configuring extra storage when you need to retain content for compliance reasons. In addition, you don’t need to implement customised processes to copy and synchronise this data.

To begin, we suggest that you narrow down your focus to answering just one question for your organisation: How long should we keep email data?

Email records are the number one type of electronic record that is regularly required for litigation today. Not because organisations necessarily have things to hide, but simply because there is so much information in email that could potentially become damaging in a litigation scenario.

A retention policy is amazingly simple; we can use it to do one or both of the following (based on the date created or last modified): we can choose to retain information (which means it cannot be permanently deleted during the retention timeframe), and/or we can choose to permanently delete information after the specified time. When it comes to email, we are usually aiming to accomplish both goals: retain items for a desired period (as required by law, for example), and then automatically delete those items at the end of that period. This gives us assurance that any items deleted (even accidentally) can be recovered during the retention period using eDiscovery or a simple Content search. And it works in the other direction too: we have assurance that items that have passed the retention period can no longer be discovered or restored.

When you target Exchange Online mailboxes, we are talking about the power to preserve and/or delete the following mailbox items:

  • Mail messages with any attachments
  • Tasks when they have an end date
  • Calendar items that have an end date
  • Notes
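
The "retain and then delete" outcome for Exchange Online mailboxes can be configured with Security & Compliance PowerShell, as in this added example (not taken from the original article). The policy name, the admin account and the 2555-day period are assumptions chosen for illustration; the policy is created disabled so it can be reviewed before it applies to mailboxes.

```powershell
# Added example: policy name, admin account and retention period are assumptions.
# Requires the ExchangeOnlineManagement module and a compliance administrator role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder account

$policyName    = 'Email - retain then delete (example)'   # hypothetical name
$retentionDays = 2555                                      # assumed period (about 7 years)

# Map the three outcomes described in the article to the rule's action value.
$actions = @{
    'Retain-only'            = 'Keep'
    'Delete-only'            = 'Delete'
    'Retain and then delete' = 'KeepAndDelete'
}
$outcome = 'Retain and then delete'

# Create the policy disabled so it can be reviewed before it touches any mailbox.
New-RetentionCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -Enabled $false `
    -Comment 'Example email retention policy'

# The rule carries the period, the action, and which date starts the clock.
New-RetentionComplianceRule -Name "$policyName rule" `
    -Policy $policyName `
    -RetentionDuration $retentionDays `
    -RetentionComplianceAction $actions[$outcome] `
    -ExpirationDateOption CreationAgeInDays   # or ModificationAgeInDays

# Review what was configured before enabling it.
Get-RetentionComplianceRule -Policy $policyName |
    Format-List Name, RetentionDuration, RetentionComplianceAction, ExpirationDateOption

# Enable after review, then confirm the policy has been distributed to mailboxes.
Set-RetentionCompliancePolicy -Identity $policyName -Enabled $true
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus
```

Changing `$outcome` to one of the other two keys produces a retain-only or delete-only rule with the same period.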

Conclusion

Ignoring email retention completely could leave your small business open to unnecessary risk. Instead, design a simple email retention policy to meet your needs. It does not take long to get this done and we can help. Reach out to your FOS.net account manager to find out.