The Differences Between Microsoft 365 Backup and Retention

By Peter M., AvePoint

Simply put, retention and backup mean different things to different people within your organization depending on their sphere of responsibility. In IT, “backup” means making sure the content can be recovered and made available to users in case the need arises. “Retention,” on the other hand, to the IT Guy just means “how long before the backed-up content can be deleted.”

But to a Lawyer, Records Manager, or Compliance Auditor, “retention” means something different: the content must be available for discovery and legal document production while being able to defend its provenance, chain of custody, and its deletion or destruction. When talking to these different audiences, remember that they may be using the same words without sharing an understanding of the nuances each group attaches to them.

When considering how to implement an internal process in an IT system, it is important to remember what the goal of the process or policy is: data retention is not put in place to make sure the content can be restored if it’s needed. That’s the backup’s job as the copy of last resort.

The goal of retention, when managing storage space and disaster recovery isn’t part of the job, is to make certain the Legal Department can discover the document and defend its provenance when and if required. In fact, using your “backup” of your Microsoft 365 content as your primary data retention compliance method makes ediscovery and data production less efficient. It means your ediscovery process will have to interrogate two systems to find information. This introduces a discovery variable that could expose the organization to risk if discovery within the backup system misses a critical piece of content for production.

Now that disaster recovery and data availability are not part of the primary responsibility set of the IT department in an organization, people in positions other than IT are beginning to get access to what have previously been “administrative” systems to perform job functions that used to be the concern of IT, before the organization moved to the cloud.

One of the best examples of this kind of access is the “Compliance Center” in Microsoft 365’s Administrative Portal. The assignment of an eDiscovery role to an organization’s legal team can allow them to search through all content in the organization’s Microsoft 365 tenant, manage data discovery and production cases, control who can access which data for discovery, and produce reports of data that has been discovered in the subject matter case. All of these are important aspects of the “back-end” of data retention.

Microsoft 365 Backup Makes Retained Document Production Efficient

Backing up your Microsoft 365 tenant isn’t unrelated to meeting your data retention regulatory requirements, but it’s not the solution for doing so. The job of a good cloud backup solution is making certain a copy of data is (preferably) easily accessible for recovery.

A good cloud backup solution will include many features that make retention (and legal document production) quick and easy such as:

  • Automatic detection of new content containers to include in backups
  • Granular restore to the individual data unit level (document, list item, e-mail, etc.)
  • Full and Incremental backup and restore
  • In-place and out-of-place restore
  • Export files
  • Backups are encrypted in storage
  • Automatic purge of backups after longest default retention period ends
  • Ability to find and remove item-level backed up data as needed
  • Delegation to allow document production without admin credentials
  • End-user self-service restore
  • Comprehensive backup of the entire tenant – All Microsoft 365 workloads and all information kinds

All of this makes retaining and producing data easier. But ‘backup’ isn’t enough to make you compliant with all aspects of retention regulations, legal requirements to produce documentation, and information risk management. Microsoft 365 offers data managers a better tool than mere ‘backup’ to ensure data retention compliance: Retention Policies.

Why You Should Use Retention Policies

Retention policies enable organizations to:

  • Decide proactively whether to retain content, delete content, or retain and then delete the content when needed.
  • Apply a policy to all content or just content meeting certain conditions, such as items with specific keywords or specific types of sensitive information.
  • Apply a single policy to the entire organization or specific locations or users.
  • Maintain discoverability of content for lawyers and auditors, while protecting it from change or access by other users.

When data is subject to a retention policy, people can continue to edit and work with the data because the content is retained in place in its original location. The retention policy ensures the content is managed in the background until the timeframe for action has been reached. For example, if an organization has a retention policy for “destroy after 7 years,” this means the content will remain in place and accessible until the 7-year timeframe is reached. At this point the data will be destroyed.

“Retention Policies” are different than “Retention Label Policies.” They do the same thing, but a retention policy is auto-applied, whereas retention label policies are only applied if the content is tagged with the associated retention label. This tagging can be performed by an automated process, though Microsoft’s vision for retention policy labels is that end-users and content creators will apply the retention labels manually. (Ask your local records manager how well that’s working out.)

Retention Label Policies only take effect when a user or process applies the label to content. Publishing the Retention Label Policies to a container or workspace merely makes it available for users to apply to content. It is also important to remember that Retention Label Policies do not move a copy of the content to the ‘Preservation Holds’ folder until the content under policy is changed next.

Retention Policies are available for all Microsoft 365 workspaces, though each has its own peculiarities and quirks to be aware of. Some common things to remember:

  • All content retained under a retention (or other) policy is discoverable via the Compliance Center eDiscovery console, regardless of license, workspace, or visibility to end users
  • Any policy-based hold, whether retention, label, eDiscovery or other, will prevent the content from being moved to the second stage recycle bin (i.e., all holds must be removed before content will be deleted)
  • Content under retention is not removed from the second stage recycle bin until after the retention period ends, plus the default second stage recycle bin retention time period
  • Content must be owned by a user with an appropriate Microsoft 365 license to have a retention policy applied to it

There can be a lot to absorb and understand when first encountering Microsoft 365 retention policies. Each workspace has its own nuances and defaults for retaining data placed under a retention policy. Some Microsoft 365 customers express concern with being surprised by additional licensing costs to retain data, discover it, and restore it. Other customers are worried they will be charged for space consumption for data they have to retain but that isn’t in use. It is not even uncommon to hear customers complain that retention policies in Microsoft 365 don’t actually work, and the content isn’t really retained, since it’s impossible to restore.

When Microsoft 365 retention policies are understood and properly implemented, all these concerns are alleviated.