Clearing the “ROT” in O365 with Retention Policy


A quick win after cloud migration is setting up a retention policy. It provides much-needed governance to data and its flow. Redundant, Obsolete, and Trivial data (ROT) amounts to 30% of unstructured data in an organization. Depending on how data-intensive an organization’s operation is, the dollar value of this unnecessary chunk could easily scale and become unmanageable if not tamed.

Data retention defines policies that cover data persistence, management, compliance, and business data archival requirements. It protects the confidentiality of data by ensuring effective management of access to data, its availability, and effective disposal after expiration. Besides the need for compliance, an effective data retention practice will minimize the cost of data operation and storage, shield the organization from legal risks, and enhance other data security controls and governance initiatives such as data loss protection and big data management.

ROT data could end up costing the business a lot in monetary terms, legal and compliance risk, and data security. The popular $1 billion Samsung vs Apple case and the GDPR fines for holding on to unused personal data come to mind easily. With more organizations migrating to the cloud and work from home gaining traction, having firm control of your data is critical in the seemingly borderless digital landscape. With the right data retention policy come great cost savings in storage and operations, a boost to productivity, reduced retrieval time for data, a reduced attack surface, and a corporate shield against certain legal and compliance risks.

Using the trio of people, process, and cloud technology implementation as a structure, we will explore key lessons from prior implementations on how to successfully institute a data retention policy for an organization.

Process

One of the key issues with a retention policy is how to know what to retain and when to do away with it. A possible steer is the Gartner Pace-Layered Application Strategy, which aligns roughly with the categories of data in play in most organizations. The strategy categorizes business applications, and by implication the kind of data they produce, into Systems of Record, Systems of Differentiation, and Systems of Innovation. Each of the categories has a retention period and value attributed to the data produced.

To achieve a great policy, a lot depends on the pre- and post-implementation processes put in place. Placing attention on processes and getting support from management is key.

Based on previous experience, the following guidelines will help navigate through major challenges that arise as one implements a retention policy.

· Stakeholder Management Processes:

** Define your purpose; think in terms of business goals, internal processes, and external requirements (compliance and regulatory, 3rd party vendors, customers)

· Assessment/Scoping

** You cannot control what you don’t know. Starting with data classification will greatly enhance your retention policy

** Discover where data resides in the organization.

** Agree and document the data in scope, and plan how to take care of important data that is not in scope

** Assess the data, establish the risks attributed to the data, and establish stewardship for different business data if not already in place

· Develop and stand up a formal corporate retention policy

** Work with all stakeholders to co-create your policy, ensure all the elements of a good retention policy are present. This policy will drive the technical implementation.

** Socialise policy through awareness and management support within the business

** Make it technology agnostic

· Design and Implementation Processes

** Start with a pilot project for a small group

** Ensure you have adequate and necessary O365/M365 licenses.

** Build in key security principles where applicable, segregation of duty, least privilege, etc.

** Plan enforcement process with the backing of the sponsors.

** Ensure you have a process for keeping knowledge about Microsoft technologies up to date. Changes happen quickly and are always well communicated.

** Decide and document key decisions around approach, scope, permission, versioning, immutability, and other configurations.

** Establish change management processes. Start socializing what needs to start and stop with the end-users.

** Set up comprehensive test cases on all platforms and across various scenarios

** Data disposition after expiry, and review processes.

· Post-implementation

** Establish monitoring/alert, reporting, auditing, and reviewing processes

People

People play an important role here. From the users whose work pattern is affected, to leadership and those in charge of compliance, each one has a role to play that ultimately contributes to the policy's effectiveness.

Getting the right people as early as possible matters a lot.

· Stakeholders

** Think both internal (line of business, legal, management, IT) and external requirements (regulatory body, partners, customers).

** Your management sponsorship is critical. It drives users’ adoption and accountability among other benefits.

· Change Management

** Take the user experience seriously; get change management involved early.

** Involve key data consumers and producers in the impact analysis.

** Develop focal point representation from user groups and managerial level

** Develop user awareness sessions and monitor performance.

· Your Project Management team

** Your business analysts, project management, Cloud SME, and data stewards are key resources for such implementation.

** Document key decisions, configurations, and settings.

Technology

If your process and people are in place, implementing a retention policy on M365 is very easy. There are limitations to data that M365 can retain. Retention does not take the place of backup.

It is important to understand the nuances around certain actions, such as how long data should be retained and recoverability after deletion of data, and to explore feature behavior on different M365 platforms like SharePoint Online, Exchange Online, OneDrive for Business, and Teams. Exchange Online Retention Policy is different from M365 retention policy and it is another ball game entirely. However, implementing the M365 retention policy via the Microsoft Compliance Center is advisable, as it covers the bulk of the Exchange Online retention policy. For most implementations, your E3 license will cover most features. Advanced features like automatic retention labeling may require getting some E5 licenses. A few implementation tips include:

** A great data classification label will enhance the set-up of retention

** Investigate data-at-rest behavior in different location types: OneDrive, Exchange mailboxes, and Teams. The behavior may vary depending on specific configurations.

** The preservation library, where deleted retained data resides, consumes storage, so it is practical to plan for storage growth. You can review your configuration to reduce this.

** Plan ahead for testing by creating your use cases and scenarios

** Manage complex situations with advanced settings, e.g., event-triggered retention policies

** Choosing between retention labels and retention policies requires a cross-functional decision rather than an IT/implementation group decision
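
The pilot-first approach described above can be scripted with Security & Compliance PowerShell. The following is an added example, not part of the original article: the policy name, mailboxes, site URL, admin account and the 7-year duration are all placeholders to be replaced with values from your own documented policy.

```powershell
# Added example: pilot retention policy scoped to a small group.
# Every name, address, URL and duration below is a placeholder/assumption.
#Requires -Modules ExchangeOnlineManagement

$PolicyName    = 'Pilot-Finance-Records'                 # hypothetical name
$PilotMailbox  = 'pilot.user1@contoso.example',
                 'pilot.user2@contoso.example'           # pilot users only
$PilotSite     = 'https://contoso.sharepoint.example/sites/FinancePilot'
$RetainDays    = 2555   # assumed 7-year period from the corporate policy

# Sign in with an account that holds only the compliance role it needs
# (least privilege / segregation of duty).
Connect-IPPSSession -UserPrincipalName 'compliance.admin@contoso.example'

# Create the policy and its rule once; skip if the pilot already exists.
$existing = Get-RetentionCompliancePolicy -Identity $PolicyName `
                -ErrorAction SilentlyContinue
if (-not $existing) {
    # Explicit locations keep the pilot away from the rest of the tenant.
    New-RetentionCompliancePolicy -Name $PolicyName `
        -Comment 'Pilot scope; decision record: <reference placeholder>' `
        -ExchangeLocation $PilotMailbox `
        -SharePointLocation $PilotSite `
        -Enabled $true

    # Retain for the period, then dispose of the content after expiry,
    # counting from the last-modified date.
    New-RetentionComplianceRule -Name "$PolicyName-Rule" `
        -Policy $PolicyName `
        -RetentionDuration $RetainDays `
        -RetentionComplianceAction KeepAndDelete `
        -ExpirationDateOption ModificationAgeInDays
}

# Post-implementation check: confirm the policy reached every location.
Get-RetentionCompliancePolicy -Identity $PolicyName -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus, DistributionResults

# Export the effective settings so key decisions are documented.
Get-RetentionComplianceRule -Policy $PolicyName |
    Select-Object Name, Policy, RetentionDuration,
                  RetentionComplianceAction, ExpirationDateOption |
    Export-Csv -Path .\pilot-retention-config.csv -NoTypeInformation
```

Policy distribution can take time to complete, so re-run the distribution check before starting test cases against the pilot locations.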

Conclusion

A simple retention policy is easy to accomplish, but most organizations' context means such an implementation needs to be scoped and tailored to succeed. The strategies and approaches highlighted above point organizations to areas prone to failure and what can be done to remedy them. Key decisions need to be taken early. To ensure successful implementation, start simple, explore various scenarios, test exhaustively, and monitor post-implementation performance. M365 features in Microsoft Compliance Center provide all necessary enablement to achieve this.

M365 may not be a fit-all solution for enterprise-wide retention practice, but considering that 90% of documents in organizational stores such as OneDrive for Business, Teams, and Exchange Online are Word, Excel, and PowerPoint documents, the M365 retention policy provides an effective cloud data retention solution.