
A new era in Document & Records Management in Office 365

by Becky Driscoll : Move : Improve


90% of data in the world today has been created in the last 2 years alone. In fact, there is so much data stored in the world that we are running out of ways to quantify it. Our current output of data is roughly 2.5 quintillion bytes a day. With the onus on protecting data being placed firmly on the shoulders of organisations (with the introduction of GDPR), businesses world-wide need to be aware and actively put measures in place to manage data at every step of its lifecycle, and discard data once it has been used.

Microsoft Office 365 and the Security & Compliance Center provide a solution to these challenges. Advanced data governance controls can be applied to electronic content stored across Office 365 services, including Exchange/Outlook, OneDrive for Business, Office 365 groups, Microsoft Teams, and SharePoint Online. Classification Labels allow content to be categorised, preserved, protected as records, retained for definable time periods, and ultimately disposed of. The eDiscovery suite enables records managers and compliance officers to quickly investigate and meet internal, legal and regulatory obligations. During an investigation, legal holds can be applied to content relevant to a case, preventing its deletion.

GDPR specifies that organisations keep only the data they need and discard anything they don't; the Security & Compliance Center allows you to do just that. Classification labels can be manually or automatically applied to content. Rule logic can be devised to define how content is managed by the system. Personally Identifiable Information (PII) can be automatically detected based on the composition of documents. Policies further restrict how the electronic content is used and how long the content is retained for.

New ways of managing documents and records in Office 365?

It is vital that key content is retained according to regulatory and business policies and disposed of, automatically or manually, when the content's retention period has expired. Office 365 and the Security & Compliance Center have introduced new ways of managing electronic documents & records.

Traditionally, documents and records would be primarily stored in SharePoint, where structured sites and content types would define compliance processes, such as retention and record declaration policies. The Security & Compliance Center allows administrators to manage information without having to force users to move all content to SharePoint. This does not mean that SharePoint should not be used as a primary store for documents and records; in fact, continuing to develop structured SharePoint sites will improve the Security & Compliance Center's ability to automate classification labels, based on content and metadata. What it does mean is that we can now comprehensively manage information stored in other Office 365 services as well, namely: Exchange/Outlook; OneDrive for Business; Office 365 groups and Microsoft Teams.

Although classification labels can be applied manually to content stored in these Office 365 services, most organisations will not want to rely on users being records managers and deciding how content is classified. Although classification labels can be applied as defaults to document libraries and folders, the preferred option will be to automate classification labels. Automated classification labels can be applied to content if the content matches specific conditions, such as keywords or sensitive information types. Microsoft will soon be supporting search properties. This is significant because it will be possible to automate the classification of content based on a combination of query logic, such as content types, and column metadata. For example, if the Content Type equals "Finance Document" and the Document Type equals "Invoice", apply a 7 Year preservation retention policy.

The retention policy configured with a classification label determines how long the content is retained for, whether it is preserved (preventing its deletion), and how it is disposed of. Preserved content cannot be deleted until the content disposition process. Content that needs to be reverted to a read-only state must be manually labelled. Dispositions (the deletion of expired content) can be automated when the retention schedule is complete, or assigned to an administrator group for review/approval. At a batch level, the administrator can choose whether to extend the expiry date, re-label the content, or approve the deletion.

What are the steps to set up a Classification Label?

It is recommended that administrators of the Security & Compliance Center use E5 licences, so that they can take advantage of Office 365's advanced governance and compliance features, including automated classification labels. To create a new classification label:

1. Add a classification label.

2. Define the retention schedule (e.g. Modified + 7 Years).

3. Define whether the content should be preserved for the retention period, or whether the content should be declared as a "record".

4. Define the disposition process, i.e. automated or assigned to a group for approval.

5. For automated labels, define query conditions, such as specific keywords or sensitive information types.

6. Define a label policy to determine what Office 365 services or e.g. specific mailboxes or specific SharePoint sites the classification label should be applied to.
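The six steps above describe the Security & Compliance Center portal; the same configuration can be scripted with Security & Compliance PowerShell, where labels are called compliance tags. This is an added example, not code from the original article: the label name, policy name, addresses, site URL and keyword query are placeholders, and it assumes the ExchangeOnlineManagement module and an account with compliance administrator rights.

```powershell
# Added example: every name, address, URL and query below is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

$labelName  = 'Finance Invoice - 7 Years'     # hypothetical label name
$policyName = 'Auto-apply Finance Invoice'    # hypothetical policy name

# Steps 1-4: create the label, its retention schedule, preservation/record
# choice and disposition process.
$tag = @{
    Name              = $labelName
    Comment           = 'Invoices retained 7 years from last modification'
    RetentionType     = 'ModificationAgeInDays'   # "Modified + 7 Years"
    RetentionDuration = 7 * 365                   # duration is given in days
    RetentionAction   = 'KeepAndDelete'           # preserve, then dispose
    IsRecordLabel     = $false                    # $true declares a record
    ReviewerEmail     = 'records-review@contoso.example'  # disposition review
}
New-ComplianceTag @tag

# Step 6: the label policy decides which services and locations are in scope.
New-RetentionCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -SharePointLocation 'https://contoso.sharepoint.com/sites/finance'

# Step 5: auto-apply the label where content matches the keyword query.
New-RetentionComplianceRule -Policy $policyName `
    -ApplyComplianceTag $labelName `
    -ContentMatchQuery 'invoice AND "purchase order"'

# Check what was created and whether the policy has been distributed.
Get-ComplianceTag -Identity $labelName |
    Format-List Name, RetentionType, RetentionDuration, RetentionAction,
                IsRecordLabel, ReviewerEmail
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus
```

Omitting `ReviewerEmail` gives automated disposition instead of review by a group, and replacing `-ApplyComplianceTag` with `-PublishComplianceTag` (without a query) publishes the label for manual application rather than auto-applying it.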

What are the steps to apply a Classification Label to content in Office 365?

Office 365 end-users will be guided on how to maximise the use of Office 365 services based on a governance framework. To apply a classification label to content:

1. Create/import content to an Office 365 service, i.e. Exchange/Outlook; OneDrive for Business; Office 365 groups; Microsoft Teams; SharePoint Online.

2. To manually apply a classification label, select the content and apply the label, e.g. via the Properties pane on a document library.

3. If a classification label is automatically applied, the query conditions will determine how this is done.

4. When an item's retention schedule has elapsed and the disposition process actioned, the content will be deleted from its location. Note: A Legal Hold applied to content will prevent this from happening.
