Trigger retention policies with Events in Advanced Data Governance
Articles Blog

Trigger retention policies with Events in Advanced Data Governance

January 4, 2020

– Coming up, if you’re
looking to develop a strategy on what data to keep or delete
inside of your organization, we’re gonna walk you through
the data retention capabilities in Office 365 Data Governance,
with new updates, including the ability to retain your
data in Microsoft Teams, event-based retention
triggered by specific events, insights and analytics of your
data using Labels Explorer, and managing your deletion process through disposition review. (upbeat tech music) I’m joined today by Nishan DeSilva from the Data Governance team. Welcome. – Thanks for having me on the show. – So we’re seeing a
huge amount of interest in data retention, especially
in light of things like GDPR, and also the growing number of regulations in place globally. Now the common wisdom might be
to be able to keep your data as long as you possibly can, but that can be a true
liability if you get hacked. Now, equally, not keeping the right data for whatever compliance reason
might get you in trouble. – It can be. So what we
advise everyone to do is to have a strategy
around your overall data to reduce your risk. There’s actually a industry
principal of ROT analysis where you look at what’s
redundant, obsolete, and trivial. – Right and this is one of
the most important areas where tech can help you today,
but how are we approaching this then in Office 365? – So, traditional ways of
doing that have typically required replicating your
data and placing it into an external system. This
can be costly and it further increase your risk because now you have your data in multiple places. – And ironically that’s
replication or redundant, literally the “r” in ROT. – Absolutely, and our
approach is to give you in-place retention and
deletion in Office 365. Of course, if you have
data stored on premisis or in other services, we
help you bring the data into Office 365’s data
governance to take advantage of our built in capabilities. – Alright so let’s get into this. How do we actually determine
what to keep or what to delete? – Depending on which industry uses it, there are different
regulatory rules governing how long to keep specific types of data. Or, you may need to set
up retention policies that align to your business processes that show evidence of compliance. Ultimately, your compliance
officer will know how long to retain your data to meet the relevant regulations. – And those rules actually
need to be codified into your retention system, but
how do you get started? – So our retention
capabilities can be found in the Security & Compliance center. And as a compliance officer, my experience is scoped only to the
activities specific to my role. – Right, and this is
something we regularly cover on Microsoft Mechanics: the
Security & Compliance center, and for those of you who are new to it, it’s really designed to be
this cooperation between the compliance team on one hand and the IT team on the other. So you have a little
bit of a different view than as an IT admin,
different set of controls. In my case I’m signed
in here with the rights to assign permissions. So here in the Security
& Compliance center, I actually have the Permissions tab open, I’ve created a Data Governance role. In this case you can see the role name, the description that we’ve added to it, the different assignments
of what you can do in terms of the capabilities
that you’ll need, and I’ve also assigned members there. – So now, as a compliance
officer, I can do the things important to my
role with tailored experiences. – So now again, just to point out, the IT team doesn’t have
to worry about anyone on the compliance side
interfering with their policies or settings or IT configurations. But Nishan, why don’t you actually show us what the compliance officer
experience looks like. – Great. Consider the
case of an international manufacturing company.
We have data operations in EU, US, and a
manufacturing plant in China. We have to abide and comply with a number of regulations globally. – And this is a case
where you’re going to need to balance all the regulations
that you have in place, either where your offices
are geographically located, for the markets where you
want to do business in, and also where and how you manufacture. – Yes. And so here, let’s go ahead and now go to data governance, and into retention. We manufacture drones,
and we have to comply with several regulations.
As you can see here, I have created policies based
on geographies and users. We have three different geographies with different retention regulations. And I also have a
org-wide retention policy. Here I’m going to create
a new retention policy for the US operations for Microsoft Teams. Based on the regulation we know that the longest required
retention period is 15 years for my asian policy for China, for devices and manufacturing. The default in the system is seven years, but we can override that to
the time period of six years so it’s consistent with
the other retention policy. And after that, retain the
content based on either create, or last modified, and we can
also do what we want to do with the data when it gets
deleted or not deleted. Here I’ll go ahead and
say don’t delete it, as we still want to
have an internal review before we delete anything. Now I also have options
for some advanced settings for auto-classification, but
for today I’ll keep going and click next. You’ll see that we’ve
added Microsoft Teams, and we’ll continue to add more in time. I’ll select “Teams” and
“Chats” and hit “Next,” and create that policy. – And the great thing here is I can also exclude certain groups from this policy, but what if I want to create a standard or default policy for
my entire organization, can I do that as well? – You can run an org-wide retention policy for any period of time.
For here, you can see I have created an org-wide policy for five years across all workloads. – And the other thing is, if
you have any policy conflicts, the retention policy’s always gonna win over a deletion policy.
So we saw retention and geography and workload,
now we’re actually including Microsoft Teams
as something we can select as a location or workload, and the users we also have
selected to really help you when you have specific
regulations that you’re trying to adhere to when you’re retaining your data but what if you wanna
drive proactive retention related to an event or
maybe a specific activity on a project, maybe
the project’s complete. How would we do that? – We know from industry data that more than 40% of retention categories are triggered by events.
To make this easier, you can now do event-based retention in Advanced Data Governance in Office 365. Here you will notice on my
left nav, I have a new sub-tab called “Events.” This is where you’ll find and manage your event-based policies. Event-based retention works
by first creating a label to classify specific information so it’s good to have a clear strategy on information classification
in your organization with labeling of your data. For example, campaigns or
specific launches that you may run as a business where you know
there may be a need to manage the retention and deletion
of that information within a specific period. Let’s go ahead and create a
label called “Drone Orca Day 1” in regards to product launch. We’ll set the retention as five years. I’m going to select – I want to trigger a disposal review because
I want to make sure this content is reviewed prior to deletion at the end of the retention period. Here I have options from
when to start a retention. It can be create date, last modified, labeled, or now, event. I can select from three existing events that have broader scope, and I can talk a little bit more about that later, but I want to have an event trigger that is specific to this project. You’ll give it a name… And we hit finish. And at
this point, we can select that event and click “Add.” And I’ll go ahead and hit
“Next” and “Create this label.” So now that, after I created that label, now I can publish that
label, I can now either publish to all locations, or I can select just to publish it to a single SharePoint site
here by hitting “Choose sites.” And I give it a name, and I’m done. Now I’m going to ask my SharePoint admin to apply the label
“Orca Drone Day 1” label as a default in SharePoint
document library. It also retroactively
apply to content uploaded. All they need to do is go to site settings and apply the label. – Now how does the system actually know that the event has happened and occurred once the event gets triggered? – As the compliance officer, once I know the project is complete I can go to the events
tab in Data Governance and create a new event called “Drone Product Completion
Retention Policy”. And here, I have to choose the event type that we created earlier. – Okay. – And then I can figure out the
day that project was closed. So here’s the trigger.
So we can pick today, or we can even go back
and pick a previous date. And I create the event, and we’re done. – Very cool, so you’ve shown
us then a custom event, but what if you have a more
common event that you actually want to automate that
happens all the time? – Today we supply
PowerShell Cmdlts that allow to connect to other systems
to trigger these events. And these are listed in
the support documentation. – Right, so we just saw an event trigger, and the retention clock, then, is there to start retaining the data, and that’s gonna be based
on the labels that you set. Now, labeling is central,
really, to any retention strategy to make sure that the right
things are kept or deleted but how do you get insights in terms of how labels are being used
in your organization? – Right. As you mentioned, any
good data governance strategy starts with information classification. But to make this easier for
you, we also quickly track which labels are in use
in your organization and give you insight and
analytics on specific trends. – But, is there a way then
that I can see how users are actually proactively
labeling their content with specific labels? – Yes. If you click on
our new Labels Explorer, you can drill down and
take a look at “Orca Day 1” and you can see that there has only been 15 labels applied to this. So here’s where, a scenario
that we can think about is really to also take
this as manually labeled, we can also do auto-classification, I can go ahead and create a new label, and start doing an auto-classification. And you can see that you can
also auto-apply to that label. Here we have two different
ways of auto-applying, so I can go ahead and type
content specific words. So I can actually type the word “drone” and it’ll go ahead and look for any information regarding “drone.” I can give it a part name of a policy, and I can then pick which
location you want to do it and because we want to look
at wherever the word “drone” is located in our tenancy,
I’m gonna run it across everything in Office 365. So this way, that Labels Explorer
now not only will capture the manual labeled, but
also the auto-applied label, so we have a 360 view of what you had set. – So very cool, so this is all
based on content search then, directly from within Office 365. – That is correct. – What if I wanna get rid
of some unwanted data, personal data, that I
need to stop retaining, how can I do that? – We have three ways of
delete data from Office 365. So let’s go back to a label
and create a new label, and let’s give it a name, “Delete EU Personal Data
for Drone Projects.” – Okay. – And then I can go here, and let’s say the retention period here is five years you can see there are three
ways we can delete data from the system. One is delete
the content automatically when it reaches the retention period. Second is trigger a disposal
review, or do nothing. In this case let’s go ahead
and say we want to trigger a disposal review, because
we want to also make sure that someone is reviewing this data. In this case, we always
give a best practice to not just pick an individual,
actually to pick a group because if an employee
leaves an organization, you want to make sure
that group is still alive. So here is where I’m going
to pick the group called “US Drone Compliance Group.” – Sounds good. So given we have the option
here to do automatic deletion, why would groups choose to
do manual disposition review versus the auto delete? – This is if a business
needs to either suspend or extend deletion or retention periods and make some high-value records that are in your organization that needs audited before they’re permanently gone, it’s always good to do a manual disposal. In Data Governance, I can see where these
are pending dispositions, I can filter them by
the different sources, so we have documents or emails. I can also sort it by
labels. I can also select a document that gives me decisions of apply different label, extend
it, or delete permanently, and I also can, which many organizations’ data governance and
compliance folks would do is actually multi-select or all select and then go ahead and
execute the disposition. – So you’ve gone through a full lifecycle of information governance,
from retention-based policies on various inputs to insights,
all the way down to deletion and disposition, but where
can folks go to learn more? – Go to the link shown on
the screen to learn more. We recommend your organization
is using Office 365 E5 to take advantage of
all these capabilities. And we’ll be rolling
out these new features to your organization soon. – And of course keep
watching Microsoft Mechanics for the latest tech
updates across Microsoft. That’s all the time we
have for today’s show, thanks for watching
and we’ll see you soon. (upbeat tech music)

Only registered users can comment.

Leave a Reply

Your email address will not be published. Required fields are marked *