Retention: Plan Your Data Lifecycle
Data has a lifecycle β create, use, archive, dispose. Retention labels and policies ensure you keep what regulators require and delete what you should not keep. Plan your retention strategy before touching any settings.
Why retention matters
Think of your companyβs filing cabinet.
Some documents MUST be kept for 7 years (tax records). Some MUST be deleted after their purpose is served (job applications for unsuccessful candidates). And some should be kept forever (company founding documents).
In Microsoft 365, data accumulates constantly β emails, documents, Teams messages, meetings. Without a retention strategy, you either keep everything forever (expensive, risky in lawsuits β more data = more discoverable content) or delete too early (regulatory fines, lost evidence).
Retention labels are the filing instructions for each type of content: βkeep for 7 years then delete,β βkeep for 5 years then review,β or βkeep forever.β
Retention labels vs retention policies
| Feature | Retention Labels | Retention Policies |
|---|---|---|
| Applied to | Individual items (documents, emails, Teams messages) | Entire locations (all of Exchange, all of SharePoint, specific sites) |
| Granularity | Per-item β different retention for different documents in the same library | Per-location β same retention for everything in the scope |
| User-visible? | Yes β users can see and apply labels (if published) | No β invisible to users, applied by admins |
| Auto-apply? | Yes β via auto-apply label policies based on SITs, keywords, or classifiers | Yes β applied automatically to all content in scope |
| Disposition review | Yes β at end of retention, reviewers can decide to extend or dispose | No β automatic deletion at end of retention period |
| Records management | Yes β can declare items as records or regulatory records | No β policies manage retention only, not records |
| Best for | Content-specific retention (contracts = 7 years, HR docs = 5 years) | Blanket retention for entire workloads (all Exchange = 1 year) |
Planning your retention strategy
Step 1: Map regulatory requirements
| Regulation | Data Type | Required Retention |
|---|---|---|
| SOX (Sarbanes-Oxley) | Financial records, audit documents | 7 years |
| HIPAA | Patient records | 6 years from date of creation or last effective date |
| GDPR | Personal data | Keep only as long as necessary for the purpose |
| SEC Rule 17a-4 | Broker-dealer communications | 3-6 years depending on record type |
| Employment law | Employment contracts, performance reviews | Varies by jurisdiction (3-7 years) |
Step 2: Define retention labels
For each data category, create a retention label:
| Label Name | Retain For | After Retention | Trigger |
|---|---|---|---|
| Financial Record β 7 Year | 7 years | Delete automatically | Date created |
| Patient Record β 6 Year | 6 years | Disposition review | Date last modified |
| Employee Contract | 5 years | Delete automatically | When employee leaves |
| Project Document | 3 years | Delete automatically | Date created |
| Regulatory Filing | 10 years | Do nothing (keep forever) | Date filed |
Step 3: Retention triggers
The retention period can start from different events:
| Trigger | When Retention Starts | Use Case |
|---|---|---|
| When created | Date the item was created | Default for most content |
| When last modified | Date the item was last changed | Content that evolves (policies, procedures) |
| When labelled | Date the retention label was applied | Items labelled after creation |
| When an event occurs | A specific event like βemployee departureβ or βcontract expiryβ | Event-based retention |
Scenario: Priya plans Meridian's retention
Priya maps Meridian Financialβs retention needs:
| Content | Regulation | Retention | Trigger | Action After |
|---|---|---|---|---|
| Client account records | SEC 17a-4 | 6 years | Date created | Disposition review |
| Trading communications | SEC 17a-4 | 3 years | Date sent | Auto-delete |
| Internal emails | Internal policy | 1 year | Date sent | Auto-delete |
| Audit reports | SOX | 7 years | Date created | Auto-delete |
| Board minutes | Company policy | Permanent | N/A | Retain forever |
She creates five retention labels and plans both auto-apply (for trading communications based on SITs) and manual application (for board minutes).
Creating retention labels
In Microsoft Purview portal β Data lifecycle management β Retention labels:
| Setting | What It Configures |
|---|---|
| Name | Label name (visible to admins and users if published) |
| Description | What the label is for (user-facing and admin-facing descriptions) |
| Retention period | Days, months, or years β or retain forever |
| Retention trigger | When created, when modified, when labelled, or event-based |
| At end of retention | Delete automatically, start disposition review, or do nothing |
| Mark as record | Optionally declare content as a record (locks it from editing) |
Exam tip: event-based retention
Event-based retention starts the clock when a specific event occurs β not when the content was created. Common events:
- Employee leaves β start 5-year retention on their documents
- Contract expires β start 7-year retention on contract files
- Product discontinued β start 3-year retention on product documentation
To use event-based retention, you create an event type, apply labels with that event trigger, and then create the event when it occurs. The exam tests whether you understand that the retention period only begins when the event is created β not when the label is applied.
Priya at Meridian Financial needs to retain trading communications for 3 years from the date they were sent, then automatically delete them. Which retention configuration should she use?
Dr. Liam needs to retain patient records for 6 years after the patient's last visit, then have a clinician review them before deletion. Which configuration is correct?
π¬ Video coming soon
Next up: Retention Labels: Publish & Auto-Apply β get retention labels into the hands of users and automate labeling at scale.