For most organizations, the volume and complexity of their data is increasing daily – email, documents, instant messages, and more. Effectively managing or governing this information is important because you need to:
- Comply proactively with industry regulations and internal policies that require you to retain content for a minimum period of time – for example, the Sarbanes-Oxley Act might require you to retain certain types of content for seven years.
- Reduce your risk in the event of litigation or a security breach by permanently deleting old content that you’re no longer required to keep.
- Help your organization to share knowledge effectively and be more agile by ensuring that your users work only with content that’s current and relevant to them.
A retention policy in Office 365 can help you achieve all of these goals. Managing content commonly requires two actions:
- Retaining content so that it can’t be permanently deleted before the end of the retention period.
- Deleting content permanently at the end of the retention period.
With a retention policy, you can:
- Decide proactively whether to retain content, delete content, or both – retain and then delete the content.
- Apply a single policy to the entire organization or just specific locations or users.
- Apply a policy to all content or just content meeting certain conditions, such as content containing specific keywords or specific types of sensitive information.
When content is subject to a retention policy, people can continue to edit and work with the content as if nothing’s changed because the content is retained in place, in its original location. But if someone edits or deletes content that’s subject to the policy, a copy is saved to a secure location where it’s retained while the policy is in effect.
Finally, some organizations might need to comply with regulations such as Securities and Exchange Commission (SEC) Rule 17a-4, which requires that after a retention policy is turned on, it cannot be turned off or made less restrictive. To meet this requirement, you can use Preservation Lock. After a policy’s been locked, no one—including the administrator—can turn off the policy or make it less restrictive