Retention Policies for SharePoint Online and OneDrive in Purview
Welcome back, tech warriors! In our five-part series, we’ve followed Apex Finance, a mid-sized investment firm grappling with a GDPR data privacy probe. Part one introduced Microsoft Purview’s retention policies—automated rules to retain or delete data—while part two tamed Exchange Online emails and Teams chats. Now, in part three, we’re focusing on SharePoint Online and OneDrive for IT admins and compliance officers. Apex’s legal team needs client contracts and financial reports retained for 7 years to prove GDPR compliance, ensuring personal data accountability.
Why read on? This series builds a complete Purview compliance toolkit, and this article fortifies your document storage against audit pressures. Through Apex’s GDPR-inspired scenario, we’ll unpack retention strategies with step-by-step setups to streamline audits and protect data. Let’s fortify that document fortress!
Starting with the Basics
Let’s ease in, as managing SharePoint Online and OneDrive can feel like organizing a digital vault. Retention policies in Microsoft Purview safeguard document data-client contracts in SharePoint sites or employee records in OneDrive. They meet GDPR’s strict rules, requiring personal data retention only as long as necessary, without manual file tracking. For Apex, this ensures critical documents are audit-ready while keeping collaboration seamless.
Why does this matter? In finance, a missing contract can derail a GDPR audit, risking fines. Purview preserves documents in the Preservation Hold library (a hidden SharePoint storage area) or Recoverable Items folder (OneDrive’s secure storage), even if deleted. This reduces storage costs, mitigates legal risks, and supports fearless file sharing.
Retention Policies vs. Labels
With the basics in place, let’s explore Purview’s tools: Retention Policies and Retention Labels. Policies apply broadly to entire SharePoint sites or OneDrive accounts, like Apex’s 7-year retention for the “Client Contracts” site. Labels are precise, targeting individual files manually or automatically (e.g., files with “personal data” keywords or EU passport numbers), as noted in part two.
Apex used a policy for broad coverage and auto-applied labels for sensitive documents, balancing GDPR compliance with user simplicity. Policies streamline IT management, while labels offer compliance teams precision for high-risk data. Note: labels require a publishing policy to apply to locations, so plan strategically to keep your fortress secure and user-friendly.
Real-World Examples
Let’s make Apex’s GDPR probe actionable with setups to retain personal data-related documents for 7 years.
SharePoint Retention
Apex applied a Retention Policy to retain all “Client Contracts” SharePoint site documents for 7 years, meeting GDPR accountability. Deleted files are preserved in the Preservation Hold library, accessible via eDiscovery.
Setup Steps:
Access Purview Portal: In Purview, go to “Data lifecycle management” > "Policies" > “Retention policies”.
Create Policy: Name it (e.g., “GDPR SharePoint Retention”).
Choose Scope: Select “Static” for specific sites or “Adaptive” for dynamic targeting (e.g., sites with “Contracts” in the name). Create adaptive scopes first under “Adaptive scopes.”
Select Workload: Choose “SharePoint sites.”
Set Retention: Retain for 7 years; optionally delete post-period unless under a legal hold.
Test and Apply: Pilot on one site, verify retention in the Preservation Hold library via eDiscovery, and deploy (allow up to 7 days).
OneDrive Retention
Apex retained all employee OneDrive files for 7 years to ensure GDPR-compliant HR records. Files are preserved in the Recoverable Items folder.
Setup Steps:
Access Purview Portal: In Purview, go to “Data lifecycle management” > "Policies" > “Retention policies”.
Create Policy: Name it (e.g., “GDPR OneDrive Retention”).
Choose Scope: Select “Static” for specific accounts or “Adaptive” for dynamic targeting (e.g., HR department).
Select Workload: Choose “OneDrive accounts.”
Set Retention: Retain for 7 years; optionally delete post-period unless under a legal hold.
Test and Monitor: Pilot on one account, verify retention in Recoverable Items via eDiscovery, and deploy.
Retention Label for Sensitive Documents
For files containing personal data (e.g., “personal data” or EU National ID), Apex used an auto-applied Retention Label for 7-year retention, ensuring GDPR compliance with precision.
Setup Steps:
Access Purview Portal: In Purview, go to “Data lifecycle management” > "Retention labels”.
Create a Retention Label: Call it “GDPR Sensitive Documents”.
Set Retention Period: Choose “Retain items for a specific period” (7 years for GDPR compliance). optionally delete post-period unless under a legal hold.
Finish: Finish the creation of the label.
Create a Label Policy: Go to “Data lifecycle management” > "Policies" > "Label policies” and select "Auto-apply a label" and name it (e.g. GDPR Sensitive Documents Label).
Choose the type of content: Select “Apply label to content that contains sensitive info” and configure your sensitive info types (e.g., GDPR).
Choose Scope: Select “Static” for specific SharePoint sites or “Adaptive” for dynamic targeting.
Select Workload: Choose “SharePoint sites”.
Select the retention label created: Add the "GDPR Sensitive Documents" label created previously.
Test and Monitor: Test the policy before running it to evaluate it first.
Pitfalls to Avoid:
Overbroad Scopes: Apex initially retained marketing docs; refining scopes to contract libraries saved storage.
Legacy Versioning: Check SharePoint versioning settings to avoid conflicts with retention policies.
User Resistance: Train users on manual labels (if used) to ensure compliance; Apex’s 30-minute training prevented cleanup headaches.
Policy Overlap: Test label-policy combinations to avoid unintended deletions.
Conclusion
Part three of our series shows Apex turning SharePoint and OneDrive chaos into a GDPR-compliant stronghold with Purview’s retention policies and labels.
Having faced these setups (and learned from a few missteps), I can assure you that getting this right reduces audit stress and keeps collaboration seamless. Ready to fortify your document retention? Test a policy on one SharePoint site today!
Join us next Tuesday for part four, exploring advanced Purview features.
References
Mastering Retention Policies in Microsoft Purview: https://intranetfromthetrenches.substack.com/p/mastering-retention-policies-in-microsoft-purview
Exchange & Teams Retention Policies in Purview: https://intranetfromthetrenches.substack.com/p/exchange-and-teams-retention-policies-in-purview
Advanced Retention Features in Microsoft Purview: https://intranetfromthetrenches.substack.com/p/advanced-retention-features-in-microsoft-purview
8 Must-Know Best Practices for Mastering Retention in Microsoft Purview: https://intranetfromthetrenches.substack.com/p/8-must-know-best-practices-for-mastering-retention-in-microsoft-purview
Learn about retention policies & labels to retain or delete: https://learn.microsoft.com/en-us/purview/retention
Learn about retention for SharePoint and OneDrive: https://learn.microsoft.com/en-us/purview/retention-policies-sharepoint
Create and configure retention policies: https://learn.microsoft.com/en-us/purview/create-retention-policies
Create retention labels for exceptions to your retention policies: https://learn.microsoft.com/en-us/purview/create-retention-labels-data-lifecycle-management