Sensitivity labels and retention policies stand out as powerful tools. They allow you to apply rules and actions to your data based on its content, location, and context. Understanding these tools empowers you to make informed decisions that best suit your specific needs, putting you in control of your data management and security.
In this blog post, I will unpack the flexibility of sensitivity labels and retention policies, how they adapt to your organization’s needs, and their advantages and disadvantages. I will also provide some tips and best practices for using them effectively in your organization, helping you stay ahead of the curve in data protection.
Sensitivity labels are a way of classifying your data according to its level of confidentiality and sensitivity. You can create and apply sensitivity labels to your documents, emails, and files to indicate how they should be handled and protected. For example, you can label a document as “Highly Confidential” or “Restricted,” depending on who can access it and what actions are allowed.
When you apply a sensitivity label to your data, you’re not just classifying it but also proactively enforcing specific protection settings and actions. For example, you can encrypt your data, restrict access to authorized users, prevent copying or printing, add watermarks, or track and revoke access. You can also apply sensitivity labels automatically based on the content or metadata of your data or let users choose the appropriate label manually, giving you a proactive approach to data security.
Sensitivity labels can help you achieve the following goals:
By definition, sensitivity labels from Microsoft Purview Information Protection let you classify and protect your organization’s data while ensuring that user productivity and the ability to collaborate aren’t hindered.
You can use sensitivity labels to:
In all these cases, sensitivity labels from Microsoft Purview can help you take the right actions on the right content. With sensitivity labels, you can identify the sensitivity of data across your organization, and the label can enforce protection settings that are appropriate for the sensitivity of that data. That protection then stays with the content.
Sublabels allow you to organize multiple labels under a main label that users see in an Office app. For instance, under a main label like “Confidential,” your organization might have several specific labels for different levels of confidentiality. The main label, “Confidential,” is just a text label without protection settings, and it can’t be applied directly to content. Instead, users select “Confidential” to see the sublabels and then choose the appropriate sublabel to apply to their content.
Sublabels help present labels in a more organized and logical way. They don’t inherit any settings from their main label except for the label color. When you make a sublabel available to a user, they can apply that sublabel to their content and containers but not the main label itself.
Avoid setting a main label as the default label or configuring it to be automatically applied or recommended. If you do, the main label can’t be applied.
Here’s how sublabels might look to users:
Please note that, if configured, those labels can also be overwritten. Here is what the experience looks like when asking for a justification.
You publish sensitivity labels in a sensitivity label policy to make them available to users. This policy appears in a list on the Label Policies page. Like sensitivity labels, the order of these policies matters because it reflects their priority: the policy with the lowest priority is at the top with the lowest order number, and the policy with the highest priority is at the bottom with the highest order number.
A label policy includes:
You can assign a user to multiple label policies, and they will receive all the sensitivity labels and settings from those policies. If there are conflicting settings from multiple policies, the settings from the policy with the highest priority (highest order number) are applied. In other words, the highest priority policy wins for each setting.
For example, in a list of three label policies:
If settings from the multiple policies assigned to a user conflict, the setting from the policy with the highest order number is applied.
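The resolution rule above, as an added example that is not from the original post or from Microsoft: a local Python model (it calls no Purview API) in which a user receives the labels of every assigned policy and, for each setting, the policy with the highest order number wins. Policy names, users, setting keys and the "Main/Sub" label notation are constructed, and it assumes a policy that leaves a setting unconfigured takes no part in a conflict; it also flags a main label used as the default label.

```python
# Added example: a local model of label policy resolution, not a Purview API.
# Policy names, labels and setting keys below are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class LabelPolicy:
    name: str
    order: int      # higher order number = higher priority
    users: set
    labels: list    # published labels; sublabels written as "Main/Sub"
    settings: dict = field(default_factory=dict)  # only settings this policy configures

POLICIES = [
    LabelPolicy("Standard", 0, {"alice", "bob"}, ["Public", "General"],
                {"default_label": "General", "mandatory_labeling": False}),
    LabelPolicy("Finance", 1, {"alice"},
                ["Confidential/Finance", "Confidential/All Employees"],
                {"mandatory_labeling": True, "require_justification": True}),
    LabelPolicy("Executives", 2, {"alice"}, ["Confidential/Board"],
                {"default_label": "Confidential"}),  # misconfigured: a main label
]

def resolve(user, policies):
    """Return (applicable labels, effective settings, findings) for one user."""
    assigned = sorted((p for p in policies if user in p.users), key=lambda p: p.order)
    labels, settings, source = [], {}, {}
    for policy in assigned:                 # ascending order number
        for label in policy.labels:         # the user receives labels from every policy
            if label not in labels:
                labels.append(label)
        for key, value in policy.settings.items():
            settings[key] = value           # a higher order number overwrites a lower one
            source[key] = policy.name
    # A main label that has sublabels is only a grouping and cannot be applied.
    mains = {label.split("/", 1)[0] for label in labels if "/" in label}
    applicable = [label for label in labels if label not in mains]
    findings = []
    default = settings.get("default_label")
    if default in mains:
        findings.append(f"{source['default_label']}: default label "
                        f"'{default}' is a main label and cannot be applied")
    return applicable, settings, findings

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, *resolve(user, POLICIES), sep="\n  ")
```

Running the same check against an export of your own policies shows which policy supplies each effective setting before you reorder them.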
Retention policies are a way of managing the lifecycle of your data according to its value and compliance requirements (this is different from the Preservation Hold Library in SharePoint). You can create and apply retention policies to your data to specify how long it should be kept and what should happen after a certain period.
For example, you can retain a document for 7 years and then delete it automatically, or keep it indefinitely until you manually delete it. I had a customer, a financial institution, whose default setting was 10 years.
When you apply a retention policy to your data, you can also ensure that it is preserved and protected from accidental or malicious deletion, modification, or loss. You can also apply retention policies automatically based on your data’s content, location, or type, or let users choose the appropriate policy manually.
Retention policies can help you achieve the following goals:
While a retention policy can cover multiple services, referred to as “locations” in the policy, you can’t create a single policy that includes all the supported locations at once:
If you select Teams or Viva Engage locations when creating a retention policy, the other locations will be automatically excluded. Therefore, your steps depend on whether you include Teams or Viva Engage locations in your retention policy.
So, it’s a correct statement to say that we have 3 main pillars for Retention Policies:
To create a new policy, sign in to the Microsoft Purview compliance portal > Solutions > Data lifecycle management > Microsoft 365 > Retention Policies.
While sensitivity labels and retention policies are useful for managing and securing your data, they also have some important differences that you must be aware of. Here are some of the main ones:
These differences affect how you use sensitivity labels and retention policies in your organization. For example, you may need to use sensitivity labels to protect your data when you share it with external parties. In contrast, you may need to use retention policies to manage your data when you store it in internal repositories. You may also need to use both sensitivity labels and retention policies to apply different rules and actions to different types, locations, or content of data.
Depending on your goals and scenarios, you may need to use either sensitivity labels, retention policies, or both. Here are some questions to help you decide which option is best for you:
There is no one-size-fits-all solution for choosing between sensitivity labels and retention policies. Depending on your specific needs and scenarios, you may need to use a combination of both. However, you should always consider the following best practices when using sensitivity labels and retention policies:
Sensitivity labels and retention policies are powerful tools to help you manage and secure your data in Microsoft 365. However, there are also some differences that you need to consider before choosing the best option for your needs.
In this blog post, we explained sensitivity labels and retention policies, how they work, and their advantages and disadvantages. We also provided some tips and best practices for using them effectively in your organization.
We hope that this blog post has helped you understand the difference between sensitivity labels and retention policies and how to choose between them.