Background

yoko:10’s was engaged by their client, who processed a lot of personal data, some of which was highly sensitivity. This included employee data, data on third party contractors, as well as data on business partners and board members.

Requirements

yoko:10’s client had two key requirements for Microsoft 365 content, these being data classification and data retention.

They needed to ensure they could identify when information was intended for internal or external use, or if information was particularly sensitive from a personal or organisational perspective. They also wanted to ensure documents and emails were kept as long as required, but no longer.

With a substantial investment already made in the Microsoft 365, it made sense for the client to utilise the Information Governance capabilities already available to them.

yoko:10’s Approach

yoko:10 discussed requirements, advised on the tools needed, and helped develop an awareness of the Information Governance capabilities within Microsoft 365. It was agreed that Microsoft’s new “Unified Labelling” solution would provide all required functionality and meet all identified requirements.

Sensitivity labels would be created and published to all employees, allowing them to classify to all emails and documents.

Retention labels would be created and published to all employee mailboxes, OneDrive sites and Microsoft Teams. Each retention label would have a specified retention period, during which time the information could not be deleted, and after which time the information would be automatically removed from Microsoft 365.

yoko:10 decided to run the projects sequentially, due to the level of business involvement required to determine labels, classifications, and retention periods. An information governance steering group was also established to align with the project, this included representation from yoko:10.

Project Overview

Data Classification

yoko:10 first confirmed the clients’ classification and core information security requirements, in respect to email (sent both internally and externally) and Office 365 files. The features and capabilities of sensitivity labels (including reporting) were then reviewed and assessed against requirements.

yoko:10 worked with the client to define a classification scheme that would be simple to use, but broad enough to classify all the types of information they managed. Individual label settings were confirmed and configured, including the automatic application of headers / watermarks and advanced Outlook features, such as blocking external email recipients when sending confidential information.

Members of the clients’ information governance steering group completed a short pilot, with feedback being reviewed, and configuration being amended where necessary.

Communications and guidance were prepared, before being shared with the organisation via a Teams meeting. Sensitivity labels were then published to all employees within the organisation.

Data Retention

Yoko:10 presented several options for defining retention labels and managing data once placed under retention. Alternate approaches were discussed, with a preferred option being agreed with the client.

Departments were tasked with identifying information assets, including associated retention periods for each. The final list of assets was reviewed and rationalised, with a resulting set of retention labels being agreed.

yoko:10 configured the required retention labels, before publishing these for a small pilot group. Analysis was also completed against existing Microsoft 365 file locations, to establish when automatic file deletion, triggered by labels, would occur.

Before publishing labels to all Office 365 locations (mailboxes, Teams and SharePoint), meetings were held with each department to explain data retention, why the project was happening, what it meant for them, what their responsibilities would be and how labels would be applied to folders, files and emails.

Outcome and Benefits

yoko:10’s client had greater control over information that was shared internally and externally, and how long that information was kept. They were also able to avoid the accidental deletion of files which needed to be retained.

The client had confidence that information was correct when responding to subject access enquiries and freedom of information requests. The client could also show physical evidence of compliance, rather than replying on policy and testimony.

The inclusion of pop-up alerts, and classification headers in emails and documents, resulted in greater awareness about the principles of data protection.

yoko:10 says

“Unified labelling is one of Microsoft’s more recent additions, so it was great to put the technology through its paces and address some really important requirements.”

“Having previously delivered several SharePoint document and records management solutions, it’s safe to say the technology has come a long way”.

“The project felt like a real team effort from beginning to end, with our combined experience and skills delivering a robust, long term solution”.