An overview of compliance features in SharePoint and Office 365

As you migrate your content and intellectual property to OneDrive and SharePoint, it is only natural that, at some point, you might want to take tighter control of your data (documents in this context). For example, you might want to designate certain content to be confidential and have it accessed by only certain employees. Or, you might want to prevent external sharing of files that contain personally identifiable information like credit card numbers. Or, maybe you would want to destroy certain records after a certain retention period. Well, you are in luck, my friends as SharePoint does have such capability built-in. What I would like to do with this post is to go over the various areas of Compliance and explain (at a high-level) where you would need to set modern Compliance features in SharePoint and Office 365.

What are the major Compliance areas?

The following is a list of major areas of compliance when it comes to content control and a brief description of each.

• Data Retention
• Records Management
• Data Loss Prevention (DLP)
• eDiscovery

Data Retention

As the name implies, retention allows controlling the lifecycle of a piece of content (document). For example, you might want to delete certain records after they surpass a legal threshold (i.e., OK to delete financial records after seven years). After a certain period, you can designate the content to be deleted, make it a record (see below) or move/archive it.

Records Management

Records Management is somewhat of a unique area of Data Retention I described above. Essentially, you can designate documents as “records” which makes them indestructible (can’t be deleted). I am sure you have certain data in your firm that falls under this category.

Data Loss Prevention (DLP)

Data Loss Prevention or DLP, for short, is an area of compliance that prevents accidental or malicious oversharing of data. Say, for example, you have a document sitting in your SharePoint library or OneDrive that happens to have personally identifiable information like someone’s Credit Card number or Social Security Number (Social Insurance Number for those in Canada). DLP, when set up, will scan the document for such information by recognizing the number pattern (i.e., 16 digits that make up the Credit Card Number)  and prevent someone from sharing it externally.

eDiscovery

eDiscovery is one area that I hope you never get to deal with. It has to do with legal holds. Say, for example, your organization (G-d forbid) is in a court dispute. And the judge ruled that he or she needs to see all emails and documents from senior management over the last six months. eDiscovery will allow you to execute a legal hold on data – essentially find the content in question and put a hold on it (prevent anyone from deleting or modifying it).

How Compliance worked with “classic” SharePoint

Before we dive into existing compliance capabilities, I want to describe how some of the above compliance features worked in “old” SharePoint, because we did have certain elements available to us.

Data Retention in “classic” SharePoint

We did have Data Retention capabilities with “old” SharePoint, and we could set data retention at the file, folder, library, or content type level. I happened to publish a very detailed blog post on how to set that up a while back (link to Retention files/folders).

Records Management in “classic” SharePoint

Records Management was another area we could achieve with “classic” SharePoint. There were two major ways to set that up: via in-place record management or a Records Center. In-place record management allowed for a user to declare a document as a record right within a Document Library and leave it there as-is and make it indestructible right there – in the same place where other files are located and where users collaborate on all the files. Records Center, on another hand, was a special site collection that would be provisioned to store all documents designated as Records elsewhere (think of it as a special place for all the docs declared as records).

Example of an in-place Records Management (declaration)

Example of a tenant-wide Records Center

eDiscovery in “classic” SharePoint

Likewise, we could also execute an eDiscovery as well. That required provisioning of a special eDiscovery site collection.

Data Loss Prevention (DLP) in “classic” SharePoint

DLP was possible via eDiscovery Center mentioned above. Vlad Catrinescu did a great job describing how to set it up in old SharePoint on his blog.

How Compliance works with “modern” SharePoint

Things are quite different as to how Compliance works with Modern SharePoint. One major difference is that most “classic” SharePoint’s Compliance features were not centralized – meaning you had to set them many features locally at a site collection level. With the flat Information Architecture we now have, modern Compliance is configured at a Tenant level. Then, in turn, tenant-level policies and settings can be applied to sites (also known as site collections in the classic SharePoint), as well as OneDrive and other areas/apps of Office 365 (Outlook, Teams, etc.)

Let’s take a look at where such settings are configured in Modern SharePoint. If you are trying to familiarize yourself with Compliance in SharePoint and Office 365, you will need to get friendly with Security and Compliance Center accessible from your Office 365 portal.

How to access the Security and Compliance Center:

1. App Launcher > Admin
2. Under Admin Centers, click on Security & Compliance

This is where specific compliance areas we covered above can be accessed from as depicted in the image below.

In future posts, I plan to expand and write more detailed articles on the setup and configuration of each of the areas above. Stay tuned.