In our last article, Using Advanced Data Governance Labels in Office 365, we reviewed the basics of Office 365 Advanced Data Governance Labels. In this article, we will discuss how these labels work in real-life deployments.
Office 365 Labels: What Works
Let’s talk about what works with Office 365 labels.
Labels work well for two things. First, high-level classifications, such as designating documents as confidential versus public, are quite helpful. This approach can help people use the content correctly and help to prevent data leaks. Second, we can use labels to identify sensitive data, such as a US social security number or an Australia Tax File Number.
These two use cases will become even more powerful when Office 365 ADG labels combine with Azure Information Protection (AIP) labels in the near future. This new feature will allow you to protect labeled documents with additional functionality. For example, if we identify content as having a US social security number, AIP can prevent it from being downloaded on a personal device, from being printed, or from being sent in an email attachment.
There is much potential in Office 365 ADG Labels. We can only hope that Microsoft continues to mature this functionality with more robust features to expand useful business scenarios. In the meantime, we should consider some limitations.
Office 365 Labels: Limitations in How They Are Applied
The first limitation is that it takes up to seven days to automatically apply a label. This limitation might be fine for some organizations, but others may not accept this risk. In seven days a user could delete a document that should be a record, or sensitive information could have been unrecognized and used incorrectly. Also, keep this in mind when you are testing a new deployment. Any tests you do will take seven days to run, so be sure to plan for that in your project.
The second limitation involves automatically applying labels using search. As we mentioned above, this can be done using a word or phrase, but not by using the site or content properties. In actual deployments, this could result in mislabeled documents. After working on hundreds of customer deployments at RecordPoint using our automatic labeling engine, we’ve found it is much more accurate to use site and content properties to label content automatically.
You also cannot automatically apply labels to sensitive data that resides in Exchange or Groups. This type of automatic labeling only works with content living in SharePoint or OneDrive for Business. Since sensitive data types are one of our beneficial use cases outlined above, this could be a massive limitation in your deployment.
Another limitation is that you can only apply one label to content. On the surface, this makes sense. Labels drive retention and other policy, so we want to ensure only one policy is applied at one time. However, what happens if more than one label meets the criteria for automatic labeling?
Let’s say you have a document with both a US Social Security number and a healthcare account number. You have a label to identify each type of sensitive data. Which one is applied?
The last limitation is that there is no hierarchy available for labels, or a way to weight their importance. In the scenario above you can’t designate that the Social Security number is more important than the healthcare account number. Instead, the label that was created first will be applied.
This limitation has enormous implications for an ADG implementation, because not only do you need to plan your labels, but you also need to prepare the order in which you create them.
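The planning problem described above, as an added sketch that is not Microsoft's or RecordPoint's code: it models the rule stated in this article (the label created first is applied) and flags label pairs whose creation order contradicts their intended importance. The label names, the `priority` field, and the healthcare account pattern are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed detectors; the healthcare account format is a made-up placeholder.
DETECTORS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "health_account": re.compile(r"\bHCA-\d{8}\b"),
}

@dataclass(frozen=True)
class Label:
    name: str
    detector: str       # key into DETECTORS
    created_order: int  # 1 = created first in the tenant
    priority: int       # 1 = most important to the business (assumed field)

def matching_labels(text, labels):
    """All labels whose sensitive-data detector fires on the text."""
    return [l for l in labels if DETECTORS[l.detector].search(text)]

def applied_label(text, labels):
    """Label applied under the article's rule: the earliest-created match wins."""
    hits = matching_labels(text, labels)
    return min(hits, key=lambda l: l.created_order) if hits else None

def order_conflicts(labels):
    """Pairs (earlier, later) where the earlier-created label is less important."""
    return [(a.name, b.name) for a in labels for b in labels
            if a.created_order < b.created_order and a.priority > b.priority]

def creation_plan(labels):
    """Order in which to create labels so the most important one wins a tie."""
    return [l.name for l in sorted(labels, key=lambda l: l.priority)]

# Constructed sample: the healthcare label was created before the SSN label.
LABELS = [
    Label("Healthcare Account", "health_account", created_order=1, priority=2),
    Label("US SSN", "ssn", created_order=2, priority=1),
]
DOC = "Patient 123-45-6789, billing account HCA-00412345"  # constructed text

if __name__ == "__main__":
    print("applied:", applied_label(DOC, LABELS).name)
    print("conflicts:", order_conflicts(LABELS))
    print("create in this order:", creation_plan(LABELS))
```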
Office 365 Labels: Other Limitations
The first problem is that Office 365 can only classify content located in Office 365. Most organizations have content in multiple cloud repositories, such as Salesforce, Box, Dropbox, and G-Suite. You will need to invest in and maintain another records management system to ensure those repositories are in compliance. Since records management teams are often small, this is a lot of extra work and overhead.
Next, Office 365 only provides generic functionality that doesn’t meet local standards. Unless your organization is only subject to significant regulations, this could limit Office 365’s usefulness for compliance.
For example, many government organizations are subject to local, state, and federal regulations. While Office 365 can help with meeting federal regulations, you will need to customize it to meet state and local needs.
Another major limitation is that you can’t automatically declare content as a record. Users must manually declare records. For SharePoint content, any user in the default members group can declare documents as a record.
However, only site collection administrators can remove or change a record label. If a user accidentally declares content as a record, no one will be able to edit it until a site collection administrator intervenes.
The next limitation is that you can only trigger label retention based on the date the document was created, last modified, or labeled, or based on an Office 365 event. You cannot use custom date fields from SharePoint or other locations. For example, if you have a contract end date field in a SharePoint document library, you cannot use that to trigger the retention policy.
The last limitation is that you need an Office 365 E5 license to use automatic labeling. At the time of this article, an E5 license costs USD 35/user per month as compared to USD 20/user per month for an E3 license. Without paying for the upgraded license, you are limited to manual labeling for all content.
| Office 365 Labels: What Works | Office 365 Labels: Limitations | RecordPoint |
|---|---|---|
| Use to identify and action sensitive content | Application of Labels can be 1-7 days | Provides real-time classification of content |
| Use for high-level classifications | No hierarchy of labels | Can prioritize labels |
| A label can be used by RecordPoint to refine a classification | Generic functionality that doesn’t meet local standards | Has localized certifications |
| | Need to have an E5 license for automatic labeling | Can use an Office 365 label as input |
| | No automatic labeling for records | Works with any license |
| | Have to apply document library labels to each location | Automatic labeling of records and content across multiple sources |
| | Can only manage Office 365 content | Can apply classification from a central location |
| | | Can trigger retention off custom date fields |
How RecordPoint Enhances Office 365 Labels
The great news is that RecordPoint and Office 365 Labels work better together. Here’s how:
- Uses Office 365 labels as input for automatic classification of content and records. For example, if you are using labels for high-level classifications, such as public versus confidential documents, that can be used in a rule to classify your content.
- Works with any Office 365 license. Whether you have E1, E3, or a business plan, we can classify your content. If documents exist in Office 365, we can manage them using RecordPoint products.
- Centralized classification of content across multiple content sources. RecordPoint’s rules engine will automatically classify content according to your file plan and apply the correct retention schedule. Not only can we manage Office 365 content, but we can handle other content repositories as well. Whether your content is in file shares, Box, Dropbox, Salesforce, Exchange, or many different sources, we can manage it using one set of rules. You can also build your own connector for content in a proprietary service.
- Provides real-time classification. When content is created or added to Office 365 or any content repository, RecordPoint will classify it according to your file plan within minutes instead of up to seven days.
- A label hierarchy with prioritization. What if a document meets the criteria for multiple labels? No problem! You can prioritize which label is applied.
- Localized certifications. We hold certifications for many regional competencies, such as Victorian Electronic Records Strategy (VERS), National Archives Records Management (NARA), and DoD 5015.2, to name a few.
- Trigger retention from custom date fields. It is very common to use custom date fields in your SharePoint lists and libraries. Maybe you track project end dates and want to keep documents for three years after the project has ended. RecordPoint allows you to use any date field to trigger a retention policy.
Let us help with your Office 365 needs
We hope you found this article useful as you begin to plan your deployment of Office 365 labels. Contact us to discuss your specific Office 365 records management requirements or answer any remaining questions.