Retention policies in M365: keep or delete — who decides?
Some data must be kept (fiscal obligations), other data must be deleted (GDPR). Retention policies handle this automatically — if you set them up correctly.
Retention policies in Microsoft Purview determine how long content stays in M365. Without policies, everything is kept indefinitely — which is usually both GDPR-unfriendly and costly in storage.
Policy categories
- Retain: content may not be deleted — keep for at least X years.
- Delete: content is automatically deleted after X years.
- Retain then delete: keep for X years, then delete. The most commonly used option.
Examples for SMBs
- Email: 7-year retain then delete (matches fiscal retention requirement).
- Teams chat: 2-year retain then delete (matches ISO/GDPR guideline).
- SharePoint sites for client projects: 5 years after project close.
- OneDrive of a former employee: 90 days after offboarding (matches 30-day + archive rule).
Licensing
Basic retention is included in Business Premium. Advanced (auto-applied via machine learning) requires E5. For SMBs, Basic is more than sufficient.
Risks
- Overly aggressive delete policies can prevent a legal hold in the event of litigation.
- Overly conservative retain policies can become a GDPR issue (retaining personal data for too long).
- Policies need 1–7 days to become active tenant-wide — test on a small scope first.
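The email example above (7-year retain then delete), created on a small pilot scope first as the last risk recommends. This is an added example, not part of the original article; it uses the Security & Compliance PowerShell cmdlets, and the policy name, pilot mailbox and the choice to count the period from item creation are assumptions.

```powershell
# Added example. Placeholder values throughout; adjust to your tenant.
# Requires the ExchangeOnlineManagement module and a Purview compliance admin role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession    # Security & Compliance PowerShell endpoint

$policyName   = 'Email-7y-RetainThenDelete-Pilot'   # hypothetical policy name
$pilotMailbox = 'pilot.user@example.com'            # placeholder pilot scope
$days         = 7 * 365                             # 7 years expressed in days

# 1. Scope the policy to one mailbox rather than "-ExchangeLocation All",
#    so a wrong setting cannot delete mail tenant-wide.
New-RetentionCompliancePolicy -Name $policyName `
    -ExchangeLocation $pilotMailbox `
    -Comment 'Pilot scope; widen only after distribution succeeds'

# 2. Attach the rule: keep for the full period, then delete.
#    CreationAgeInDays (assumption) starts the clock when the item was sent or received.
New-RetentionComplianceRule -Name "$policyName-Rule" `
    -Policy $policyName `
    -RetentionDuration $days `
    -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption CreationAgeInDays

# 3. Policies take time to distribute. Check the status before widening the scope.
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus, DistributionResults

# 4. Review what the rule will actually do.
Get-RetentionComplianceRule -Policy $policyName |
    Format-List Name, RetentionDuration, RetentionComplianceAction, ExpirationDateOption
```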
See also: personnel file retention periods, GDPR compliance pillar.