Introduction
In the previous post, I showed you how to enable Regulatory Records, which are disabled by default.
But what are Regulatory Records, and why wouldn’t they be enabled by default?
There are three types of Retention Labels in M365:
Retention Labels (let’s call it a regular retention)
Record Labels
Regulatory Record Labels
A Regulatory Record Label, once applied to an item, cannot be changed, overridden, or removed. This immutability ensures compliance with regulatory requirements. When the retention period of a regulatory record ends, it follows the actions defined by the original label (e.g., deletion). You cannot apply a new label to extend or change this action. Regulatory Record Labels are tamper-proof.
The Issue
So, if the desired outcome is compliance, what’s wrong with having the Regulatory Records option at your disposal right away? Why wouldn’t they be enabled by default?
Because there are quite a few problems with the usage of Regulatory Record labels. In some cases their inflexible nature becomes an issue which, ironically, could lead to non-compliance.
The immutable nature of Regulatory Records in Microsoft 365 is both a feature and a challenge.
One reason the Regulatory Records option is not enabled by default is that it is designed for organizations with strict compliance requirements.
Mislabeling
Here is the first common concern: mislabeling the item. Imagine that you made a mistake when applying the label: you cannot reverse that. There is no button to press to undo that action. Incompetent Information Management Workers can create a non-compliance quagmire very quickly.
Having Regulatory Record Labels will require additional training programs and governance. Lack of a bullet-proof file plan and exhaustive documentation can also contribute to potential issues. And even if you have top-notch knowledgeable staff, to err is human.
Poor communication between departments can also lead to inconsistent application of regulatory labels.
Mergers, acquisitions, restructuring, or any other changes in organizational structure can disrupt information management processes and lead to inconsistent application of regulatory labels.
Need for Governance
Would you dare to use Regulatory Record Labels, especially in an organization that doesn’t have a solid file plan or solid personnel training?
Managing immutable records requires a high level of governance, as any mistakes in labeling can pose serious issues. Misinterpreting or misunderstanding regulatory requirements can result in the incorrect application of retention labels.
Additionally, if the end user is presented with a bunch of labels that were not properly named (no naming conventions, and nothing in the name to indicate a Regulatory Record Label), the user might apply one out of confusion. The user does see the alert when applying a Regulatory Record Label, but we all know that most users don't bother reading it.
Without regular audits and reviews, mislabeling and non-compliance issues can go unnoticed for long periods.
Changes in Regulatory Requirements
Changes in regulatory requirements, although rare, do happen. Imagine that you have a few thousand documents that you were keeping for 7 years, but a new regulation requires them to be kept for 10 years. You can increase your retention period.
If the new regulation changes the retention requirement to a shorter period (e.g., from 7 years to 5 years), there's no way to shorten the retention period of an already labeled regulatory record.
The biggest concern is human errors and issues with Information Architecture and Security.
Security Breaches and Unauthorized Access
Security breaches or unauthorized access to records can result in tampering or accidental mislabeling. An insider with malicious intent can cause significant damage by labeling items incorrectly. This malicious activity may go unnoticed, and if discovered, the insider could claim it was an error.
Lack of Security Permissions
M365 has a specific set of security permissions in MS Purview (formerly Compliance Center). Only personnel with specific permissions are allowed to create and publish Labels to the workloads, such as SharePoint.
The issue is that all published labels can be applied by a SharePoint Site user.
It does seem like a significant oversight that Microsoft did not provide more granular control over the application of Regulatory Record Labels in SharePoint Online. Given the importance and immutability of these labels, having more precise permission settings could help prevent accidental or unauthorized application, thereby reducing the risk of compliance issues and operational headaches.
Conclusion
Make sure that you enable the Regulatory Record Label option only if your governance, training, and structure are in place.
Conduct auditing exercises routinely and adjust accordingly.
Build a custom solution that provides Role-Based Access Control (RBAC) to restrict who can apply Regulatory Record Labels.
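As an added example (not from the original post), here is a compensating control for the naming, auditing and RBAC points above: a check that flags regulatory labels whose names do not follow a naming convention, and TagApplied audit events where a regulatory label was applied by someone outside a records-staff allow-list. The label export shape, the 'Regulatory' flag, the audit field names (AuditData, Operation, DestinationLabel, UserId, ObjectId) and all sample data are constructed assumptions, not Microsoft's documented schema.

```python
import json

# Published labels as exported from the tenant (constructed sample; the
# 'Regulatory' flag mirrors the option chosen when the label was created).
PUBLISHED_LABELS = [
    {"Name": "REG-Financial-10y", "Regulatory": True},
    {"Name": "Clinical Study Files", "Regulatory": True},  # name hides its nature
    {"Name": "Project Working Docs", "Regulatory": False},
]
# Staff permitted to apply regulatory labels (constructed allow-list).
AUTHORIZED_APPLIERS = {"records.manager@contoso.example"}


def regulatory_label_names(labels=PUBLISHED_LABELS):
    return {lbl["Name"] for lbl in labels if lbl.get("Regulatory")}


def check_naming(labels=PUBLISHED_LABELS, prefix="REG-"):
    """Flag regulatory labels whose name does not signal immutability to users."""
    return [("naming", lbl["Name"], f"regulatory label lacks '{prefix}' prefix")
            for lbl in labels if lbl.get("Regulatory") and not lbl["Name"].startswith(prefix)]


def review_tag_events(rows, labels=PUBLISHED_LABELS, authorized=AUTHORIZED_APPLIERS):
    """Flag TagApplied events where a regulatory label was applied by someone outside
    the allow-list. Each row carries an 'AuditData' JSON string (assumed export shape)."""
    regulatory = regulatory_label_names(labels)
    findings = []
    for row in rows:
        data = json.loads(row["AuditData"])
        if data.get("Operation") != "TagApplied":
            continue
        label = data.get("DestinationLabel", "")
        if label not in regulatory:
            continue  # a regular or record label can still be corrected later
        user = data.get("UserId", "").lower()
        if user not in authorized:
            findings.append(("unauthorized", data.get("ObjectId", ""), f"{label} applied by {user}"))
    return findings


def _row(user, label, obj):
    return {"AuditData": json.dumps({"Operation": "TagApplied", "UserId": user,
                                     "DestinationLabel": label, "ObjectId": obj})}


SAMPLE_ROWS = [  # constructed audit rows
    _row("Records.Manager@contoso.example", "REG-Financial-10y", "sites/fin/Invoices/2023.pdf"),
    _row("intern@contoso.example", "Clinical Study Files", "sites/rnd/Notes.docx"),
    _row("intern@contoso.example", "Project Working Docs", "sites/rnd/Plan.docx"),
]

if __name__ == "__main__":
    for kind, subject, detail in check_naming() + review_tag_events(SAMPLE_ROWS):
        print(f"{kind}: {subject} ({detail})")
```

Running it reports the badly named regulatory label and the one regulatory application by a user outside the allow-list; the regular label applied by the same user is intentionally ignored, since that mistake can still be corrected.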
While I do hope that Microsoft addresses this issue, I am not holding my breath – I am currently building my own framework that will provide better control over Regulatory Record Labels in M365.