Does Microsoft 365 Back Up Your Data?

Most businesses assume Microsoft 365 keeps their data safe. It does not, not fully. Here is what is actually happening to your emails, files, and Teams data, and what your business needs to do about it.

What Microsoft 365 Actually Does With Your Data

Microsoft 365 is built for uptime and collaboration. It is not built for backup. That distinction matters more than most business owners realise.

Microsoft protects its own infrastructure against outages, hardware failures, and data centre issues. If a server goes down in one of Microsoft’s facilities, your data stays intact because it is replicated across multiple locations. That is infrastructure protection, not data backup.

Your data protection is a different matter entirely. If you delete a file, make a mistake, or fall victim to a cyberattack, Microsoft’s job is done. Recovering what you lost is your responsibility.

How Microsoft’s Retention Policies Work

Microsoft 365 has retention periods built in, but they are not designed for recovery in the way most businesses expect.

Deleted items in Outlook sit in the Deleted Items folder until you empty it. After that, they move to a recoverable items folder and stay there for 14 days by default, extendable to 30 days with the right settings. SharePoint and OneDrive recycle bin items are kept for 93 days. After that, they are gone permanently.

These defaults work fine for short-term accidental deletions. They are not designed to protect you from a ransomware attack that encrypted your files three months ago, or from a staff member who wiped a folder before leaving.
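The 14-day default and 30-day maximum for recoverable mailbox items can be audited from Exchange Online PowerShell. The following is an added example, not code from the original article: the function name `Find-ShortDeletedItemRetention` and the sample mailboxes are hypothetical, and the sample objects are constructed so the script runs without a tenant connection. Raising the value lengthens the recovery window only; it does not create a backup.

```powershell
# Added example: flag mailboxes whose deleted-item retention is below the 30-day maximum.
function Find-ShortDeletedItemRetention {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Mailbox,
        [int]$TargetDays = 30
    )
    process {
        # RetainDeletedItemsFor arrives as a TimeSpan or as text such as "14.00:00:00".
        $text      = [string]$Mailbox.RetainDeletedItemsFor
        $retention = [TimeSpan]::Parse($text, [cultureinfo]::InvariantCulture)
        $days      = [int]$retention.TotalDays

        if ($days -lt $TargetDays) {
            [pscustomobject]@{
                Mailbox       = $Mailbox.PrimarySmtpAddress
                Type          = $Mailbox.RecipientTypeDetails
                RetentionDays = $days
                ShortfallDays = $TargetDays - $days
            }
        }
    }
}

# Constructed sample data shaped like Get-Mailbox output (not real mailboxes).
$sample = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'finance@example.test'
                       RecipientTypeDetails = 'SharedMailbox'
                       RetainDeletedItemsFor = '14.00:00:00' }
    [pscustomobject]@{ PrimarySmtpAddress = 'hr@example.test'
                       RecipientTypeDetails = 'UserMailbox'
                       RetainDeletedItemsFor = '30.00:00:00' }
    [pscustomobject]@{ PrimarySmtpAddress = 'leaver@example.test'
                       RecipientTypeDetails = 'UserMailbox'
                       RetainDeletedItemsFor = '14.00:00:00' }
)

# Reports finance@ and leaver@ with a 16-day shortfall; hr@ is already at 30 days.
$sample | Find-ShortDeletedItemRetention | Format-Table -AutoSize

# Against a live tenant (requires the ExchangeOnlineManagement module):
#   Connect-ExchangeOnline
#   Get-Mailbox -ResultSize Unlimited | Find-ShortDeletedItemRetention
# To raise one mailbox to the maximum:
#   Set-Mailbox -Identity <mailbox> -RetainDeletedItemsFor 30
```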

Microsoft does offer a Microsoft 365 Backup product. It covers SharePoint, OneDrive, and Exchange, and it provides point-in-time recovery. But it carries additional licensing costs, has coverage gaps, and is not a substitute for a dedicated third-party backup strategy for most businesses.

What Happens When Data Is Deleted or Lost

Say a member of staff leaves your business and an IT administrator accidentally deletes their mailbox. You have 30 days to restore it. After that, it is gone. Everything they received, sent, or stored in that account, years of correspondence, disappears permanently.

Now picture a different scenario. A phishing email tricks someone into clicking a link. Ransomware spreads across your OneDrive and SharePoint, encrypting files. By the time your team notices, the damage covers months of business-critical documents. Microsoft’s recycle bin will not help here. The files are not deleted; they are encrypted and unusable.

In 2025, 30.2% of organisations reported losing data within Microsoft 365, up from 17.2% the previous year. And 81% of IT professionals have experienced some form of data loss in Microsoft 365 at some point.

Without a dedicated backup, your business is exposed.

Ransomware and Microsoft 365: The Real Risk

Ransomware does not care that your business uses a reputable cloud platform. Attackers specifically target Microsoft 365 environments because so many businesses trust the platform implicitly and skip proper backup.

According to the Hornetsecurity Ransomware Impact Report 2025, 24% of organisations reported being a ransomware victim. In the UK, 43% of businesses experienced a cyber breach or attack in the past 12 months, based on UK Government survey data.

When ransomware hits your Microsoft 365 environment, the clock starts immediately. If you do not have a clean backup from before the attack, you face two choices: pay the ransom or lose your data.

A managed backup solution changes that entirely. You can roll back to a point in time before the attack, recover individual files, mailboxes, or entire SharePoint sites, and get your business running again without giving criminals a penny.

Our managed IT support includes proactive monitoring that helps detect unusual activity before ransomware takes hold. But monitoring alone is not a substitute for backup. You need both.

UK GDPR and Your Backup Responsibility

This is the part most guides leave out.

Under UK GDPR and the Data Protection Act 2018, your business is responsible for protecting personal data you hold. That includes emails, HR records, client information, and any other personal data stored in Microsoft 365.

If that data is lost because you had no backup, the Information Commissioner’s Office (ICO) can investigate. Depending on the circumstances, that can result in formal enforcement action, financial penalties, and mandatory audits.

Article 32 of UK GDPR specifically requires organisations to put in place appropriate technical measures to protect personal data, including the ability to restore its availability and access in a timely manner following a physical or technical incident.

In plain terms: if your business holds personal data in Microsoft 365 and has no backup, you may already be falling short of your legal obligations. That is not a risk worth running.

Our remote IT support team can review your current Microsoft 365 setup and identify where your data is exposed before a problem occurs.

What a Proper Microsoft 365 Backup Looks Like

A solid backup solution for Microsoft 365 covers four areas:

  • Exchange Online: all mailboxes, including shared mailboxes and distribution lists
  • SharePoint: team sites, document libraries, and permission structures
  • OneDrive: personal file storage for every licensed user
  • Microsoft Teams: chat history, channel files, and meeting recordings

It runs automatically, daily at minimum. It stores data in a location entirely separate from Microsoft’s infrastructure. And it allows granular recovery, meaning you can restore a single email, a specific file version, or an entire mailbox, without restoring everything.

Choosing a third-party backup tool matters. Look for UK or EU data residency to stay compliant with data protection rules. Check that the provider offers immutable backups, copies that cannot be altered or deleted, even by ransomware. And make sure recovery has actually been tested. A backup that nobody has tested restoring is not a reliable backup.

Setting this up correctly, integrating it with your existing Microsoft 365 licences, and testing it properly is where a managed IT partner adds real value. You can explore how we approach this as part of our managed IT support services.

Frequently Asked Questions

Real questions UK businesses ask about Microsoft 365 backup, answered plainly.

Does Microsoft 365 automatically back up my emails?

No. Microsoft 365 retains deleted emails for up to 30 days in a recoverable items folder, but this is not a backup. It will not protect you from ransomware, accidental mass deletion, or data loss beyond the retention window. A separate backup solution is required.

What is the difference between Microsoft 365 retention and backup?

Retention policies keep data within Microsoft’s own system for a set period. Backup copies your data to a separate location, allowing you to recover it independently of Microsoft’s infrastructure. If Microsoft’s environment is affected or your retention period has passed, only a proper backup will save you.

Does Microsoft 365 Backup replace the need for a third-party tool?

Not for most businesses. Microsoft 365 Backup is an improvement on native retention, but it has coverage limitations, additional licensing costs, and is not immutable by default. For most UK SMEs, a dedicated third-party backup solution provides more reliable protection and recovery options.

How often should Microsoft 365 data be backed up?

At minimum, daily. For businesses handling sensitive or high-volume data, more frequent backups reduce how much you could lose in the event of a problem. Your backup frequency should match your recovery point objective, meaning how much data your business can afford to lose.

Is not backing up Microsoft 365 a UK GDPR risk?

Yes. UK GDPR requires businesses to protect personal data and maintain the ability to restore it following an incident. If your business holds personal data in Microsoft 365 and has no backup, you may not be meeting your legal obligations under Article 32 of UK GDPR.

How do I know if my Microsoft 365 data is currently backed up?

Most businesses do not know until they need to recover something. Ask your IT provider specifically whether your Exchange, SharePoint, OneDrive, and Teams data is backed up to a separate location outside Microsoft’s infrastructure. If they cannot answer clearly, it probably is not.

Don’t Wait Until Something Goes Wrong

Microsoft 365 is a great platform. But great platforms still lose data, get hit by ransomware, and fall victim to human error. Relying on Microsoft’s built-in retention without a dedicated backup is one of the most common and costly assumptions businesses make.

Getting this right does not have to be complicated. Contact UK IT Services to talk through your Microsoft 365 setup and get a free IT consultation. We will identify exactly where your data is exposed and put a backup solution in place that actually works.
