How to Back Up Your Business Email and Calendar

If your business uses Microsoft 365 — and the vast majority of UK SMEs do — your email, calendar, contacts, and OneDrive files are hosted in Microsoft's cloud. This creates a dangerous assumption that many business owners make: because the data is "in the cloud," it must be safe. Microsoft will take care of it. Nothing can go wrong. This assumption is wrong, and it has cost countless UK businesses dearly.

Microsoft provides infrastructure-level resilience for its cloud services. Their data centres have redundant power, cooling, and storage. They replicate data across multiple facilities. Their uptime SLA for Exchange Online is 99.9%. But none of this protects your data from the threats that actually cause data loss in practice: accidental deletion by users, malicious deletion by disgruntled employees or compromised accounts, ransomware that encrypts mailbox content via synchronisation, retention policy misconfiguration that purges data prematurely, or regulatory requirements to retain data beyond Microsoft's default retention periods.

The Shared Responsibility Model

Microsoft operates under what they call the Shared Responsibility Model. In simple terms, Microsoft is responsible for the availability of the service — keeping the servers running, maintaining the infrastructure, and ensuring the platform is accessible. You are responsible for your data — ensuring it is properly backed up, protected from user error, and retained in accordance with your legal and regulatory obligations.

This is not a hidden policy. Microsoft states it explicitly in their service agreement: "We recommend that you regularly backup your Content and Data that you store on the Services or store using Third-Party Apps and Services." They are telling you, in plain language, that their service is not a backup and that you need your own backup solution.

Common Misconceptions About Cloud Data Protection

One of the most persistent misconceptions among UK business owners is the belief that Microsoft's recycle bin functions as a backup. The Deleted Items folder in Outlook and the Recycle Bin in SharePoint and OneDrive do provide short-term recovery options, but they are designed for convenience, not for data protection. Items in the Deleted Items folder are automatically purged after a set period, and users can empty the folder manually at any time. Once an item leaves the recycle bin, it moves to a recoverable items folder that is hidden from the user and retained for a further 14 days by default. After that window closes, the data is permanently and irrevocably gone from Microsoft's systems.

Another common misconception is that Microsoft's geo-redundant replication serves as a backup. Geo-redundancy means that your data is copied to a secondary data centre in real time, providing protection against a regional outage or hardware failure. However, because replication happens in real time, any deletion or corruption is replicated immediately as well. If a user deletes a critical email, that deletion is replicated to the secondary data centre within seconds. Geo-redundancy protects against infrastructure failure; it does not protect against data loss caused by human action or malware.

A third misconception relates to Microsoft's liability. Many business owners assume that if they lose data whilst using Microsoft 365, Microsoft will be liable for the loss. This is not the case. Microsoft's service agreement explicitly limits their liability and places the burden of data protection on the customer. In the event of data loss caused by accidental deletion, a compromised account, or a misconfigured retention policy, Microsoft has no obligation to recover your data and, in most cases, will be technically unable to do so.

Understanding these misconceptions is the first step towards implementing a proper backup strategy. The moment your organisation recognises that Microsoft 365 is a productivity platform rather than a data protection platform, the case for independent backup becomes unarguable.

What Needs Backing Up

A comprehensive Microsoft 365 backup strategy should cover all the workloads that contain business-critical data. The most critical is Exchange Online — email, calendar, and contacts. For many businesses, email is the primary record of client communications, contractual agreements, and business decisions. Losing email data can have serious legal, regulatory, and commercial consequences.

Beyond email, your backup should also cover OneDrive for Business (each user's personal cloud storage), SharePoint Online (shared team sites and document libraries), and Microsoft Teams data (which is stored across SharePoint, OneDrive, and Exchange). If your business uses other Microsoft 365 services such as Planner, Lists, or Power Platform, check whether your chosen backup solution covers these workloads as well.

Prioritising Your Backup Scope

Not all Microsoft 365 data carries the same level of business criticality, and understanding this hierarchy is essential when designing your backup strategy. Email typically sits at the top of the priority list for most UK businesses. It serves as the primary communication channel for client correspondence, contractual negotiations, supplier agreements, and internal decision-making. For regulated businesses — such as those in financial services, legal, or healthcare — email may also constitute a formal legal record that must be retained and producible for specified periods under applicable UK regulations.

Calendar data is frequently underestimated during backup planning. Whilst a lost calendar entry might seem trivial compared to a lost contract, consider the operational impact of losing an entire department's calendar history. Recurring meetings, client appointments, project milestones, annual leave records, and resource bookings all reside within Exchange Online calendars. Rebuilding this data manually after a loss event is time-consuming, error-prone, and deeply disruptive to day-to-day business operations across the organisation.

Contacts represent another category that businesses commonly overlook. Many organisations maintain extensive contact directories within Exchange Online, including client details, supplier information, and internal distribution lists. These contacts often contain notes, custom fields, and relationship history that simply cannot be recreated from other sources once they are lost. A thorough backup strategy ensures that contact data is captured alongside email and calendar content at every scheduled backup interval.

OneDrive for Business deserves particular attention because it frequently becomes the default storage location for work-in-progress documents, personal notes, meeting recordings, and files shared informally between colleagues. Unlike SharePoint, which typically follows more structured governance policies, OneDrive content tends to be less organised and therefore considerably harder to reconstruct if lost. Users may not even be fully aware of what they have stored there until the data suddenly disappears.

Microsoft 365 Backup Solutions for UK Businesses

Several enterprise-grade backup solutions are available for Microsoft 365, each with different strengths. The leading options in the UK market include Veeam Backup for Microsoft 365, Acronis Cyber Protect Cloud, Barracuda Cloud-to-Cloud Backup, Druva inSync, and more recently, Microsoft's own Backup solution (currently in preview). Here is how they compare for a typical UK SME.

Key Evaluation Criteria

When evaluating Microsoft 365 backup solutions, UK businesses should consider several critical factors beyond basic feature checklists. Recovery Point Objective (RPO) defines how much data you can afford to lose, measured in time. If your backup runs three times daily, your RPO is approximately eight hours — meaning that in the worst case, you could lose up to eight hours of email and file changes. For businesses with high-volume email traffic or time-sensitive client communications, a tighter RPO with more frequent backups may be essential to minimise risk.

Recovery Time Objective (RTO) defines how quickly you need data restored after an incident. The ability to restore a single email within minutes is fundamentally different from the ability to restore an entire mailbox within hours or a complete tenant within days. Ensure that the solution you choose can meet your RTO requirements for the full range of restore scenarios — from individual item recovery through to organisation-wide restoration following a major incident.

Scalability and licensing flexibility matter considerably for growing businesses. Some solutions charge per user, others per storage volume, and some offer unlimited storage per user at a flat rate. Consider how your costs will scale as your organisation grows, as headcount increases, and as mailbox sizes expand over time. A solution that appears cost-effective for 20 users may become prohibitively expensive at 200 users if the pricing model does not scale favourably with your business growth trajectory.

Management overhead is another important consideration for UK SMEs. A backup solution that demands constant manual intervention, complex configuration changes, or specialist knowledge to operate reliably will quickly become a burden on your IT team or provider. Look for solutions that offer automated scheduling, policy-based retention management, self-service restore portals for end users, and proactive alerting when backup jobs fail or complete with warnings. If your IT is managed by a provider such as Cloudswitched, these operational concerns are handled entirely on your behalf.

Feature	Veeam for M365	Acronis Cyber Protect	Barracuda Cloud
Exchange Online backup	Yes	Yes	Yes
OneDrive backup	Yes	Yes	Yes
SharePoint backup	Yes	Yes	Yes
Teams backup	Yes	Yes	Yes
UK data residency	Yes (choose storage)	Yes (UK DCs)	Yes (UK DCs)
Granular restore	Individual items	Individual items	Individual items
Backup frequency	Up to 5x daily	3x daily	3x daily
Ransomware protection	Immutable backups	Immutable + AI detection	Immutable backups
Approx. cost per user/month	£2.50-£4.00	£3.00-£5.00	£3.50-£5.50

For most UK SMEs, Veeam Backup for Microsoft 365 is the most popular choice. It provides comprehensive coverage of all Microsoft 365 workloads, flexible storage options (including UK-based Azure Blob Storage or AWS S3), granular restore capabilities down to individual emails or calendar items, and competitive per-user pricing. When managed by an IT provider, Veeam runs entirely in the background with no impact on end users.

Setting Up Email Backup: Step by Step

Implementing a Microsoft 365 backup solution follows a consistent process regardless of which product you choose. The steps below outline the typical approach for a UK SME deploying Veeam Backup for Microsoft 365, though the principles apply to any solution.

Pre-Deployment Planning and Considerations

Before deploying any Microsoft 365 backup solution, several preparatory steps can make the difference between a smooth implementation and a frustrating one. Begin by auditing your Microsoft 365 environment to understand the full scope of what needs protecting. Document the number of active user mailboxes, the total volume of email data across the organisation, the number and size of OneDrive accounts, and the SharePoint sites and document libraries currently in use. This information determines the storage capacity you need to provision and helps you estimate both the initial backup duration and the ongoing monthly costs.

Network bandwidth and Microsoft API throttling are practical constraints that many businesses overlook during planning. Microsoft applies rate limits to API calls made by third-party backup solutions to protect the performance of their platform for all tenants. During the initial full backup of a large environment, these throttling limits can significantly extend the backup window beyond what you might expect. Plan for the initial backup to run over several days, ideally starting over a weekend or during a period of reduced user activity. Subsequent incremental backups are considerably lighter and rarely trigger throttling under normal circumstances.

Authentication and permissions configuration is a critical step that must be handled with care. Modern backup solutions use Microsoft's application registration framework with specific Graph API permissions to access mailbox, OneDrive, and SharePoint data. These permissions should follow the principle of least privilege — granting only the access strictly required for backup and restore operations, and nothing more. Your IT provider should document exactly which permissions have been granted and review them periodically to ensure they remain appropriate as both the backup solution and Microsoft's permission model evolve.

Finally, consider your restore requirements before deployment rather than after the first incident occurs. Define who should be authorised to request data restores, what approval process is required for different restore types, and what Service Level Agreements apply. For example, restoring a single accidentally deleted email might be a routine request fulfilled within the hour, whereas restoring an entire mailbox as part of a regulatory investigation might require management approval and a more structured, documented process. Establishing these procedures in advance ensures that when a restore is genuinely needed, everyone involved knows exactly what to do and how quickly they need to act.

The initial full backup can take several hours to several days depending on the volume of data and the number of users. Subsequent incremental backups capture only changes since the last backup and typically complete in minutes. Most businesses configure backups to run three times daily — ensuring that in the worst case, no more than a few hours of data could be lost.

Restore Scenarios: When Backup Saves the Day

Understanding common restore scenarios helps illustrate why backup is essential. The most frequent scenario is accidental deletion — a user deletes an important email or empties their deleted items folder. If this is discovered within 30 days, Microsoft's built-in recovery may help. After 30 days, the data is permanently gone unless you have an independent backup.

A more serious scenario is a compromised account. If an attacker gains access to a user's Microsoft 365 account, they may delete emails to cover their tracks, set up forwarding rules to exfiltrate data, or encrypt mailbox content. By the time the breach is discovered, the damage may be irreversible without a backup taken before the compromise occurred.

Ransomware that targets cloud data through synchronisation is an increasingly common threat. If a user's device is infected with ransomware, the encrypted files can sync to OneDrive and SharePoint, replacing good copies with encrypted versions. Microsoft's version history can sometimes help here, but a dedicated backup provides a guaranteed clean recovery point.

Employee Departure and Regulatory Investigations

One of the most frequently encountered restore scenarios in UK businesses relates to employee departures. When an employee leaves the organisation, their Microsoft 365 licence is typically reclaimed within 30 days to avoid unnecessary licensing costs. Once the licence is removed, Microsoft deletes the associated mailbox, OneDrive data, and other user-specific content after a grace period. If, several months later, the business discovers it needs access to that former employee's email correspondence — perhaps for a client dispute, a regulatory inquiry, or simply to locate a critical document — the data is gone and Microsoft cannot retrieve it.

This scenario is particularly common in sectors with long limitation periods for legal claims. Employment tribunal claims can be brought up to six months after the relevant event, or considerably longer in some circumstances. Client disputes falling under the Limitation Act 1980 have a six-year limitation window. If an employee who left two years ago was involved in a client project that is now subject to a professional negligence claim, access to their complete historical email correspondence could be essential to mounting an effective defence. Without an independent backup, that evidence is permanently irretrievable.

Regulatory investigations present another compelling use case for comprehensive email backup. HMRC investigations into tax affairs can go back up to 20 years in cases of suspected fraud. The Financial Conduct Authority can request communications records spanning several years as part of an enforcement investigation. The Information Commissioner's Office may request evidence of data processing activities as part of a UK GDPR compliance inquiry. In all of these situations, the ability to produce historical email records from a reliable backup can be the difference between a satisfactory resolution and a damaging financial penalty or enforcement action.

Litigation hold requirements in the UK — where an organisation is obligated to preserve all potentially relevant documents once litigation is reasonably anticipated — also apply to email and electronic communications. If your business receives a litigation hold notice and cannot preserve the relevant emails because they were never backed up, the legal and reputational consequences can be severe. Courts in England and Wales take a dim view of organisations that are unable to produce electronic records due to inadequate data protection practices, and adverse inferences may be drawn against the non-producing party.

Compliance and Data Residency

For UK businesses, data residency is a critical consideration when choosing a backup solution. Under UK GDPR, transferring personal data outside the UK requires appropriate safeguards. Storing your email backup in a UK data centre simplifies compliance by keeping all data within UK jurisdiction.

Most backup solutions allow you to choose the storage location. With Veeam, for example, you can store backups in Azure Blob Storage in the UK South (London) region, ensuring complete UK data residency. Acronis and Barracuda also offer UK-based storage options. Always confirm the storage location before deploying, and document it as part of your data protection records.

Industry-Specific Compliance Requirements

Different UK industries face distinct regulatory obligations that directly affect email backup and retention strategies. Financial services firms regulated by the FCA must retain records of all communications relating to regulated activities, including email correspondence. The FCA's Senior Managers and Certification Regime places personal accountability on named senior individuals for the integrity of their firm's records, making robust email backup not merely a best practice but a personal regulatory obligation. Firms subject to MiFID II regulations face even more stringent requirements, with specific rules governing the recording and retention of communications that relate to client transactions and investment advice.

Legal firms regulated by the Solicitors Regulation Authority have professional obligations around record-keeping that extend comprehensively to email. The SRA requires firms to maintain records demonstrating compliance with the SRA Standards and Regulations, and client communication records form a critical part of this obligation. Legal professional privilege considerations add a further layer of complexity — backed-up email data must be stored securely to maintain the privilege, and access controls on backup data must be sufficiently robust to prevent inadvertent waiver of privilege through unauthorised access.

Healthcare organisations in the UK face some of the most demanding retention requirements of any sector. The NHS Records Management Code of Practice specifies retention periods ranging from 3 years to 30 years depending on the category of health record. Any email communications that form part of a patient's care record are subject to these retention periods in full. For private healthcare providers, GP practices, and dental surgeries, email backup must accommodate these lengthy retention timescales whilst simultaneously complying with the strict data security standards set out in the NHS Data Security and Protection Toolkit.

Even businesses operating outside heavily regulated sectors should carefully consider their exposure to legal discovery obligations. Under the Civil Procedure Rules, parties to litigation may be required to disclose all relevant documents — including emails — as part of the standard disclosure process. If emails have been lost due to inadequate backup arrangements, the court may draw adverse inferences against the party that cannot produce them, potentially undermining an otherwise strong legal position. A properly managed email backup provides the ability to search for and produce relevant correspondence in response to disclosure requests, even for emails that are several years old.

Beyond data residency, your backup solution should support UK GDPR compliance in other ways. It should allow you to search for and delete specific personal data across backups in response to data subject erasure requests. It should provide audit logs showing who accessed backup data and when. And it should encrypt backup data both in transit and at rest, with encryption keys managed securely.