GDPR (DSGVO), Exchange

    Legally compliant email archiving & backups in Microsoft 365 – responsibility, guidelines, tools

    In the digital business world, the secure storage of emails is not just an organizational requirement but a compliance obligation. Anyone running Microsoft Exchange in Microsoft 365 has a good starting point, but full legal certainty also requires clear retention policies, an audit-proof archive and a backup that is independent of the tenant. This article explains what needs to be done, who is responsible and how Olbricht IT provides support.

    Microsoft Exchange: Good foundation, but not the whole package

    Important on-board tools in Microsoft 365:

    • Retention policies for controlled retention and deletion of mailbox content
    • Litigation hold (legal hold) to preserve a mailbox, including items the user deletes or edits, for the duration of a dispute
    • eDiscovery for targeted search, review and export of messages

    These functions protect against deletion by users and keep emails in their original state. They do not, however, replace an independent backup: they live in the same tenant as the data they protect, so they share its fate, and they are not automatically equivalent to GoBD-compliant email archiving.
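    The three controls above, applied and then checked from PowerShell. This is an added example, not code from the original article or from Microsoft; it assumes the ExchangeOnlineManagement module, an account with Exchange and Purview admin rights, and uses illustrative names, mailbox addresses, a 10-year period and a KQL query that are assumptions, not values from the page.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# module and an admin account; policy names, addresses and periods are illustrative.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline      # Exchange Online cmdlets (Set-Mailbox, Get-Mailbox)
Connect-IPPSSession         # Purview cmdlets (New-RetentionCompliancePolicy, New-ComplianceSearch)

# 1. Retention policy: keep all Exchange mail for 10 years (3650 days) from last
#    modification, then delete. Period is an assumption; use your QM manual's schedule.
$policy = New-RetentionCompliancePolicy -Name "Mail-10y-Retain" -ExchangeLocation All -Enabled $true
New-RetentionComplianceRule -Name "Mail-10y-Retain-Rule" -Policy $policy.Name `
    -RetentionDuration 3650 -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption ModificationAgeInDays

# 2. Litigation hold on one mailbox involved in a dispute (assumed address).
#    Deleted and edited items are preserved for the hold duration (days).
Set-Mailbox -Identity "accounting@example.com" -LitigationHoldEnabled $true -LitigationHoldDuration 3650

# 3. eDiscovery-style search as audit evidence for mail from a previous year (assumed query).
New-ComplianceSearch -Name "Audit-2024-Invoices" -ExchangeLocation All `
    -ContentMatchQuery 'subject:"Rechnung" AND received>=2024-01-01 AND received<=2024-12-31'
Start-ComplianceSearch -Identity "Audit-2024-Invoices"
Get-ComplianceSearch -Identity "Audit-2024-Invoices" | Select-Object Status, Items, Size

# 4. Checks a practitioner wants before an audit:
#    a) Has the org-wide retention policy actually been distributed and is it enabled?
Get-RetentionCompliancePolicy -Identity "Mail-10y-Retain" -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus
#    b) Which user and shared mailboxes carry no litigation hold? (Org-wide retention
#       policies do not show up per mailbox, so this lists hold status only.)
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox |
    Where-Object { -not $_.LitigationHoldEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress, LitigationHoldEnabled
```

    Note the caveat the paragraph above makes in practice: an account with sufficient rights in the same tenant can remove the hold and the policy again, and none of these steps produces a copy of the data outside Microsoft 365. That is the gap the backup section below addresses.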

    Backup vs. archiving – the crucial difference

    Purpose
      Backup: protection against data loss (e.g. deletion, ransomware, failure)
      Archiving: long-term, tamper-proof storage for legal/organizational reasons

    Storage duration
      Backup: short to medium term (depending on the backup plan)
      Archiving: long-term (statutory retention periods, e.g. 6 or 10 years depending on document type)

    Structure
      Backup: entire systems/data sets are backed up
      Archiving: structured, searchable filing with traceability

    Restoration
      Backup: quickly restore to a previous state
      Archiving: targeted retrieval/tracking of individual emails incl. history

    Example
      Backup: restore a mailbox after accidental deletion
      Archiving: proof of an email from a previous year during an audit

    In short: backup = technical safety net. Archiving = legally compliant long-term storage. Both are needed.

    Keepit as an independent backup solution for Microsoft 365

    Keepit is a specialized cloud backup solution for Microsoft 365 (Exchange, OneDrive, SharePoint, Teams). It supplements the on-board tools with independent data backup:

    • Independent storage outside the Microsoft infrastructure (reduces dependencies)
    • Automatic backups several times a day and granular recovery
    • Versioning and unlimited storage as required
    • Fast restore of individual emails, entire mailboxes or complete accounts
    • EU storage locations and functions to support GDPR/GoBD requirements
    • Tamper protection and traceability

    Who is responsible for archiving?

    The legal responsibility for proper, legally compliant email archiving always lies with the company. External service providers (e.g. Olbricht IT) or vendors (Microsoft, Keepit, archiving systems) can take over the technical implementation, but the compliance responsibility remains with the client.

    In particular, the company must:

    • select and commission suitable archiving and backup solutions,
    • define and comply with retention periods,
    • regulate access, deletion and review processes,
    • maintain complete documentation (guidelines, procedures, responsibilities),
    • carry out and provide evidence of regular checks/audits.

    An IT service provider such as Olbricht IT provides support with design, implementation, training, operation and documentation – including evidence for internal/external audits.

    Documentation in quality management (QM manual)

    To ensure that processes are auditable, e-mail archiving should be included in the QM manual, e.g. with:

    • Objective & scope: Which mailboxes, systems and data are covered?
    • Roles & responsibilities: Department, IT, data protection, audit
    • Retention periods: according to document type (e.g. commercial, tax-related, project-related communication)
    • Technical implementation: archive solution, storage locations, backup concept, integrity/immutability
    • Processes: Recording, search, export, legal hold, deletion after deadline
    • Controls: regular tests, protocols, responsible persons, escalation
    • Training & awareness: guidelines for employees (e.g. business emails must not be deleted or diverted to private accounts to bypass the archive)

    Sample: Retention policy (extract)

    1. Purpose: To ensure legally compliant, tamper-proof e-mail storage.
    2. Scope: All business e-mail inboxes of the organization (incl. functional mailboxes).
    3. Classification: Emails are classified by relevance (tax-relevant, commercial, technical, project-related).
    4. Periods: Retention in accordance with legal requirements and internal requirements (e.g. 6/10 years, longer depending on the project).
    5. Technology: Use of an audit-proof archive solution; immutability and logging must be ensured.
    6. Access: Role-based; information only by authorized persons (e.g. Compliance/Legal/Audit).
    7. Deletion: verifiable and documented after expiry of the deadlines; deletion blocks (legal hold) if required.
    8. Backup: Independent data backup (e.g. Keepit) in addition to the archive; regular restore tests.
    9. Controls: Annual effectiveness check, logging, action plan in the event of deviations.
    10. Training: Mandatory instructions for affected employees, onboarding check.

    Archiving tools (selection)

    • Microsoft 365 Purview (Retention/Records Management) – retention policies & legal hold within the M365 suite
    • MailStore Server – widespread email archiving for SMEs
    • Hornetsecurity Email Archiving – Cloud archiving with journal capture
    • Barracuda Message Archiver – Appliance/Cloud Archive for Email Compliance

    Note: The final choice of tool depends on size, industry, legal framework and IT landscape.
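    Cloud and appliance archives of the kind listed above are usually fed by journaling: Exchange copies every message to a journaling mailbox run by the archive. The following is an added example of that hookup, not code from the article or from any of the vendors named; the journal address, the NDR mailbox and the rule name are assumptions.

```powershell
# Added example (not from the original article or a vendor). Assumes the
# ExchangeOnlineManagement module and an Exchange admin account; all addresses are illustrative.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Exchange Online requires a recipient for undeliverable journal reports before journal
# rules can be created. Use a mailbox that is itself not the journaling target.
Set-TransportConfig -JournalingReportNdrTo "journal-ndr@example.com"

# Journal all internal and external mail (Scope Global) to the archive's journaling
# mailbox. In Exchange Online the target must lie outside the tenant; the archive
# provider supplies this address.
New-JournalRule -Name "Archive-All-Mail" -JournalEmailAddress "journal@archive.example.net" `
    -Scope Global -Enabled $true

# Check: rule is present and enabled, NDR target is set.
Get-JournalRule | Select-Object Name, Scope, JournalEmailAddress, Enabled
Get-TransportConfig | Select-Object JournalingReportNdrTo
```

    Journaling captures mail only from the moment the rule is active; existing mailbox content has to be imported into the archive separately, which is a point to record in the implementation chapter of the QM manual.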

    Recommendation from Olbricht IT

    1. Workshop & requirements analysis: deadlines, data classes, processes, verification obligations
    2. Design & tool selection: Archive + independent backup (e.g. Keepit)
    3. Implementation: policies, journaling to the archive, roles/rights, monitoring
    4. Documentation: QM manual chapters, process diagrams, checklists
    5. Training & audit preparation: awareness, protocols, annual reviews

    Conclusion

    Microsoft Exchange provides a solid basis – legal certainty only arises through audit-proof archiving plus an independent backup. Compliance responsibility lies with the company; Olbricht IT ensures smooth, auditable implementation.

    Ready to set this up cleanly? We provide support from strategy to audit verification. Request advice now!

    No legal advice: This article does not replace individual legal advice. For binding statements, please consult your legal or tax advisor.

    This post is also available in: Deutsch (German)

    Updated on 25 August 2025
