Is OneDrive a Backup? What Irish Businesses Need to Know About M365 Data Protection
Most Irish businesses assume Microsoft 365 or OneDrive is backing up their data. It isn't. Here's the difference between sync and backup-and what to do about it.
It’s one of the most common assumptions we encounter when talking to Irish SMEs: “Sure, we’re on Microsoft 365-everything goes to OneDrive.”
It’s understandable. Microsoft 365 is excellent software, and OneDrive genuinely does keep your files accessible across devices. But accessible is not the same as backed up, and the distinction matters enormously when something goes wrong.
The difference between sync and backup
Understanding why this matters starts with understanding the difference between the two concepts.
Synchronisation means your files are kept consistent across multiple locations. When you save a document on your laptop, it appears on your desktop and your phone. When you delete it-or when ransomware encrypts it-that change also syncs to every connected location, including the cloud.
Backup means an independent, point-in-time copy is stored somewhere separate, with its own retention policy. A backup is specifically designed to be unaffected by what happens to the original.
OneDrive is a sync service. It is not a backup. Microsoft’s own documentation says as much.
What Microsoft actually promises you
Microsoft operates a Shared Responsibility Model for Microsoft 365. This is documented in their service agreements and is important to understand:
| Microsoft’s responsibility | Your responsibility |
|---|---|
| Infrastructure uptime | Your data |
| Application availability | Recovery from user errors |
| Platform security | Recovery from malicious deletion |
| Short-term recycle bins | Long-term retention |
In practice, this means:
- Deleted items are kept in the Recycle Bin for 93 days for SharePoint and OneDrive. After that, they are permanently deleted.
- Deleted mailboxes are recoverable for 30 days after the licence is removed. After that, the data is gone.
- Deleted Teams channels and chats may not be recoverable at all beyond short retention windows, depending on your licence tier.
- Version history in SharePoint keeps previous versions-but by default only for 500 versions or the last 30 days.
There is no long-term, independent backup of your Microsoft 365 data included in any standard M365 subscription.
What this looks like in practice for an Irish business
Consider a few common scenarios:
A staff member leaves. Their Microsoft 365 licence is removed to cut costs. Thirty days later, their emails, OneDrive files, and Teams conversations are gone. If those files contained client correspondence, project documents, or contractual records-they’re gone too.
A ransomware attack encrypts files on a shared drive. The encrypted versions sync to SharePoint and OneDrive immediately. The unencrypted originals exist in version history-but only for 500 versions or 30 days. If the attack isn’t detected in time, or affected too many files, recovery from version history alone may not be possible.
An employee accidentally deletes a folder of invoices. It sits in the SharePoint Recycle Bin for 93 days-but your accounts team doesn’t notice until day 100. The data is gone with no recovery path from Microsoft.
In all three cases, a third-party backup would have meant full, point-in-time recovery with no data loss.
GDPR obligations for Irish businesses
Article 32 of the GDPR requires data controllers and processors to implement:
“the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.”
The Irish Data Protection Commission (DPC) expects this to be a documented, tested, and maintained capability-not a theoretical one.
If your business stores client data, employee records, or any other personal data in Microsoft 365 (and almost every Irish business does), you need to be able to demonstrate that you can restore that data after a failure. A screenshot of your OneDrive showing files are synced does not constitute a backup for the purposes of Article 32.
A proper third-party backup of your Microsoft 365 environment does.
What a proper M365 backup looks like
A genuine Microsoft 365 backup solution:
- Connects directly to your M365 tenant via Microsoft’s APIs
- Takes daily (or more frequent) snapshots of Exchange mailboxes, OneDrive, SharePoint, and Teams
- Stores those snapshots independently of Microsoft-so they’re unaffected by anything that happens in your M365 environment
- Provides granular restore-restore a single email, a folder, a site, or an entire mailbox
- Retains data for months or years, not just 30–93 days
- Stores data in an EU location to simplify GDPR compliance
Recommended: CloudAlly for Microsoft 365
CloudAlly is one of the most established third-party backup services for Microsoft 365. It covers Exchange Online, OneDrive, SharePoint, Teams, and Microsoft 365 Groups-with unlimited retention and EU data storage included.
What it covers:
- Exchange Online (all mailboxes, including shared)
- OneDrive for Business
- SharePoint Online sites
- Microsoft Teams channels and conversations
- Microsoft 365 Groups
Pricing: Starts from approximately €3–€4 per user per month depending on plan and scale, with discounts for annual billing.
Why it matters for GDPR: CloudAlly stores backup data in EU data centres and provides the granular restore capability that Article 32 requires. It also provides audit logs, which can be useful in demonstrating compliance to the DPC if you ever need to.
For a full overview of cloud-to-cloud backup, see our SaaS backup guide.
What about Microsoft 365 Backup (the paid add-on)?
Microsoft now offers a paid backup product called Microsoft 365 Backup, available as an add-on through the Microsoft 365 Admin Centre. It covers SharePoint, OneDrive, and Exchange Online with restore points going back up to 180 days.
This is better than nothing-and for organisations already deep in the Microsoft ecosystem, it’s worth considering. However:
- It costs extra per user per month on top of your existing M365 licence
- The 180-day retention limit may not satisfy long-term compliance requirements
- Data still lives within the Microsoft environment, not truly independent storage
- Teams chats and other workloads have limited or no coverage
For most Irish SMEs, a third-party solution like CloudAlly gives you more flexibility, longer retention, and simpler compliance documentation for a comparable or lower price.
Action checklist
- Identify what data you have in Microsoft 365 (mailboxes, OneDrive, SharePoint, Teams)
- Check your current retention policies in the M365 Admin Centre
- Assess whether your existing retention windows meet your GDPR obligations
- Set up a third-party backup for your M365 environment
- Document your backup and recovery capability (frequency, retention, tested restore)
- Review quarterly-especially when staff leave or licences are removed
For more on protecting your business data, see our Irish business backup guide.