GDPR for Exchange Server

As part of safeguarding personal information, we recommend the following:

Identifying In-scope Content

Exchange uses two primary storage repositories for end user generated content: mailboxes and public folders. Content stored in an individual user's mailbox is uniquely associated with that user and represents their default repository within Exchange. The data stored in a user mailbox includes content created using Outlook, Outlook on the web (formerly known as Outlook Web App), Exchange ActiveSync, Skype for Business clients and other third-party tools that connect to Exchange servers using POP, IMAP or Exchange Web Services (EWS). Examples of these items include messages, calendar items (meetings and appointments), contacts, notes and tasks. Deleting an individual user's mailbox removes content generated by or sent directly to the user in the context of their mailbox. You can delete user mailboxes by using the Exchange admin center (EAC) or the Remove-Mailbox cmdlet in the Exchange Management Shell.
Note: The Permanent parameter on the Remove-Mailbox cmdlet should be used with caution as the data will not be recoverable if this option is used.

Exchange also provides shared mailboxes that allow one or more users access to send and receive content that's stored in a common mailbox. The shared mailbox is a unique entity that's not associated with a single account. Instead, multiple users are granted access to send, receive and review email content in the shared mailbox. Shared mailboxes are administered using the Exchange admin center and the same cmdlets used to manage regular user mailboxes.

If you need to remove individual messages from a mailbox, there are different options available depending upon the version of Exchange. In Exchange Server 2010 and 2013, you can use the Search-Mailbox cmdlet with the DeleteContent parameter to identify and remove messages from a mailbox. In Exchange Server 2016 and later, you need to use the New-ComplianceSearch functionality.
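
The following Exchange Management Shell function is an added example, not part of the original guidance. It counts the messages that match a query in one mailbox and removes them only when -Delete is given, using either of the two version-specific paths described above. The function name, the mailbox `shared-hr` and the query are constructed for illustration.

```powershell
# Added example (hypothetical helper name). Preview is the default; -Delete is required to remove.
function Remove-InScopeMessage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,
        [Parameter(Mandatory = $true)][string]$Query,
        [ValidateSet('SearchMailbox', 'ComplianceSearch')]
        [string]$Method = 'ComplianceSearch',
        [switch]$Delete
    )

    if ($Method -eq 'SearchMailbox') {
        # Exchange Server 2010/2013: estimate first so the hit count is reviewed before deletion.
        $hits = (Search-Mailbox -Identity $Mailbox -SearchQuery $Query -EstimateResultOnly).ResultItemsCount
        if ($Delete -and $hits -gt 0) {
            # No -Force: the cmdlet's own confirmation prompt stays in place.
            Search-Mailbox -Identity $Mailbox -SearchQuery $Query -DeleteContent
        }
        return New-Object psobject -Property @{ Mailbox = $Mailbox; Matches = $hits; Method = $Method }
    }

    # Exchange Server 2016 and later: run a compliance search, then a purge action on its results.
    $name = "GDPR-$Mailbox-$(Get-Date -Format 'yyyyMMddHHmmss')"
    New-ComplianceSearch -Name $name -ExchangeLocation $Mailbox -ContentMatchQuery $Query | Out-Null
    Start-ComplianceSearch -Identity $name

    $deadline = (Get-Date).AddMinutes(15)   # bounded wait instead of polling forever
    do {
        Start-Sleep -Seconds 10
        $search = Get-ComplianceSearch -Identity $name
    } until ($search.Status -eq 'Completed' -or (Get-Date) -gt $deadline)
    if ($search.Status -ne 'Completed') { throw "Search '$name' ended in state $($search.Status)" }

    if ($Delete -and $search.Items -gt 0) {
        # A purge action removes at most 10 items per mailbox per run; re-run until Matches is 0.
        New-ComplianceSearchAction -SearchName $name -Purge -PurgeType SoftDelete
    }
    New-Object psobject -Property @{ Mailbox = $Mailbox; Matches = $search.Items; Method = $Method }
}

# Constructed sample call: reports the match count only, nothing is deleted.
Remove-InScopeMessage -Mailbox 'shared-hr' -Query 'from:"jane.doe@example.com"'
```

Items removed with a SoftDelete purge remain recoverable until the deleted item retention period described in the next section expires.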

Public folders are a shared storage implementation that's not associated with a specific user. Instead, users are granted access to public folders to generate content. The actual implementation of public folders varies depending upon the version of Exchange (Exchange Server 2010 uses a different implementation than Exchange Server 2013 and later). Limited tools exist to manage the content in public folders. Client tools (for example, Outlook) are the primary mechanism for managing content in public folders. There are cmdlets for managing public folder objects, but not for managing individual content items within the public folder. A custom script that leverages Exchange Web Services (EWS) or other third-party tools will likely be needed to manage individual public folder items.

The primary requirement will likely be managing individual user mailbox content. This requirement will be easily addressed through the graphical or cmdlet-based tools that you regularly use to manage mailboxes. If you need to process content across multiple mailboxes or types of resources, eDiscovery is the preferred mechanism within Exchange to identify in-scope content.

Deleted Item Retention

When you delete individual messages or items from a mailbox (not the entire mailbox or public folder resource itself), the content is retained in a recoverable form based on the value of the DeletedItemRetention parameter for the mailbox database or public folder database. The default value is 14 days, but this value is configurable by an Exchange administrator.

Removing Soft-Deleted and Disconnected Mailboxes

When an Exchange mailbox is disabled, deleted or moved between databases (for example, as a part of load balancing), the mailbox is placed into a disabled, soft-deleted or disconnected state depending on the operation. While the mailbox is in any of these states, Exchange maintains the mailbox (which includes its contents) based on the current value of the MailboxRetention parameter that's specified on the mailbox database. The default value is 30 days, but this value is configurable by an Exchange administrator. You can use the Remove-StoreMailbox cmdlet to force Exchange to permanently remove (purge) all data associated with a mailbox prior to the retention period expiring naturally.

Important

Use the Remove-StoreMailbox cmdlet with caution as it results in an unrecoverable loss of data for the target mailbox.
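
The following Exchange Management Shell functions are an added example, not part of the original guidance. The first lists every mailbox still held in a disconnected state, with the retention windows of its database and the date it would expire naturally; the second purges one of them by GUID. The function names, database name and GUID are constructed for illustration.

```powershell
# Added example (hypothetical helper names).
function Get-DisconnectedMailboxReport {
    foreach ($db in Get-MailboxDatabase) {
        # String round-trip so the value also parses when returned over a remote session.
        $retention = [TimeSpan]::Parse("$($db.MailboxRetention)")
        Get-MailboxStatistics -Database $db.Name |
            Where-Object { $null -ne $_.DisconnectReason } |
            Select-Object DisplayName, MailboxGuid, DisconnectReason, DisconnectDate,
                @{ Name = 'Database';             Expression = { $db.Name } },
                @{ Name = 'MailboxRetention';     Expression = { $retention } },
                @{ Name = 'DeletedItemRetention'; Expression = { $db.DeletedItemRetention } },
                @{ Name = 'ExpiresAfter';         Expression = { $_.DisconnectDate + $retention } }
    }
}

function Remove-DisconnectedMailbox {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Database,
        [Parameter(Mandatory = $true)][guid]$MailboxGuid
    )
    # Refuse to act unless the GUID is a disconnected mailbox in this database.
    $target = Get-MailboxStatistics -Database $Database |
        Where-Object { $_.MailboxGuid -eq $MailboxGuid -and $null -ne $_.DisconnectReason }
    if (-not $target) { throw "No disconnected mailbox $MailboxGuid found in $Database" }

    # -MailboxState must match how the mailbox was disconnected (Disabled or SoftDeleted).
    # No -Confirm:$false: the cmdlet's own confirmation prompt stays in place.
    Remove-StoreMailbox -Database $Database -Identity $MailboxGuid -MailboxState "$($target.DisconnectReason)"
}

# Constructed sample calls: review the report first, then purge one entry from it.
Get-DisconnectedMailboxReport | Sort-Object ExpiresAfter | Format-Table -AutoSize
# Remove-DisconnectedMailbox -Database 'DB01' -MailboxGuid '00000000-0000-0000-0000-000000000000'
```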

On-Prem to Cloud Migrations

While migrating data from Exchange Server to Exchange Online, migrated data may continue to reside on the source on-premises Exchange Server in a form that's recoverable by an Exchange administrator. By default, this data will be automatically removed from the database within 30 days (see the Removing Soft-Deleted and Disconnected Mailboxes section above).

Automatic Data Collection Reported to Microsoft by Exchange Server

Exchange Servers deployed in on-premises environments do not provide any type of automated reporting or end user data capture to Microsoft. On Exchange Servers that have Watson crash dump reporting enabled in the Windows operating system, a crash report may include limited contents of memory as of the time the report is produced.