Artificial Intelligence (AI) is reshaping the way organisations operate, with Microsoft 365 Copilot positioned as one of the most significant tools to drive efficiency and productivity. By embedding AI into everyday applications like Word, Excel, Outlook, and Teams, Copilot promises to reduce repetitive tasks and support employees with data-driven insights. However, such benefits come with challenges, especially in the area of privacy and compliance. In December 2024, SURF conducted a Data Protection Impact Assessment (DPIA) to evaluate Copilot. Their findings underline the necessity for organisations to take proactive steps before integrating AI into critical workflows.
Key Privacy Risks Identified
SURF’s DPIA revealed multiple high-risk areas. Although Microsoft has since taken measures to reduce two of the four critical risks, two issues remain unresolved and are therefore highly relevant for organisations considering adoption. First, there is the retention of diagnostic personal data. Diagnostic data often contains metadata or identifiers that can be traced back to individuals, raising concerns about how long Microsoft retains this information and whether organisations can maintain compliance with the GDPR. Second, there are concerns around the accuracy of AI-generated output. Copilot is designed to provide suggestions, summaries, and insights, but inaccuracies in its output may result in misleading information, flawed decision-making, or reputational damage if unchecked. Together, these risks demand careful consideration and robust safeguards at the organisational level.
Governance Framework for AI Tools
To address these risks, organisations must establish a governance framework that ensures AI is deployed responsibly. Governance should start with the designation of clear responsibilities: whether this lies with the Data Protection Officer, the IT Asset Manager, or a cross-functional privacy board. Policies should define the acceptable scope of Copilot use, detailing which departments or job functions are permitted to use the tool, and under what circumstances. Equally important is the implementation of audit and reporting mechanisms to provide transparency into how Copilot is being used, which data it processes, and whether its use aligns with organisational policies and compliance standards. This framework should not be static but should evolve alongside new updates from Microsoft and changing regulatory requirements.
Risk Mitigation Strategies
Risk mitigation requires more than policy̶it requires practical steps embedded into daily operations. Conducting a DPIA tailored to the organisation’s specific Copilot use case is critical. This ensures that risks are assessed in the context of the data types processed, the user groups involved, and the intended purpose of AI use. Supplier agreements with Microsoft should be carefully reviewed to confirm they address privacy obligations, particularly regarding data retention, usage rights, and transparency commitments. Organisations should also enforce technical controls, such as restricting access to sensitive data sources or defining clear retention policies for diagnostic logs. Equally, training employees plays a vital role: users must understandboth the opportunities and the risks of Copilot, recognising when AI output may be inaccurate or when sensitive data should not be processed by the tool. Finally, ongoing reassessment is essential. Technology and regulations evolve quickly, and so must organisational safeguards. A six-month or annual review cycle for Copilot governance will help ensure sustained compliance and trust.
Conclusion
Microsoft 365 Copilot has the potential to revolutionise digital workplaces, but its adoption should not be rushed. The lessons from SURF’s DPIA make clear that risks around privacy and accuracy remain unresolved, and these require organisations to take responsibility for how the tool is implemented. By establishing strong governance, applying clear policies, and embedding risk mitigation strategies into daily operations, organisations can achieve the dual goals of innovation and compliance. In doing so, they will not only unlock the benefits of AI but also build trust with stakeholders, regulators, and employees alike.
Do you still have questions you’d like to see answered? Contact us today and we’ll clarify it all for you.
