Ensuring AI compliance with Microsoft 365 Copilot

Dec 9, 2025 Tech blog

AI-enabled chat services such as Microsoft Copilot (and ChatGPT, Gemini, Claude, etc.) present organisations with significant opportunities for enhanced productivity and smarter workflows. However, employing these technologies responsibly is crucial for any organisation that values security and safeguarding sensitive information. Where is the balance between staying competitive by making use of these exciting new technologies and not overstepping boundaries in data protection, organisational compliance, and privacy? Let’s examine the key considerations and how Microsoft 365 Copilot addresses these concerns.

Microsoft 365 Copilot integrates generative AI into everyday productivity tools while upholding stringent security and compliance standards. Operating within Microsoft's established compliance framework, Copilot honours user permissions, enforces data residency requirements, and adheres to international regulations and standards, including GDPR and ISO.

Copilot maintains robust privacy measures by not using organisational data to train its models. The application of sensitivity labels, encryption, and inherited compliance attributes ensures that generated content remains protected and in accordance with organisational policies.

How Microsoft 365 Copilot Ensures AI Compliance

1. Data Access & Permissions

  • Operates within your Microsoft 365 tenant.
  • Accesses only content the signed-in user can view (SharePoint, OneDrive, Outlook).
  • No cross-tenant data access.

2. Security and Encryption

  • Data is encrypted at rest and in transit.
  • Compliance with GDPR, ISO/IEC 27018, SOC 2.

3. Data Residency

  • Processing occurs within your tenant’s geographic data boundary.

4. Privacy & Model Training

  • Prompts and responses are not used to train foundation models.
  • No storage or reuse of user data outside session context.

5. Sensitivity Labels & Rights Management

  • Respects Microsoft Purview sensitivity labels and IRM encryption.
  • Generated content inherits the most restrictive sensitivity label.

6. Compliance Certifications

  • GDPR
  • ISO/IEC 27001 & 27018
  • SOC 1, SOC 2
  • Microsoft Data Protection Addendum

7. Scope of Access in Apps

  • In Word, Copilot can read the entire open document unless restricted to selected text.
  • Does not access unrelated files unless explicitly referenced.

Learn More from Official Microsoft Documentation

  1. Data, Privacy, and Security for Microsoft 365 Copilot. Explains how Copilot uses organisational data, data residency commitments, GDPR compliance, and privacy protections.
  2. Enterprise Data Protection in Microsoft 365 Copilot and Copilot Chat. Covers encryption, tenant isolation, GDPR, EU Data Boundary, sensitivity labels, and audit capabilities.
  3. Security for Microsoft 365 Copilot. Details Microsoft’s multi-layered security approach, Responsible AI principles, and compliance by design.
  4. Manage Compliance with Microsoft Purview for Copilot. Explains auditing, eDiscovery, retention, and risk management for Copilot interactions.
  5. Use Microsoft Purview to Manage Data Security & Compliance for Copilot. Lists supported compliance capabilities such as sensitivity labels, DLP, insider risk management, and DSPM for AI.

FAQ

  • Primary context: the selected text is the focus.
  • Secondary context: surrounding content may be considered for tone and coherence.
  • What it does NOT do:
    - Does not pull unrelated content from other documents.
    - Does not override sensitivity labels or permissions.

| Feature | Microsoft 365 Copilot | ChatGPT (OpenAI) | DeepSeek |
|---|---|---|---|
| Data Access | Operates within your Microsoft 365 tenant; respects user permissions | No tenant isolation; data sent to OpenAI servers | Similar to ChatGPT; data processed externally |
| Cross-Tenant Isolation | Yes – no cross-tenant access | No – shared infrastructure | No – shared infrastructure |
| Encryption | Encrypted at rest and in transit using Microsoft 365 standards | Encrypted in transit; storage depends on provider | Encrypted in transit; storage depends on provider |
| Data Residency | Processing within your geographic data boundary | No guaranteed geographic residency | No guaranteed geographic residency |
| Privacy & Model Training | Prompts/responses NOT used for training | May use prompts for model improvement | May use prompts for model improvement |
| Compliance Certifications | GDPR, ISO/IEC 27001 & 27018, SOC 1 & SOC 2 | Limited; not enterprise compliance-focused | Limited; not enterprise compliance-focused |
| Sensitivity Labels & IRM | Fully respects Microsoft Purview labels and IRM | Not supported | Not supported |
| Scope of Access | Only content user can access within Microsoft 365 apps | No app-level integration; external context only | No app-level integration; external context only |

Certainly. Businesses ought to inform users that session data is only temporary and will not be stored after their interaction ends. Nonetheless, since this data may include sensitive information, it should always be handled with care.

Copilot interactions are logged and can be audited through Microsoft Purview. Businesses should enable auditing and eDiscovery policies to maintain compliance and monitor usage.
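As an added example (not from this post or from Microsoft), the following Python reviews constructed Copilot interaction audit records the way a compliance team might after exporting them from Purview: it applies the most-restrictive-label inheritance rule from section 5 to the sources each interaction read, flags interactions whose sources meet a chosen label threshold, lists sources that carry no label at all, and counts interactions per user. The label names, their priority order, and every field name in the sample records are assumptions, not the real Purview audit schema.

```python
import json
from collections import Counter

# Sensitivity label names and their priority order are assumed for this example
# (higher = more restrictive); real tenants define their own in Microsoft Purview.
LABEL_PRIORITY = {"Public": 0, "General": 1, "Confidential": 2, "Highly Confidential": 3}

# Constructed sample records. The shape loosely follows an exported Copilot
# interaction audit entry, but every field name here is an assumption.
SAMPLE_RECORDS = [
    json.dumps({"CreationTime": "2025-12-01T09:12:44", "UserId": "alice@contoso.example",
                "AppHost": "Word", "AccessedResources": [
                    {"Name": "Q4-forecast.docx", "SensitivityLabel": "Confidential"},
                    {"Name": "board-minutes.docx", "SensitivityLabel": "Highly Confidential"}]}),
    json.dumps({"CreationTime": "2025-12-01T10:02:10", "UserId": "bob@contoso.example",
                "AppHost": "Teams", "AccessedResources": [
                    {"Name": "team-standup.docx", "SensitivityLabel": "General"}]}),
    json.dumps({"CreationTime": "2025-12-01T11:45:03", "UserId": "alice@contoso.example",
                "AppHost": "Excel", "AccessedResources": [
                    {"Name": "vendor-prices.xlsx"}]}),  # unlabelled source
]

def inherited_label(labels):
    """Generated content inherits the most restrictive label among its sources."""
    known = [l for l in labels if l in LABEL_PRIORITY]
    return max(known, key=LABEL_PRIORITY.get) if known else None

def parse_record(line):
    """Reduce one JSON audit line to the fields the checks below need."""
    rec = json.loads(line)
    resources = rec.get("AccessedResources", [])
    return {
        "time": rec["CreationTime"], "user": rec["UserId"], "app": rec.get("AppHost"),
        "resources": [r["Name"] for r in resources],
        "unlabelled": [r["Name"] for r in resources if "SensitivityLabel" not in r],
        "inherited": inherited_label([r.get("SensitivityLabel", "") for r in resources]),
    }

def flag_interactions(lines, threshold="Highly Confidential"):
    """Interactions whose sources meet or exceed the threshold label: review these."""
    limit = LABEL_PRIORITY[threshold]
    parsed = (parse_record(l) for l in lines)
    return [p for p in parsed if p["inherited"] and LABEL_PRIORITY[p["inherited"]] >= limit]

def unlabelled_sources(lines):
    """Resources Copilot read that carry no label: labels only protect labelled content."""
    return [(p["user"], n) for p in map(parse_record, lines) for n in p["unlabelled"]]

def interactions_per_user(lines):
    """Usage baseline per user, useful for spotting unexpected volume."""
    return Counter(parse_record(l)["user"] for l in lines)
```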

No. Copilot operates strictly within your Microsoft 365 tenant and does not share data across tenants or with external organisations.

Copilot respects existing sharing permissions. If a document is shared externally, Copilot only uses the content the signed-in user has access to and does not expose additional data.

Yes. Access is managed through Microsoft 365 licensing and role-based access controls, allowing administrators to enable or restrict Copilot for specific users or groups. Ensure your access policies and role-based permissions are properly configured before enabling Copilot.