Data Compliance When Using MS Copilot

You’ve read the articles about how incredible Copilot is at boosting productivity and efficiency, and now everyone in your organisation is clambering for it. Some of them have tried it, others are keen to, and it makes sense that everyone wants a go.

In Microsoft’s recent Future of Work Report, they found in a Teams Meeting Study, participants with access to Copilot found the task to be 58% less draining than participants without access, and among enterprise Copilot users, 72% agreed that Copilot helped them spend less mental effort on mundane or repetitive tasks.
 
Meanwhile, 80% of executives think automation like AI can be applied to any business decision, but only 18% of organisations believe they are digitally thriving. So, what about the practicalities of implementing Copilot? Most of the people I talk to lack the confidence about what the next steps are and how to roll out Copilot successfully – and securely - across their organisation.
 
There are lots of different AI versions, from Dynamics, Salesforce, Azure, and Service Now to name a few. These new AI tools help you mine data, summarise information, and work smarter. You can also build your own AI tools with Open AI to then use specific company data in the best way for your company.
 
We expect certain things to come out when we use Copilot or similar AI tools. For example, we expect deeper and more relevant search results, and personalised, relevant, and actionable responses. We also expect tenant, group, and user protections, and AI-assisted creativity, productivity, and automation. The key to success is helping users understand how to use data properly – which all starts with policy, governance, and classification to know what you have, then training and follow-through for user adoption.
 
So, let’s dive deeper into how you can be better prepared to implement AI tools and make them work well for your organisation.  

Data Quality

Making sure the data that AI trawls for information is of a high quality, relevant, and not out of date is critical to success. You need to understand first how the AI tools use data and the potential consequences of using old or wrong data.

AI is only as good at the information you put into it and the questions you ask it.
 
First, you will need to gain visibility of all your data sources and start to assess their quality and what can be discarded, what needs updating, and what can be kept. For example, there is no point in AI trawling through PowerPoints to create a new one if the figures in the previous ones are out of date, or through customer ordering information that’s old as it will produce inaccurate data for you.
 
On average, globally, every human creates at least 1.7 MB of data every second, so it’s no wonder 47% of digital workers struggle to find the information needed to effectively perform their jobs. We waste so much time looking for what we need, so, we must all ensure that we only keep what is up-to-date, of use, and relevant. Your company data policies should address these issues.
 
IT teams will need to assess the quality of your data across functions and with various departments in the business. Potentially, many businesses will need to spend considerable time assessing and ‘cleaning up’ their data before they can start using AI effectively.   
 
Organisations should also be aware of ‘dark data’ – the data that is not necessarily immediately visible to an employee or department, but which is still accessible by AI. It could be data that has come across with a migration but is often out of date. Some organisations will have a policy to delete all data that is five or ten years old. Putting in place the right permissions and reviewing your data constantly will be critical to the successful adoption of AI.
 
By working out what data is relevant and strengthening your data quality you will improve your AI results. A data assessment will allow you to ultimately make good decisions on what content to keep, remove, or archive.

Storage

While reviewing your data it’s important to match your storage capabilities and platforms with your data needs to ensure you are not wasting money on storage, but also that you can scale up if needed to allow for the extra compute that running AI requires.
 
It’s also important to ensure you know where your data is stored in M365 and other databases, how they interconnect, what data you need from them, and whether they have the right security in place. For example, archived data can be stored outside Microsoft 365 and Copilot can’t access it, but it can be brought back online should people request it.
 
Within this companies need to ask whether they are using and storing their data in the right way to meet regulatory obligations. All this needs to be set out in an AI strategy document. By having a clear AI strategy in place adoption will become much easier. Without it, the wrong permissions could be granted to employees, and potentially cause a data leak and result in catastrophic damage and fines from regulatory bodies.
 
Data privacy, Compliance & Security
 
Organisations need the right data privacy controls - internally and externally if sharing content. Understanding your regulatory obligations and meeting all GDPR legislations require extra vigilance with Copilot. It will ‘farm’ information from a variety of different sources and databases so it’s key that anyone accessing data has the right permissions in place to meet all your regulatory obligations.
 
Think about the sensitivity of data and consider which data sets need to be locked down and what compliance needs you have as an organisation. For example, identify sensitive data, external users, and links and how items are shared internally. All information can be given a ‘category’ of risk and identified by audience, then IT admin can run assessments and work out to prevent oversharing of sensitive data.
 
Alongside this, it's important to clean up permissions and enforce policies. For example, removing shadow users who have access but haven’t used the data because they have moved department. Who has access to what and how people can set up project teams that have access to certain data sets can all be reviewed and given permissions from the IT team. For example, ‘leases’ can be put on workspaces to allow access to data sets for a certain period only. 
 
Once your data and environment are clean and secure you can then use AI and automation to manage and govern your data.

Adoption 

Training people how to use Copilot properly and understanding what prompts to use for it to come back with useful information is the final part of a successful rollout. With the latest management tools, the IT team can have a clear overview of the people who are licensed to use Copilot and how they are using it. If they are not making the most of it, do they need more training?
 
Employees must also understand the risks around AI-created information and how to ‘check’ its veracity.

For example, if employees are using Chat GPT across internal data are they asking the right questions to retrieve the best answers, and are they checking the data is recent and relevant?
 
In principle, your data should be up to date if you have started your journey with a data assessment so that your AI tools only have access to high-quality data. However, we all know data goes out of date very quickly, so all employees need to be aware through appropriate training not only how to use the tools, but also how to review and assess whether the information that it spits out is useable.

We still need to use our intelligence to assess whether AI has given us useful, useable information or not.
 
The right strategy, policies, and security combined with good training will enable your workforce to make the most of AI and its amazing capabilities.

Mike Bellido is Cloud Solution Architect at CSI Ltd

Image: Ideogram

You Might Also Read: 

Insights From An Early Adopter Of Microsoft 365 Copilot:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

« The Dynamic Influence Of AI On Business Cybersecurity
What Will The NIS2 Directive Mean For Smaller Organisations? »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

World Wide Technology (WWT)

World Wide Technology (WWT)

WWT is a technology solution provider in the areas of big data, collaboration, computing and cloud, mobility, networking, security and storage.

CYBERSEC Forum

CYBERSEC Forum

CYBERSEC Forum is an annual European Public Policy Conference dedicated to strategic aspects of cybersecurity.

Culinda

Culinda

Culinda secures medical IoT devices in hospitals with An Artificial Intelligence platform and security gateway.

Capy

Capy

Capy's SaaS-based security solutions will protect your website from bots, spam, humans and more.

Jandnet Recruitment

Jandnet Recruitment

Jandnet Recruitment is a small specialist company working in the IT sector. We recruit across all IT disciplines including cyber security and digital identity.

OurCrowd

OurCrowd

OurCrowd is a leading equity crowdfunding platform for investing in global startups.

Squad

Squad

Squad provides leading expertise to ensure protection against the most complex cyber threats. Combining the best practices of DevOps and Cybersecurity, we are committed to create a secured cyber space

PNGCERT

PNGCERT

PNGCERT is the national Computer Emergency Response Team (CERT) for Papua New Guinea.

Alkira

Alkira

Alkira has reinvented networking for the cloud era by delivering the network cloud, the first global unified network infrastructure with on-demand hybrid and multi-cloud connectivity.

Xmirror Security

Xmirror Security

Xmirror Security focuses on integrated detection and defense of the continuous threat to the DevSecops software supply-chain with artificial intelligence technology as the core.

PixelQA

PixelQA

Are you looking for a security testing company to cross-check whether your software or mobile app has a possible security threat or not?

Forward Global

Forward Global

Forward Global designs and delivers services and technologies to manage digital, economic, and information risks.

Armata Cyber Security

Armata Cyber Security

Armata exists to bring Cyber Security to all people – from home users and SMBs to large enterprises. We believe all users have the right to an affordable yet effective Cyber Security solution.

Standard Notes

Standard Notes

Standard Notes is a secure digital notes app that protects your notes and files with audited, industry-leading end-to-end encryption.

Zynap

Zynap

Zynap is an Advanced AI-powered SaaS platform replicating cybercriminal tactics to predict, detect, and neutralize threats before they strike.

St Fox

St Fox

St. Fox is a leading consultancy helping enterprises secure their Cloud, Data, endpoints, and applications.