
Update Microsoft 365 Copilot DPIA: SLM and SURF advise responsible adoption.  

Jet de Ranitz

Public Sector Lead

Reading time: 3 min.

Update – September 15, 2025 

We are pleased to share a significant update regarding the deployment of Microsoft 365 Copilot within Dutch government and educational organizations. Following extensive collaboration and ongoing dialogue with SLM (Strategic Vendor Management of the Dutch Ministry of Justice) and SURF (ICT cooperative representing Dutch education and research institutions), both organizations have now revised their previous guidance. Based on improvements and additional measures implemented by Microsoft over the last 9 months, SLM and SURF concluded that the previously identified four high risks have been mitigated or reduced. These improvements enable organizations to deploy Microsoft 365 Copilot responsibly. 

Possible Microsoft 365 Copilot implementation in Public Sector 

The mitigations that led to a revised impact assessment are enabling government organizations and educational institutions to start deploying Microsoft 365 Copilot. As SLM and SURF advise, Microsoft will continue to be a partner for our public sector customers in looking responsibly at the implementations in their organizations. Implementing a clear AI strategy is one of the key elements in leveraging AI tools like Microsoft 365 Copilot to generate impact in a responsible manner.

In their assessment, SLM and SURF have identified two remaining medium risks. These topics require additional attention in the implementation process:  

  1. Accuracy of Generative AI Output: Microsoft’s perspective is that Microsoft 365 Copilot can be used in compliance with the General Data Protection Regulation (GDPR) accuracy principle. Microsoft demonstrated significant investments, such as grounding, citations and the recent ISO 42001 certification, and will continue to invest in this topic. Our perspective remains that both Microsoft and organizations themselves have a shared responsibility to address potential risks related to inaccurate generative AI output. Organizations have a responsibility to educate their users to understand that Microsoft 365 Copilot is a generative AI tool. It is intended to assist users and is not intended to, and should not be used to, replace user decision-making. We take customer feedback and suggestions from SLM and SURF seriously, so we are committed to implementing additional technical measures for the experience and controls related to accuracy. We will discuss these according to our agreed timeline in conversation with SLM and SURF.
  2. Retention of Diagnostic Data: Microsoft adheres to data minimization obligations under GDPR Article 5, which requires that Microsoft not retain personal data beyond the period for which it’s required. Microsoft has implemented a general policy to retain diagnostic event data for Microsoft 365 apps and services, including Microsoft 365 Copilot, for up to 18 months. It is important to note that diagnostic data refers to data that is used to keep our services secure, up to date and running as expected, and does not contain customer data.

We welcome the ongoing dialogue with SLM, SURF, and all stakeholders. We are very pleased with the steps we have been able to take in this continuous process. Our shared goal is to empower organizations to harness the benefits of AI while maintaining trust, transparency, and compliance. We invite companies to actively partner with the Microsoft teams, so that we can share best practices, learnings and skilling tools to enable the responsible implementation of Microsoft 365 Copilot and leverage the great benefits of AI. Microsoft is taking customer feedback from SLM and SURF seriously, and we will continue the conversation to continuously improve our services.
