Conduct a solid risk analysis
The big question is: if you move to the cloud now, how do you address risks? These can be privacy risks and information security risks […]
Michael Kimmijser
Public Sector Lead
Update – 27 May 2026
The latest reassessment of the Data Protection Impact Assessment (DPIA) for Microsoft 365 Copilot by SLM (Strategic Vendor Management of the Dutch Ministry of Justice) and SURF (the ICT cooperative representing Dutch education and research institutions) confirms the earlier findings: the recommendation remains unchanged, and the responsible use of Copilot within educational and government organizations continues to be possible.
The analysis shows that the four previously identified high risks have now been mitigated or reduced. These improvements enable organizations to implement Microsoft 365 Copilot responsibly. Microsoft believes that Microsoft 365 Copilot can be used in compliance with the General Data Protection Regulation (GDPR).
Implementation of Microsoft 365 Copilot in the Public Sector
While the DPIA outcomes support implementation, they also emphasize that responsible AI adoption requires more than technology alone. A clear AI strategy, strong governance, and targeted user guidance remain essential to safely and effectively realize the value of generative AI.
In their assessment, SLM and SURF identified two remaining medium-level risks:
The DPIA explicitly references the Workplace Harm filter that is active within the product. Microsoft introduced this capability in dialogue with Works Councils around the world. The filter helps prevent generative AI models from drawing conclusions, judgments, or evaluations about employees based on workplace communications. More information can be found in this blog.
It is important to note that diagnostic data refers to data used to keep services secure, up to date, and functioning as expected, and does not include customer data.
Secure and Responsible AI Use
At this time, Microsoft 365 Copilot is the only AI solution in the Netherlands that has undergone a full DPIA assessment. A public and substantiated risk framework is available, including concrete mitigating measures.
Microsoft emphasizes the importance not only of responsible AI use, but also of secure AI use. Alongside compliance considerations, organizations should continue to weigh the security risks associated with uncontrolled “bring your own AI” solutions. A clear AI policy and a validated solution are an important first step.
We invite organizations to actively collaborate with Microsoft teams so we can share best practices, lessons learned, and skilling tools to support the responsible implementation of Microsoft 365 Copilot.