{"id":1077498,"date":"2025-09-16T09:07:34","date_gmt":"2025-09-16T08:07:34","guid":{"rendered":"https:\/\/pulse.microsoft.com\/?p=1077498"},"modified":"2026-05-28T16:36:26","modified_gmt":"2026-05-28T15:36:26","slug":"fa2-update-microsoft-365-copilot-dpia-slm-and-surf-advise-responsible-adoption","status":"publish","type":"post","link":"https:\/\/pulse.microsoft.com\/nl-nl\/transform-nl-nl\/government-nl-nl-2\/fa2-update-microsoft-365-copilot-dpia-slm-and-surf-advise-responsible-adoption\/","title":{"rendered":"Update: DPIA for Microsoft 365 Copilot Completed: Deployment in the Public Sector Remains Possible\u202f\u00a0"},"content":{"rendered":"<p><span data-contrast=\"auto\">Update \u2013\u00a027\u00a0May\u00a02026\u202f<\/span><\/p>\n<p><span data-contrast=\"auto\">The latest reassessment of the Data Protection Impact Assessment (DPIA) for Microsoft 365 Copilot by SLM (Strategic Vendor Management of the Dutch Ministry of Justice) and SURF (the ICT cooperative representing Dutch education and research institutions) confirms the earlier findings: the recommendation remains unchanged, and the responsible use of Copilot within educational and government organizations continues to be possible.\u202f<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The analysis shows that the four previously\u202fidentified\u202fhigh risks have now been mitigated or reduced. These improvements enable organizations to implement Microsoft 365 Copilot responsibly. 
Microsoft believes that Microsoft 365 Copilot can be used in compliance with the General Data Protection Regulation (GDPR).\u202f<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">Implementation of Microsoft 365 Copilot in the Public Sector\u202f<\/span><\/b><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">While the DPIA outcomes support implementation, they also emphasize that responsible AI adoption requires more than technology alone. A clear AI strategy, strong governance, and targeted user guidance remain essential to\u202fsafely and effectively realize the value of generative AI.\u202f<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">In their assessment, SLM and SURF\u202fidentified\u202ftwo remaining medium-level risks:\u202f<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<ol>\n<li><b><span data-contrast=\"auto\"> Accuracy of generative AI output<\/span><\/b><span data-contrast=\"auto\">\u202f<\/span><br \/>\n<span data-contrast=\"auto\">Microsoft believes that Microsoft 365 Copilot can be used\u202fin accordance with\u202fthe GDPR\u2019s accuracy principle. Microsoft 365 Copilot is designed to support users, not to make decisions on their behalf. It therefore\u202fremains\u202fimportant that users review outputs and interpret them in context. Organizations\u202fare responsible for\u202fensuring that users understand that Microsoft 365 Copilot is a generative AI tool.\u202f<\/span><\/li>\n<\/ol>\n<p><span data-contrast=\"auto\">The DPIA explicitly references the Workplace Harm filter that is active within the product. Microsoft introduced this capability in dialogue with Works Councils around the world. The filter helps prevent generative AI models from drawing conclusions, judgments, or evaluations about employees based on workplace communications. 
More information can be found in this\u00a0<\/span><a href=\"https:\/\/www.microsoft.com\/insidetrack\/blog\/transforming-into-an-ai-first-frontier-firm-in-partnership-with-our-works-councils\/?msockid=04334e5a47be66c01e285a9743be60ea\"><span data-contrast=\"none\">blog<\/span><\/a><span data-contrast=\"auto\">.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<ol start=\"2\">\n<li><b><span data-contrast=\"auto\"> Retention period for diagnostic data\u202f<\/span><\/b><br \/>\n<span data-contrast=\"auto\">Microsoft\u202fcomplies with\u202fdata minimization obligations under Article 5 of the GDPR, meaning that personal data may not be\u202fretained\u202flonger than necessary for the purposes for which it was collected. Microsoft has implemented a <\/span><a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365-apps\/privacy\/diagnostic-events-exported-data#what-data-does-microsoft-retain-and-for-how-long:~:text=Microsoft%20has%20a%20general%20policy%20to%20retain%20diagnostic%20event%20data%20for%20Microsoft%20365%20apps%20and%20services%2C%20including%20Microsoft%20365%20Copilot%2C%20for%20up%20to%2018%20months\"><span data-contrast=\"none\">general policy<\/span><\/a><span data-contrast=\"auto\">\u00a0to\u202fretain\u202fdiagnostic\u202fdata for Microsoft 365 apps and services,\u00a0including Microsoft 365 Copilot, for a maximum of\u00a018 months.\u202f<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ol>\n<p><span data-contrast=\"auto\">It is important to note that diagnostic data refers to data used to keep services secure, up to date, and functioning as expected, and does not include customer data.\u202f<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">Secure and Responsible AI Use\u202f<\/span><\/b><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">At this time, Microsoft 365 Copilot is the only AI solution in the Netherlands that has undergone a full DPIA assessment. 
A public and substantiated risk framework is available, including concrete mitigating measures.\u202f<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Microsoft emphasizes the importance not only of responsible AI use, but also of secure AI use. Alongside compliance considerations, organizations should continue to weigh the security risks associated with uncontrolled \u201cbring your own AI\u201d solutions. A clear AI policy and a validated solution are\u202fan important\u202ffirst\u202fstep.\u202f<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">We invite organizations to actively collaborate with Microsoft teams so we can share best practices, lessons learned, and skilling tools to support the responsible implementation of Microsoft 365 Copilot.\u202f<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update \u2013\u00a027\u00a0May\u00a02026\u202f The latest reassessment of the Data Protection Impact Assessment (DPIA) for Microsoft 365 Copilot by SLM (Strategic Vendor 
[&hellip;]<\/p>\n","protected":false},"author":932,"featured_media":1077453,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"class_list":["post-1077498","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","specials-transform-nl-nl","verticalIndustries-government-nl-nl-2","stories-business-optimization-nl-nl","stories-how-do-i-make-sure-that-i-dont-lose-my-data-nl-nl-business-optimization-nl-nl","businessPriorities-digital-transformation-nl-nl"],"_links":{"self":[{"href":"https:\/\/pulse.microsoft.com\/nl-nl\/wp-json\/wp\/v2\/posts\/1077498"}],"collection":[{"href":"https:\/\/pulse.microsoft.com\/nl-nl\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pulse.microsoft.com\/nl-nl\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pulse.microsoft.com\/nl-nl\/wp-json\/wp\/v2\/users\/932"}],"replies":[{"embeddable":true,"href":"https:\/\/pulse.microsoft.com\/nl-nl\/wp-json\/wp\/v2\/comments?post=1077498"}],"version-history":[{"count":8,"href":"https:\/\/pulse.microsoft.com\/nl-nl\/wp-json\/wp\/v2\/posts\/1077498\/revisions"}],"predecessor-version":[{"id":1100014,"href":"https:\/\/pulse.microsoft.com\/nl-nl\/wp-json\/wp\/v2\/posts\/1077498\/revisions\/1100014"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/pulse.microsoft.com\/nl-nl\/wp-json\/wp\/v2\/media\/1077453"}],"wp:attachment":[{"href":"https:\/\/pulse.microsoft.com\/nl-nl\/wp-json\/wp\/v2\/media?parent=1077498"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pulse.microsoft.com\/nl-nl\/wp-json\/wp\/v2\/categories?post=1077498"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}