Get Copilot ready(-ish) – with Microsoft Purview

Copilot is now – finally – working with the Norwegian language, among 15 others (Supported languages for Microsoft Copilot – Microsoft Support).

That’s awesome, but I’m also pretty worried about some things.

Since the introduction of Copilot for Microsoft 365, I have participated in numerous workshops focused on Copilot readiness. It is concerning to observe that many organizations do not seem to prioritize it adequately, often lacking control over their data without a clear strategy in place. And this is not only a Copilot problem, but an overall data integrity problem.

Though Copilot won’t give you more access than you already have, it will expose data that you didn’t know you had access to.

For example, our Identity numbers are, according to GDPR, personal data that should be stored with a high level of protection due to their sensitive nature. It also says that it should be collected and stored if it’s absolutely necessary and for an intended purpose.

Another important aspect is that suitable technical and organizational measures have to be applied and access to personal data must be restricted to only those who are authorized.

I argue that many organizations are not compliant with the regulations for keeping personal data. I sincerely hope that someone can show me that I’m mistaken – that would make me incredible happy!

So, how do we proceed to make sure our data is safer?

Let me just point out that you will never be 100% completely secure, there is so much more than securing data – just read all Per-Torbens posts, the threat is real now!

What we can do, is make sure that we know our data, know where the different data types are stored and make sure that we protect it with the tools available.

Let me point out the steps in a more detailed manner.

Access: Who is granted access and to which elements do they have rights?
It is possible to securely store sensitive data within a team by ensuring robust access control measures are in place. This includes limiting the team’s ability to share and download content, thereby safeguarding the information.

Entra ID Access Packages is a tool which can help you protect your data by gaining complete control over which users has access and for how long.

Prepare Your Data: As far as possible, make sure that you label your data, so that sensitive data get the right label and restrictions. You could have sensitiv data and use a label on it that makes it impossible to share with externals via email, or that it can be shared with people outside a certain team for example.

Get your organization’s information ready for search and look at the possibility to remove certain SharePoint sites from search. Be aware that removing a site from search also make the site unavailable for search from Microsoft365 regular searches. Not only via Copilot. So that must be used as a last resort.

Dare to delete data: This is a tricky one, we are after all, a bunch of hoarders, who don’t have confidence in our systems, so we ensure that we have a backup of everything. And we will never risk deleting someone else’s data that has been there for a decade, but the person who created that data left five years ago…

To assist with deleting data, you can apply retention policies and configure them to automatically remove data from a specific site after a certain amount of time. For instance, in teams where people produce documents that are transferred to different systems once they are done, and that don’t need to stay in M365 after that task is finished.

The same retention policies could be used to help you preserve documents from deletion, if a set of data is required for a certain amount of time, you can use the retention policies to make sure data is not deleted from set sites.

Next post will be “Get Copilot ready(-ish) – with labels” – keep watching!