Microsoft Copilot integrates with Microsoft 365 services and uses large language models to generate responses based on your organization’s data. Customers subject to the General Data Protection Regulation need to understand how Copilot handles personal data, where it processes data, and what controls exist to meet compliance obligations. This article explains the key GDPR compliance features of Copilot, including data residency, data processing boundaries, and the tools administrators can use to manage compliance. It also covers common misconceptions and the steps your organization should take to remain compliant.
Key Takeaways: GDPR Compliance for Microsoft Copilot
- Microsoft 365 admin center > Copilot > Data processing boundary: Controls whether Copilot processes data within the EU Data Boundary or outside it.
- Microsoft Purview compliance portal > Audit > Copilot interactions: Logs all Copilot queries and responses for data protection impact assessments.
- Data Subject Rights (DSAR) automation: Use Microsoft Purview eDiscovery to search and export Copilot data for subject access requests.
Why GDPR Compliance Matters for Copilot
Copilot processes user prompts and organizational data to generate responses. When that data includes personal information such as names, email addresses, or HR records, GDPR obligations apply. The core risk is that Copilot may inadvertently expose personal data to unauthorized users or process data outside the European Economic Area without proper safeguards. Microsoft has designed Copilot to run within the Microsoft 365 compliance boundary, which means it inherits the same data processing commitments as Microsoft 365 itself. However, administrators must configure several settings to ensure compliance with Articles 5, 28, and 32 of the GDPR.
Data Processing Boundary and Data Residency
Copilot uses the same data processing boundary as Microsoft 365. By default, Copilot processes data in the region where your tenant is provisioned. For EU tenants, Microsoft offers the EU Data Boundary, which ensures that all data processing for Copilot stays within the European Union or European Economic Area. Administrators can verify this setting in the Microsoft 365 admin center under Settings > Org settings > Security & privacy > Data processing boundary. If your tenant is outside the EU, Copilot may process data in a different region. To maintain GDPR compliance, ensure your tenant is set to the EU Data Boundary if your users are based in the EU.
Data Subject Access Requests and eDiscovery
Under GDPR Article 15, individuals have the right to access their personal data. Copilot stores user prompts and generated responses in the Microsoft 365 audit log. Administrators can use Microsoft Purview eDiscovery to search for Copilot interactions related to a specific user. The search covers prompts, responses, and any attached data that Copilot accessed. To run a search, go to Microsoft Purview compliance portal > eDiscovery > Content search. Create a search query with the user’s email address and the keyword “Copilot” in the subject field. Export the results to provide to the data subject within the required one-month timeframe.
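The DSAR workflow above ends with an export that has to be turned into a disclosure for the data subject. The script below is an added example (not Microsoft's code and not part of the original article) that takes a Copilot audit export, keeps only the interactions belonging to one subject, and computes the one-month response deadline the article cites. It assumes the export is a CSV with the columns CreationDate, UserIds, Operations and AuditData, that Copilot records carry the operation name `CopilotInteraction`, and that the JSON inside AuditData uses the field names `AppHost`, `Messages` and `AccessedResources`; all of these, and the sample rows, are constructed for the example rather than taken from the page. Each interaction is also flagged against the 90-day full-text window the article describes, so the response can state which prompts can be reproduced verbatim and which only as metadata.

```python
"""DSAR triage over a Copilot audit export (added example; column and field names are assumptions)."""
import csv
import io
import json
from calendar import monthrange
from datetime import date, datetime, timedelta, timezone

# Constructed sample rows: two Copilot interactions for the subject (one with a
# differently-cased UPN), one for another user, and one non-Copilot operation
# that must be left out of the disclosure. Field names inside AuditData are assumed.
SAMPLE_ROWS = [
    {"CreationDate": "2024-05-02T09:15:00Z", "UserIds": "alice@contoso.example",
     "Operations": "CopilotInteraction",
     "AuditData": json.dumps({"AppHost": "Word",
                              "Messages": [{"isPrompt": True, "Size": 42}, {"isPrompt": False, "Size": 310}],
                              "AccessedResources": [{"Name": "HR-review.docx", "SensitivityLabel": "Confidential"}]})},
    {"CreationDate": "2024-01-20T14:03:00Z", "UserIds": "Alice@Contoso.example",
     "Operations": "CopilotInteraction",
     "AuditData": json.dumps({"AppHost": "Teams", "Messages": [{"isPrompt": True, "Size": 17}],
                              "AccessedResources": []})},
    {"CreationDate": "2024-05-03T11:00:00Z", "UserIds": "bob@contoso.example",
     "Operations": "CopilotInteraction",
     "AuditData": json.dumps({"AppHost": "Outlook", "Messages": [{"isPrompt": True, "Size": 60}],
                              "AccessedResources": []})},
    {"CreationDate": "2024-05-03T12:00:00Z", "UserIds": "alice@contoso.example",
     "Operations": "FileAccessed",
     "AuditData": json.dumps({"ObjectId": "https://contoso.example/sites/hr/HR-review.docx"})},
]

COLUMNS = ["CreationDate", "UserIds", "Operations", "AuditData"]


def render_export(rows):
    """Serialise rows as a CSV export so the parser below sees realistic quoted-JSON input."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def parse_export(csv_text):
    """Parse the CSV and decode AuditData; rows with missing or malformed JSON are skipped, not guessed at."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            data = json.loads(row["AuditData"])
        except (json.JSONDecodeError, KeyError, TypeError):
            continue
        ts = datetime.strptime(row["CreationDate"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append({"timestamp": ts, "user": row["UserIds"].strip().lower(),
                        "operation": row["Operations"], "data": data})
    return records


def copilot_interactions_for(records, subject_email):
    """Keep only Copilot interactions whose UPN matches the subject (case-insensitive)."""
    subject = subject_email.strip().lower()
    return [r for r in records if r["operation"] == "CopilotInteraction" and r["user"] == subject]


def dsar_deadline(received):
    """One month after receipt, clamped to the end of a shorter month (31 Jan 2024 -> 29 Feb 2024)."""
    year, month = (received.year + 1, 1) if received.month == 12 else (received.year, received.month + 1)
    return date(year, month, min(received.day, monthrange(year, month)[1]))


def build_dsar_package(csv_text, subject_email, received_iso, as_of_iso, full_text_days=90):
    """Build the disclosure bundle for one subject from an export, with the response deadline."""
    received = date.fromisoformat(received_iso)
    as_of = datetime.strptime(as_of_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    cutoff = as_of - timedelta(days=full_text_days)  # older than this: metadata only
    items = []
    for r in sorted(copilot_interactions_for(parse_export(csv_text), subject_email),
                    key=lambda r: r["timestamp"]):
        prompts = [m for m in r["data"].get("Messages", []) if m.get("isPrompt")]
        items.append({
            "timestamp": r["timestamp"].isoformat(),
            "app": r["data"].get("AppHost", "unknown"),
            "prompt_chars": sum(m.get("Size", 0) for m in prompts),
            "resources": [x.get("Name") for x in r["data"].get("AccessedResources", [])],
            "full_text_available": r["timestamp"] >= cutoff,
        })
    return {"subject": subject_email.strip().lower(), "received": received.isoformat(),
            "respond_by": dsar_deadline(received).isoformat(), "interactions": items}


if __name__ == "__main__":
    package = build_dsar_package(render_export(SAMPLE_ROWS), "alice@contoso.example",
                                 "2024-05-06", "2024-05-06T00:00:00Z")
    print(json.dumps(package, indent=2))
```

Before the bundle is sent, review the `resources` list: document names and labels accessed during an interaction can themselves identify other people, and Article 15 only entitles the requester to their own data, so that column is a redaction candidate rather than something to forward unchanged.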
Steps to Configure Copilot for GDPR Compliance
Follow these steps to align Copilot with your organization’s GDPR obligations.
- Verify your tenant region
Go to Microsoft 365 admin center > Settings > Org settings > Organization profile. Under Data location, confirm that your primary data location is in a GDPR-compliant region such as the EU or the United Kingdom.
- Enable the EU Data Boundary
In the admin center, navigate to Settings > Org settings > Security & privacy > Data processing boundary. Select EU Data Boundary. This ensures Copilot processes all prompts and responses within the EU.
- Turn on audit logging for Copilot
Go to Microsoft Purview compliance portal > Audit. Under Audit log, enable the Copilot interaction event category. Select CopilotActivity from the Activities list and click Start recording. This logs every user interaction with Copilot.
- Configure data retention for Copilot logs
In the Purview portal, go to Data lifecycle management > Retention policies. Create a retention policy for Copilot audit logs. Set the retention period to match your organization’s data retention schedule under GDPR Article 5.
- Restrict Copilot access to sensitive data
Use Microsoft Purview Information Protection to label sensitive documents. Copilot respects sensitivity labels. If a document is labeled “Confidential” or “Highly Confidential,” Copilot will not include it in responses unless the user has permission. To enforce this, go to Microsoft 365 admin center > Copilot > Data sources. Under Sensitivity labels, select the labels that should block Copilot access.
- Run a Data Protection Impact Assessment
Microsoft provides a DPIA template for Copilot in the Microsoft 365 admin center. Go to Settings > Org settings > Security & privacy > Data Protection Impact Assessment. Download the template, fill in your processing activities, and store the completed document for regulatory review.
Common Misconceptions and Limitations
Several misconceptions about Copilot and GDPR compliance can lead to compliance gaps.
Copilot Does Not Store Personal Data Indefinitely
Some customers worry that Copilot retains personal data from prompts and responses. Copilot does not store the content of prompts or responses beyond the session. The audit log retains metadata such as user ID, timestamp, and query length, but not the full text. If you need full-text retention for DSAR purposes, enable extended audit logging in Microsoft Purview, which stores the full prompt and response for up to 90 days.
Copilot Does Not Train Its Model on Your Data
Microsoft states that Copilot does not use your organization’s data to train the underlying large language model. The model is trained on publicly available data and Microsoft’s own datasets. Your data is processed only to generate responses in real time and is not stored for model improvement. This is a critical point for GDPR Article 22 compliance regarding automated decision-making.
Third-Party Plugins Require Separate Data Processing Agreements
If you enable third-party plugins in Copilot, those plugins may process personal data outside the Microsoft compliance boundary. For example, a plugin that connects to a CRM system could send user data to that third-party service. Before enabling any plugin, verify that the third party has a signed Data Processing Agreement and that the plugin processes data within the EU if required.
Copilot GDPR Compliance: Key Features Compared
| Item | Copilot with Microsoft 365 E5 | Copilot with Microsoft 365 Business Premium |
|---|---|---|
| Data processing boundary | EU Data Boundary available | EU Data Boundary available |
| Audit logging for Copilot | Extended audit logging included | Standard audit logging included |
| eDiscovery for DSAR | Full eDiscovery support | Limited to content search |
| Data retention policies | Custom retention policies supported | Custom retention policies supported |
| Sensitivity label enforcement | Works with all sensitivity labels | Works with all sensitivity labels |
Microsoft Copilot inherits the GDPR compliance commitments of Microsoft 365, but administrators must actively configure settings to maintain compliance. Verify your tenant’s data processing boundary, enable audit logging, and restrict Copilot access to sensitive data through sensitivity labels. For data subject access requests, use eDiscovery to search and export Copilot interactions. Review third-party plugins carefully and ensure they have signed Data Processing Agreements. By following these steps, your organization can use Copilot while meeting GDPR obligations under Articles 5, 28, and 32.