While Microsoft Copilot comes with tools to generate content, you still need to clean up your data and review your data security policies. Fortunately, Microsoft has a tool to help with that, too.
If you’re an IT professional, you may have breathed a sigh of relief when you learned that Microsoft Copilot would replicate the permissions already in place for your Microsoft apps. Not only that, but Microsoft has also assured us that:
- It will not use employees’ data to train its AI models.
- All prompts, responses and data stay within the Microsoft environment.
- Copilot’s search feature does not go outside the Microsoft tenant.
Given those safeguards, you might think that Microsoft has done the heavy lifting for you when it comes to data governance and data security. But here’s the kicker: AI is a whole new world. It requires you to pay even more attention — not less — to good data governance practices and data security.
In the first blog in our Get Ready for Copilot series, we covered the essential steps to take when selecting the copilots that match your business strategy, identifying employees who will benefit the most from the tool, and thinking about both upfront and long-term costs. Once you’ve taken those steps, you must start thinking about your technical readiness to optimize your data for Copilot and keep it safe.
The Data Security and Data Policy Compliance Review
While most people think of bad actors when they hear the words “data security,” Microsoft Copilot introduces the possibility that your data could be exposed by well-meaning employees who are just doing their jobs as they always have. For example, imagine that an HR representative has stored salary reviews for the last year in a public human resources Microsoft Teams channel.
After the HR rep leaves the firm, a new hire joins the public Teams channel. Curious about their earning potential at the company, the new hire asks Copilot, “What should I expect for a salary raise my first year?” To prepare its response, Copilot accesses the public Teams channel and draws on data from the unsecured salary reviews.
The awesome thing about Microsoft 365 (M365) is that many tools to prevent such errors are already built in. A review of your Microsoft Teams privacy settings would have saved the day in our HR Teams example. Other M365 apps (SharePoint, OneDrive, and so on) have guest privilege features that are easy to toggle on or off.
The bad news is that many of these tools did not exist in our historical, on-premises environments. Employees need to know that they are available and how to use them. Unless your organization has been forward-thinking in implementing the tools, the learning and adoption curve can be steep.
To address security and compliance at a deeper level, you must also review your policies that govern issues like conditional access, the use of sensitivity labels on data, data loss prevention, and data retention. Once you have taken these steps, you’ll be better prepared to address enemy number one: data ROT.
Root Out Data ROT with a Data Hygiene Technical Checklist
ROT stands for redundant, obsolete and trivial data. If you have an abundance of data ROT, you are at risk of not getting the best from Microsoft Copilot and opening your data to breaches, whether at the hands of bad actors or your dedicated employees.
- Redundant data simply means multiple copies of the same file.
- Obsolete data is outdated: multiple versions of a file may be from different times or located in different places.
- Trivial files are no longer needed or useful — they just take up space and get in the way.
As an example of two aspects of ROT, redundant and outdated, in my attic I once had three copies of the book “Networking for Dummies.” The book dates from 1999 and is 300 pages long. My son is getting interested in computing and networking, and one day, he had a question about wiring and plugs. I remembered I had those books in the attic, so I tromped upstairs and rummaged through memory lane until I found the books. I grabbed them and came down the stairs, proud of my decision to store the books away “just in case.”
Meanwhile, my son had already found the wiring scheme on the internet and was fast at work. My multiple copies of the same heavy book were redundant and also outdated, both in content and format. Needless to say, I don’t have those books anymore.
ROT waters down search and generative AI responses. For example, suppose you have your current Excel price sheet, but you have also kept the price sheets from the last 20 years. An old version of the price sheet is accidentally modified, making it the “most recent” file.
Now, when you ask Copilot for the price changes for a product over the last three years, it does not know what the most authoritative content is, and it could generate responses with the wrong data points. Without enforced data governance around such unstructured files, the chances of such errors and AI “hallucinations” rise. As a result, users will lose trust in the tools.
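The price-sheet scenario above can be checked for before Copilot is switched on. The following is an added example, not code from the original post or from Microsoft: it takes a constructed inventory of one document family and reports redundant copies and old versions that a "most recent" sort would pick. The tuple layout, file names, and the one-year threshold are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict
from datetime import date

# Constructed inventory of one document family (price sheets), not real data:
# (path, created, last_modified, content)
PRICE_SHEETS = [
    ("Sales/prices-2024.xlsx", date(2024, 1, 5), date(2024, 1, 5), b"widget,19.99"),
    ("Sales/Old/prices-2024 (1).xlsx", date(2024, 1, 9), date(2024, 1, 9), b"widget,19.99"),
    ("Sales/Old/prices-2015.xlsx", date(2015, 1, 6), date(2015, 1, 6), b"widget,11.25"),
    ("Sales/Old/prices-2009.xlsx", date(2009, 1, 7), date(2024, 3, 2), b"widget,7.50 "),
]

def redundant_copies(files):
    """Redundant data: groups of paths whose content hashes are identical."""
    by_hash = defaultdict(list)
    for path, _created, _modified, content in files:
        by_hash[hashlib.sha256(content).hexdigest()].append(path)
    return [sorted(paths) for paths in by_hash.values() if len(paths) > 1]

def stale_but_newest(files, min_age_gap_days=365):
    """Old files whose last-modified date makes them sort as the current version.

    Heuristic (an assumption): the file created last is treated as the
    authoritative one. Any file created at least min_age_gap_days earlier but
    modified on or after the authoritative file's last edit is flagged.
    """
    current = max(files, key=lambda f: f[1])
    flagged = []
    for path, created, modified, _content in files:
        gap = (current[1] - created).days
        if gap >= min_age_gap_days and modified >= current[2]:
            flagged.append((path, created, modified))
    return flagged

if __name__ == "__main__":
    print("redundant:", redundant_copies(PRICE_SHEETS))
    print("stale but newest:", stale_but_newest(PRICE_SHEETS))
```

Files flagged by the second check are the ones to archive, lock, or delete first, because they compete with the authoritative version in any recency-based ranking.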
Microsoft Purview: Your ROT-fighting Tool
The number of clients I meet who do not have at least a retention policy on users’ OneDrive data is staggering — but it’s understandable. Historically, retention policies were enforced only for paper documents, and humans carried them out. Fortunately, Copilot’s creators anticipated the challenges of data retention and data ROT when they created Microsoft Purview.
Purview applies your retention policies automatically to all M365 services (OneDrive, Exchange, SharePoint, and more), as well as to specific sites or users. Purview can calculate the age of content based on a number of factors, such as last-modified date, creation date, or compliance-defined events, such as a fiscal year or large project close dates.
During the designated period, data can either be protected or deletable. If the data is protected, a copy is stored and hidden away, protecting it even if a user deletes the file. Only privileged accounts can access these hidden copies, and they are discoverable by Microsoft eDiscovery tools. However, the hidden copies are automatically destroyed once the defined retention period has expired.
But what about the original files? Purview gives you several options for what happens once the retention period ends. You can set your data either to be deleted, to trigger a review for approval of action, or to trigger a custom process that you’ve defined in Power Automate. Most IT administrators use these policies for auto clean-up. Much like those robot vacuum cleaners, they do the work for you.
Tailor Purview for Your Company’s Needs
As you consider Microsoft Purview, you should keep in mind that automated retention policies may frighten employees. No one wants to log on only to find a file they need was deleted overnight. But take note: You have room for customization.
For example, one of my clients deployed a Microsoft Purview retention policy on all users’ OneDrive accounts. The policy deleted files three years after their last modified date and automatically placed them into the user’s OneDrive recycle bin. If a file was in use and updated, the policy restarted the three-year countdown.
My team and I deployed a solution that allowed users to override the three-year delete policy using a series of document retention labels. The labels gave users the ability to tag files or folders they wanted to keep for either five or seven years. Could a user tag all their data? Yes, but we decided to trust that users would follow corporate retention policies and destroy data on the defined schedules. Our solution allowed the client to restore trust while putting a retention policy in place that caused as little disruption and extra work as possible.
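A dry run of the policy described above, as an added example that is not the client's configuration or Purview code: it models the three-year rule, the five- and seven-year label overrides, and the open question of users who label everything, over a constructed inventory export. The label names, the counting of years from the last-modified date for labelled files, and the 90-day and 90% thresholds are assumptions.

```python
from collections import Counter
from datetime import date, timedelta

DEFAULT_YEARS = 3  # policy described above: delete 3 years after last modification
LABEL_YEARS = {"Keep-5y": 5, "Keep-7y": 7}  # hypothetical label names

# Constructed OneDrive inventory export: (owner, path, last_modified, label)
INVENTORY = [
    ("ana", "budget-2020.xlsx", date(2020, 2, 29), None),
    ("ana", "contract.docx", date(2020, 6, 1), "Keep-7y"),
    ("ana", "notes.txt", date(2021, 5, 20), None),
    ("ben", "a.docx", date(2019, 1, 10), "Keep-5y"),
    ("ben", "b.docx", date(2023, 3, 3), "Keep-7y"),
    ("ben", "c.docx", date(2018, 7, 7), "Keep-7y"),
]

def deletion_date(last_modified, label=None):
    """Date the file becomes deletable; any edit moves last_modified and restarts the clock."""
    years = LABEL_YEARS[label] if label else DEFAULT_YEARS  # unknown label raises KeyError
    try:
        return last_modified.replace(year=last_modified.year + years)
    except ValueError:  # 29 Feb has no counterpart in a non-leap target year
        return last_modified.replace(year=last_modified.year + years, day=28)

def dry_run(inventory, today, warn_days=90, label_ratio=0.9):
    """Return (overdue, due_soon, owners who labelled nearly all of their files)."""
    overdue, due_soon = [], []
    total, labelled = Counter(), Counter()
    for owner, path, modified, label in inventory:
        total[owner] += 1
        labelled[owner] += label is not None
        due = deletion_date(modified, label)
        if due <= today:
            overdue.append((owner, path, due))
        elif due <= today + timedelta(days=warn_days):
            due_soon.append((owner, path, due))
    heavy = sorted(o for o in total if labelled[o] / total[o] >= label_ratio)
    return overdue, due_soon, heavy

if __name__ == "__main__":
    names = ("overdue", "due soon", "label-everything owners")
    for name, rows in zip(names, dry_run(INVENTORY, today=date(2024, 4, 1))):
        print(name, rows)
```

The "due soon" list is what to send to users before enforcement starts, and the third list shows where the decision to trust users with labels needs a follow-up conversation.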
Using a data hygiene technical checklist and implementing basic retention policies should be at the top of your list as you prepare for Microsoft Copilot. After all, AI systems like Copilot are only as good and as safe as the data that feeds them. With Microsoft Purview, enforcement of your policies can be automated and even adjusted to meet your business needs.
In our next blog, we’ll consider how you can prepare your employees for the changes ahead, such as document retention policies and more automated tools.
Until then, roll up your virtual sleeves and get ready for some spring cleaning.