You have probably heard the terms Enterprise Data Protection (EDP) and Commercial Data Protection (CDP) in the context of Copilot. The distinction between them was not very clear, which caused some confusion and questions about what the difference is and what it means to have EDP rather than CDP.

Microsoft has just improved its documentation on this, in conjunction with its recent announcement that Enterprise Data Protection is being integrated into Microsoft Copilot for users who sign in with Microsoft Entra (that is, Microsoft / Office 365 users). This improves data security, privacy, and compliance when using Microsoft Copilot.

When logged in with a Microsoft Entra account, Microsoft Copilot will provide EDP features: all the security, privacy, and compliance measures previously available only in Copilot for Microsoft 365 now extend to all prompts (entered by users) and responses (Copilot-generated content) within Microsoft Copilot. With EDP, prompts and responses are protected by the same contractual terms and commitments that cover customer emails in Exchange and files in SharePoint.

What EDP brings to Microsoft Copilot when it is used with a Microsoft Entra account:

Your data is secure: Your data is protected with encryption at rest and in transit, rigorous physical security controls, and data isolation between tenants.

Your data is private: Microsoft won’t use your data except as you instruct. Microsoft’s privacy commitments include support for GDPR, ISO/IEC 27018, and the Data Protection Addendum.

Copilot adheres to your established access controls and policies: It upholds your existing identity model and permissions, inherits sensitivity labels, abides by your data retention, audit, eDiscovery and advanced Microsoft Purview capabilities, and conforms to your administrative configurations.

Protection against AI security risks: Copilot is safeguarded against AI-focused risks such as harmful content and prompt injections.

Your data isn’t used to train foundation models: Just as with Commercial Data Protection, prompts and responses are not used to train foundation models.

In a nutshell, compared with Commercial Data Protection, EDP adds compliance, governance, access control and policy enforcement, and extends them to prompts and responses as well.

Microsoft Copilot for Microsoft 365 runs on the ISO 27018 certified Microsoft 365 platform. Microsoft Copilot will start rolling out to the same platform in the second half of September 2024 for users signed in with a Microsoft Entra account.

Remember that Microsoft Copilot and Copilot for Microsoft 365 are different tools, even though you very often use them from the same user interface, where you switch between them by selecting Web or Work. You can use Microsoft Copilot via http://www.microsoft.com/copilot, in Microsoft Edge (web browser), in the Microsoft 365 app, and in the mobile apps.

Microsoft Copilot is used to discover information from the web, while Copilot for Microsoft 365 is the Work tab and discovers information from your work Outlook, SharePoint, OneDrive, Teams, and so on.

If you are using the Copilot mobile app with a Microsoft Entra ID account, you will be redirected to the Microsoft 365 mobile app beginning mid-September.

What about web queries? 

When Copilot discovers information from the web, it sends queries to the Bing search service. These are treated the same way by both Copilots. Copilot condenses your prompt into key terms, sends them over a secure connection, and disconnects them from your user and tenant identities. Just as before, these queries are not shared with advertisers and are not used to train foundation large language models (LLMs).

Bing’s search operations are separate from Microsoft 365 and follow different data practices, as outlined in the Microsoft Services Agreement and the Microsoft Privacy Statement. In this arrangement, Microsoft independently manages data control and adheres to the relevant legal and regulatory responsibilities. This approach aligns with other optional Bing-based connected experiences.

The following information is not included in the generated query sent to the Bing search service:

The user’s entire prompt, unless the prompt is short (for example, “local weather”)

Entire files uploaded into Copilot  

Entire web pages or PDFs summarized by Copilot in Edge 

Any identifying information based on the user’s Microsoft Entra ID (for example, username, domain, or tenant ID) 

Conclusion 

In today’s digital landscape, data protection is paramount. Microsoft Copilot, when used with Enterprise Data Protection (EDP) and a Microsoft Entra account, offers enhanced security, privacy, and compliance measures that are crucial for safeguarding sensitive information.

Key Takeaways: 

Enhanced Security: Ensures that your data is protected with encryption, rigorous physical security controls, and data isolation between tenants. 

Privacy Commitment: Microsoft commits to privacy, supporting GDPR, ISO/IEC 27018, and the Data Protection Addendum. Your data is used only as you instruct. 

Adherence to Policies: Copilot adheres to your established compliance, governance and policies.

Protection Against AI Risks: Safeguards against AI-focused risks such as harmful content and prompt injections.

No Data Usage for Training: Prompts and responses are not used to train foundation models, so your data stays private.

Information sources and read more: 

Published by Vesa Nopanen

Vesa “Vesku” Nopanen, Principal Consultant and Microsoft MVP (M365 and AI Platform) working on Future Work at Sulava.
