Prevent data loss and insider risks for Microsoft 365 Copilot with Microsoft Purview
Quick question from the recent Purview AI webinar: If Purview captures individual user prompts and responses for monitoring, how does this comply with GDPR?
Seems like a potential conflict between AI governance needs and data privacy requirements - especially regarding consent and data minimization.
Are there specific configurations or best practices to handle this properly under European data protection law?
Thanks!
- JeremyChapmanMSFT (Microsoft), Jun 17, 2025
In this case, the user is logged in to a company-managed device. In order to access company resources, they have also set up a work user profile in the browser and are logged in in the context of their Microsoft 365 work account.
- Casey Spiller (Microsoft), Jun 17, 2025
Prompts and responses are stored in Teams and in the substrate; DSPM for AI displays that data.
Depending on the need, you can use eDiscovery+Graph to delete this information if it pertains to data removal, or alternatively you could use auto retention to delete information ongoing based on a specific data classifier.
Search for and delete Copilot data in eDiscovery | Microsoft Learn
Automatically apply a retention label to Microsoft 365 items | Microsoft Learn
- Ben_Summers (Microsoft), Jun 17, 2025
Like every Microsoft product, Purview has undergone extensive compliance and privacy reviews - to help us ensure that we can meet the legal and regulatory commitments we make to customers regarding GDPR, EUDB compliance, etc. Because we don't give legal advice, we'd strongly encourage you to work with your own legal counsel to discuss concerns about potential conflicts between privacy and abuse/misuse monitoring to determine what's right for your organization.