The road ahead
NTNU has chosen not to introduce M365 Copilot throughout the entire organisation, but instead introduce the tool in small and controlled steps, limited initially to selected roles.
As M365 Copilot requires its own licenses, increased costs must be justifiable through actual, realisable gains, and it is important that both direct and indirect costs are included in the overall assessment. M365 Copilot is still in the early stages of development and does not provide control at a granular level, such as the ability to make local and flexible adaptations (e.g. disabling access to users’ mailboxes or specific deletion policies). Microsoft probably considers unlimited access to the user’s mailbox as an important and central feature, but it is perhaps one of the features that gives rise to the most uncertainty among many organisations.
The Norwegian Data Protection Authority expects the issues that customers, organisations, authorities and wider society identify in the product are taken seriously by the product supplier. At the same time, there are clear requirements for organisations that wish to benefit from using the tool. The prerequisite of having an extremely well-functioning information management system may make it difficult to succeed with such solutions, but obviously has a positive upside that goes far beyond the implementation of one specific solution.
NTNU has done an impressive, socially beneficial and extensive job of acquiring knowledge and awareness of the use of large language models in general and integrated AI solutions such as M365 Copilot in particular. However, if NTNU wishes to expand its use of M365 Copilot, it is important that the necessary data protection impact assessments are carried out for specific processing operations in light of given use cases.