Progress meets responsibility
Artificial intelligence in a tax firm? At first glance, this may sound like a contradiction. After all, tax advisors work with highly sensitive client data subject to the strictest data protection regulations. Yet, at the same time, the pressure to work more efficiently and optimize day-to-day office operations is growing. Microsoft Copilot promises precisely that: digital support that takes over repetitive tasks, evaluates data, and provides valuable insights. But how can this potential be harnessed without incurring data protection risks? The answer lies in the structured use of Microsoft 365 and Microsoft Purview.
Challenges of using Microsoft Copilot in tax offices
Data protection and GDPR compliance
Tax firms face a clear challenge: they manage highly sensitive client data, which, according to Article 28 of the GDPR, may only be processed on the instructions of the controller. However, an AI like Copilot analyzes data automatically, which can make it difficult to control how that data is used. Protecting this data must therefore be a top priority.
Another key issue is the question of where and how Copilot processes the data. Since Microsoft 365 Copilot relies on large language models (LLMs), the legitimate question arises as to which data centers these queries are processed in. This is particularly relevant for tax firms in the European Union (EU), given the strict regulations governing international data transfer.
Furthermore, Copilot's automatic content creation could inadvertently aggregate or process sensitive information outside its intended use case. Properly controlling and limiting this processing is therefore critical to preventing data breaches.
Order processing and obligation to follow instructions
Microsoft Copilot acts as a data processor within Microsoft cloud services. This means that Microsoft processes data on behalf of the tax firm. To comply with GDPR requirements, it is necessary to ensure that Copilot only operates within the agreed processing activities and that no unauthorized use takes place. As regulatory requirements for AI are constantly evolving, the question also arises as to whether Microsoft Copilot can meet all data protection and compliance requirements in the long term. Companies need clear commitments regarding the security and long-term adaptability of the solution.
Transparency and loss of control
Another risk is the lack of transparency regarding which data Copilot processes. Unlike a human employee, the AI can independently analyze information, generate suggestions based on these insights, and output them in response to user queries. Without appropriate technical and organizational measures, there is a risk that business-critical or personal data will be processed without control.
Potential solutions with Microsoft Purview for secure use of Copilot
Microsoft is aware of this problem. To address these challenges, Microsoft Purview offers a comprehensive solution platform that helps tax firms deploy Copilot efficiently and in compliance with GDPR. This focuses not only on security, but also on the transparency and controllability of AI-based data usage.
A crucial factor is data control with Data Loss Prevention (DLP) and sensitivity labels. Tax firms must prevent the uncontrolled sharing of sensitive client data. Microsoft Purview DLP makes it possible to analyze and specifically control data movements within the cloud. By defining DLP policies, it can be ensured that personal or tax-relevant information does not enter unwanted channels. Which information receives this special protection can be controlled, among other things, through sensitivity labels. These allow specific documents (e.g., contracts or invoices) and information types (e.g., tax numbers, account details, etc.) to be specially protected, both manually and automatically, and to be excluded from Copilot output.
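The following script is an added example (not code from the original article or from Microsoft) showing how the DLP policy and label combination described above looks in Security & Compliance PowerShell. The policy name, rule name and the label name "Mandant - Vertraulich" are assumed; the built-in sensitive information type names are the ones Microsoft ships, but check them in your tenant with Get-DlpSensitiveInformationType before relying on them. The policy starts in test mode so the firm can review matches before anything is blocked.

```powershell
# Added example, not from the original article. Requires the ExchangeOnlineManagement
# module and a Purview (Security & Compliance) admin role.
Connect-IPPSSession

# Confirm the built-in sensitive information types used below exist in this tenant
# (assumption: these are the shipped display names; adjust if they differ).
$sitNames = @("Germany Tax Identification Number", "International Banking Account Number (IBAN)")
$missing = $sitNames | Where-Object { -not (Get-DlpSensitiveInformationType -Identity $_ -ErrorAction SilentlyContinue) }
if ($missing) { throw "Sensitive information types not found: $($missing -join ', ')" }

# 1. A policy covering the workloads Copilot draws content from.
#    Mode TestWithNotifications = policy tips and reports, but no blocking yet.
New-DlpCompliancePolicy -Name "Mandantendaten-Schutz" `
    -Comment "Tax client data: block external sharing, report matches" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# 2. A rule that fires on either a detected tax/bank identifier OR the firm's own
#    sensitivity label, and blocks sharing with anyone outside the organization.
$condition = @{
    operator = "Or"
    groups   = @(
        @{ operator = "Or"; name = "ClientIdentifiers"
           sensitivetypes = @(
               @{ name = "Germany Tax Identification Number"; mincount = 1 },
               @{ name = "International Banking Account Number (IBAN)"; mincount = 1 }
           ) },
        @{ operator = "Or"; name = "ClientLabel"
           labels = @( @{ name = "Mandant - Vertraulich"; type = "Sensitivity" } ) }  # assumed label name
    )
}

New-DlpComplianceRule -Name "Block-External-ClientData" -Policy "Mandantendaten-Schutz" `
    -ContentContainsSensitiveInformation $condition `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This item contains client tax data and cannot be shared externally." `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent @("Title", "DocumentAuthor", "Detections", "Severity")

# 3. Review what would have been blocked, then switch the policy to Enable.
Get-DlpCompliancePolicy -Identity "Mandantendaten-Schutz" | Format-List Name, Mode, Workload
# Set-DlpCompliancePolicy -Identity "Mandantendaten-Schutz" -Mode Enable
```

Two design notes. The rule is written as a disjunction so that a document carries protection either because its content matches a known pattern (automatic) or because an employee labelled it (manual), which is the "both manually and automatically" point above. Separately, the way a label keeps content out of Copilot answers is through its encryption settings: if the label's usage rights do not grant the user the EXTRACT right, Copilot will not summarize or return that item's content, and that is configured on the label itself in the Purview portal, not in the DLP rule.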
Access control via Microsoft Entra ID complements these protective measures. Not every firm employee needs full access to Copilot, and not every document should be available to every employee for AI analysis. Purview allows you to define detailed policies that control which users have access to which data. Entra ID also adds access security through multi-factor authentication, role-based permissions, and other mechanisms such as conditional access. This ensures that Copilot is restricted to authorized users and trusted work environments.
The permissions model within a Microsoft 365 tenant further complements this, ensuring that data doesn't inadvertently leak between users, groups, or tenants. Copilot only uses the data to which the user has access when making a request – based on the same access control mechanisms used in other Microsoft 365 services. This ensures that your existing Microsoft 365 permissions concept remains in place and is also enforced for Copilot requests.
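As an added example (not from the original article or from Microsoft), the Conditional Access policy below expresses the "authorized users and trusted work environments" requirement from the two paragraphs above in Microsoft Graph PowerShell: members of an assumed "Copilot-Users" group may reach Office 365 services only with MFA and from a compliant (Intune-managed) device. The group ID is a placeholder; the policy is created in report-only mode so sign-in logs show its effect before it is enforced.

```powershell
# Added example, not from the original article. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# Resolve the assumed group that is licensed for Copilot (placeholder name).
$group = Get-MgGroup -Filter "displayName eq 'Copilot-Users'"
if (-not $group) { throw "Group 'Copilot-Users' not found; create it or adjust the name." }

$policy = @{
    displayName = "Copilot users: MFA and compliant device for Office 365"
    state       = "enabledForReportingButNotEnforced"   # report-only first, then "enabled"
    conditions  = @{
        users        = @{ includeGroups = @($group.Id) }
        applications = @{ includeApplications = @("Office365") }  # the Office 365 app group
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Format-List DisplayName, State, Id
```

This does not change what data Copilot can see; that still follows the user's existing Microsoft 365 permissions as the paragraph above describes. It constrains who can exercise those permissions through Copilot and from where, and the report-only phase is the check that the firm's own staff are not locked out before the policy is switched to enabled.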
With the EU Data Boundary, Microsoft has also ensured that the data traffic of European users is always processed within the EU. While Copilot requests from "global users" are primarily processed in the nearest data centers, requests may be forwarded to other regions during periods of high load. This does not apply to European users, for whom special protection measures apply: their data traffic remains within the EU borders, whereas data traffic generated elsewhere in the world can also be forwarded to other countries for processing by the language model.
Microsoft is also committed to maintaining its privacy and security commitments over the long term. As AI regulatory requirements evolve, Microsoft Copilot will continuously adapt to new legal requirements. Copilot will remain fully integrated with Microsoft 365 and compliant with existing privacy, security, and compliance standards for business customers.
Despite Microsoft Copilot's high reliability, one important rule remains: human review is essential. No system is perfect, and Microsoft strongly recommends reviewing all content generated by Copilot before use. This not only helps avoid potential errors but also contributes to ensuring the accuracy and safety of AI models. The final decision always remains in human hands, a crucial factor for the responsible use of AI.
Conclusion: Using Copilot safely and in a GDPR-compliant way in the tax office
Microsoft Copilot can significantly increase efficiency in tax firms by automating repetitive tasks, performing analyses, and generating summaries. However, these benefits can only be realized securely if data privacy and client protection are a top priority.
The combination of Microsoft 365 and Purview provides the necessary tools for controlled use of Copilot. Through targeted DLP strategies, intelligent access controls, comprehensive logging, and automated data classification, Copilot becomes a valuable yet secure assistant in everyday firm operations. Use the opportunities offered by AI consciously and in a controlled manner – this way you can reap the benefits without compromising on security!