u/gdpr_ai_desk

▲ 13 r/gdpr

How are you handling GDPR documentation when new Copilot features roll out without warning?

We rolled out Microsoft 365 Copilot Chat (standalone version) over a year ago. Since then new features keep appearing (Outlook integration, meeting summaries, Glance Cards), and nobody formally assessed the GDPR implications of each one.

We have a DPA with Microsoft, but I'm not confident it covers the Bing web grounding exception, or that most people realise Anthropic models are explicitly excluded from the EU Data Boundary.

Curious how others are handling this. Do you do a fresh DPIA for each new feature rollout? Do you have a standing AI policy that covers it? Or are most orgs just hoping for the best?

Would also be interested if anyone has put together decent documentation for this. Everything I've found online is either too generic, not AI-specific, or written for lawyers, not for the person actually doing the work.

u/gdpr_ai_desk — 8 days ago