Microsoft Teams, Copilot and GDPR: what businesses should know before switching these features on

Annabel Kaye

June 3, 2026
5 min read

Share this post

n my earlier article on AI transcription tools and GDPR, I looked at how many businesses are switching AI meeting systems on without fully understanding what happens to the data afterwards.

I then reviewed:

using a simple question:

“What can an ordinary business owner realistically work out from the publicly available information before enabling these systems for client meetings?”

This article applies the same practical approach to Microsoft Teams, transcription features and Copilot integrations.

It also links closely with my earlier article on Microsoft Copilot and data privacy, which looks more broadly at AI across the Microsoft ecosystem.

This is not a technical security audit and it is not legal advice.

It is a practical attempt to understand:

what these systems appear to do
what controls appear to exist
what remains unclear
and why that matters if meetings involve sensitive information.

Why we looked at Microsoft Teams and Copilot

Unlike Otter.ai or Fathom, Microsoft Teams is already built into many organisations.

That creates a different type of risk.

Many businesses assume:

“it all stays within Microsoft”
“it stays inside our own systems”
or “Microsoft already handles all the GDPR bits.”

But modern Teams environments may involve:

recordings
transcripts
meeting recaps
Copilot summaries
organisational search
OneDrive
SharePoint
calendar integrations
guest access
file sharing
AI indexing
and wider Microsoft 365 integrations.

That means two businesses both saying:
“We use Teams”
may actually be operating with very different:

storage setups
permissions
retention controls
AI features
and organisational visibility.

The first thing we discovered

With Microsoft, the challenge is not a lack of documentation. It is the sheer amount of it. If Otter.ai was muddy and Fathom was spread around then Microsoft is like wandering through an information jungle with no machete!

Information is spread across:

Teams documentation
Microsoft 365 documentation
SharePoint and OneDrive guidance
Copilot documentation
compliance documentation
admin centre guidance
Purview governance tools
retention policy settings
meeting policy documentation
and licensing information.

That makes it difficult for ordinary businesses to quickly understand:

where meeting data is stored
who can access transcripts
whether transcripts are searchable
how long information is retained
whether Copilot can reference meeting content later
or what controls apply to their organisation’s specific setup.

What we could establish from Microsoft’s published information

Retention controls

Account type	What we found publicly	Why it matters
Standard Teams/Microsoft 365 setups	Retention behaviour appears heavily dependent on organisational settings and Microsoft 365 configuration	Businesses may assume recordings disappear when they do not
Admin-managed environments	Microsoft provides retention policies and compliance tools through Microsoft 365 and Purview	Organisations may have more control if properly configured
Different licensing levels	Some controls and compliance features appear to depend on licensing level	Two businesses using Teams may have very different governance capabilities

Sources:
Microsoft Teams retention documentation
Microsoft Purview retention overview

One recurring issue with Microsoft systems is that many important controls appear to sit at:

organisational level
tenant level
or admin level,

rather than being obvious to ordinary end users.

If you are a small business using teams, it is possible that only the person who set up your IT knows!

AI summaries and searchable transcripts

Question	What we found publicly	Why it matters
Can Teams generate transcripts?	Yes	Conversations may become searchable later
Can meetings generate AI summaries and recaps?	Yes, particularly through Copilot integrations and recap features	This is more than simple recording
Can meeting content become searchable organisational information?	Yes	Sensitive conversations may become easier to retrieve internally

Sources:
Microsoft Teams transcription support
Microsoft Teams meeting recap
Microsoft Copilot overview

This is one of the biggest misunderstandings I see around AI meeting systems.

Many people still think:
“the meeting was recorded.”

In reality, modern Teams environments may also involve:

transcription
indexing
AI summaries
recaps
searchable transcripts
organisational storage
and wider Microsoft 365 integrations.

That creates a very different operational picture from a simple replay recording.

Sharing, downloads and integrations

Question	What we found publicly	Why it matters
Can recordings and transcripts be shared?	Yes	Meeting information may move beyond the original participants
Are recordings connected to OneDrive and SharePoint?	Yes	Meeting information may become part of wider organisational storage
Can Teams integrate with calendars and wider Microsoft systems?	Yes	Meeting information may connect across organisational workflows
Can external participants join meetings?	Yes	Organisations may need to think carefully about guest access and visibility

Sources:
Teams meeting recordings storage information
Microsoft Teams guest access documentation

Again, this does not automatically make the platform inappropriate.

But businesses should understand they may be enabling:

searchable organisational records
AI-generated summaries
wider internal visibility
file storage across Microsoft systems
and long-term retrieval of meeting content.

Storage, processing and consent

Question	What we found publicly	Why it matters
Is meeting information always stored only inside the organisation?	Not necessarily	Storage and access may depend on organisational setup and Microsoft 365 configuration
Can external guests participate in meetings?	Yes	Organisations may need to think carefully about sharing and permissions
Who is responsible for lawful use and consent?	Responsibility remains with the organisation using the platform	Businesses still need to think about transparency and appropriate use

Sources:
Microsoft Teams compliance overview
Microsoft privacy statement

This becomes particularly important where meetings may involve:

medical information
children’s data
safeguarding discussions
family situations
confidential financial discussions
or other sensitive information.

Simply saying:
“This meeting may be recorded” may not always be enough if people do not properly understand that AI summaries, searchable transcripts, recaps, cloud storage or wider organisational access may also be involved.

Questions we could not clearly answer from the public information

At the time of writing, we could not clearly establish from Microsoft’s public-facing information:

exactly which AI/transcription features apply to which licensing levels
how many organisations fully understand their own tenant settings
whether all businesses using Teams have appropriate retention policies configured
how consistently organisations restrict transcript visibility internally
whether all users understand where meeting recordings are ultimately stored
or how many organisations have fully reviewed Copilot access across meeting data.

That does not necessarily mean the controls do not exist.

But it does mean you may struggle to build a clear operational picture before enabling these features.

Our practical concern

As with Otter.ai and Fathom, I would personally be cautious about using transcription, AI summaries or Copilot meeting features for meetings involving: