What Copilot can actually do in a tax firm
Copilot summarizes a 40-page client file in two minutes. It searches all firm documents for a specific tax regulation. It drafts a response to a tax authority inquiry. It generates meeting notes from Teams recordings. It analyzes financial spreadsheets and spots patterns.
For a tax firm with 15 employees, these are real productivity gains. Not theoretical. Not in a Microsoft demo. In daily work.
But every one of those actions touches client data. And client data at German tax advisory firms (Steuerberater) is protected by criminal law. Not just data protection regulation. Criminal law.
Why Section 203 of the German Criminal Code changes everything
German tax advisors are classified as holders of professional secrets (Berufsgeheimnisträger). Section 203 of the German Criminal Code protects professional secrecy with up to one year of imprisonment. This is not an administrative fine. This is not a GDPR penalty. This is criminal liability.
“Disclosure” under the law doesn’t require someone to actively read the data. It’s enough that an unauthorized third party gains technical access. When Copilot processes client data, that data must stay within authorized access boundaries. No employee should be able to reach data through Copilot that they’re not authorized to see.
The 2017 reform introduced Section 203(3), allowing professionals to share data with “other contributors” (sonstige Mitwirkende). But the conditions are strict:
- Contractual confidentiality obligation explicitly referencing Section 203
- Briefing on criminal consequences
- Documented necessity of the data processing
- Ongoing oversight of compliance
Microsoft offers a “Professional Secrecy Addendum” for M365 that addresses these requirements. That helps. But the contract alone doesn’t solve the problem. The technical configuration has to enforce the boundaries.
The real risk: cross-client access
The issue isn’t primarily that Microsoft sees the data. Microsoft processes data in the EU region (if configured correctly) and has contractual foundations for Section 203. The issue is inside the firm.
Tax firms work with dozens of clients simultaneously. When an employee asks Copilot “summarize the latest correspondence about the tax audit,” Copilot searches everything that employee can access. In a firm with flat SharePoint permissions, that can include files from clients the employee isn’t working on at all.
That’s an oversharing problem. And for holders of professional secrets, a permissions problem quickly becomes a criminal liability problem.
I’ve seen SharePoint environments at tax firms where every employee had read access to every client folder. That worked for years because nobody actively searched through other people’s client files. Copilot searches actively. That’s its job.
SharePoint architecture for a tax firm
The SharePoint structure determines whether Copilot can operate compliantly or not. A firm that stores everything in a single SharePoint site has no technical basis for client separation.
The minimum requirement: separate SharePoint sites per client. Or at least per client group, if the firm handles many small engagements. Each site has its own members. Only the employees working on a client engagement have access to the corresponding site.
This sounds like a lot of effort. In practice, it’s a one-time configuration that can be managed efficiently with M365 groups. A new employee gets added to the relevant client group. When they hand off the engagement, they get removed. No employee has default access to all clients.
For firm leadership there’s an exception: partners or firm owners typically need cross-client access. That’s permissible as long as it’s documented and justified. But the associate who exclusively handles Client A doesn’t need access to Client B’s files.
Sensitivity Labels: the second layer
SharePoint permissions are the foundation. Sensitivity Labels are the second layer. Together they define what Copilot can see and process.
For a tax firm, I recommend four tiers:
Tier 1: Strictly Confidential, Client. Encryption active, no external access, only assigned employees can access. Copilot can only process these documents if the requesting user has explicit access. For particularly sensitive matters (criminal proceedings, insolvency advisory), Copilot access can be blocked entirely.
Tier 2: Confidential, Firm. Internal documents with client reference. Copilot search is restricted to the client context. No cross-client access.
Tier 3: Internal. General firm documents without client reference. Templates, internal policies, training materials. Copilot has unrestricted access.
Tier 4: General. Public information. Marketing materials, website content, general templates.
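To make the two layers concrete, here is an added model in Python. It is not Microsoft code and not the author's configuration: it simulates what Copilot can retrieve for a user under the flat layout the page warns about versus one site per client with M365 groups, applies the Tier 1 rule (Copilot only processes Strictly Confidential documents for users with explicit access, and never surfaces matters where Copilot is blocked), and includes the cross-client access audit that step 2 of the rollout sequence calls for. The users, group names, sites and file contents are constructed for illustration.

```python
"""Model of what Copilot can surface under two SharePoint layouts.

Added example, not Microsoft code: users, groups, sites and file contents
are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field

EVERYONE = "Everyone except external users"   # built-in claim that grants tenant-wide read
STRICT = "Strictly Confidential, Client"       # Tier 1
CONFIDENTIAL = "Confidential, Firm"            # Tier 2


@dataclass
class Doc:
    text: str
    label: str = "Internal"
    copilot_blocked: bool = False   # Tier 1 matters where Copilot access is switched off entirely


@dataclass
class Site:
    name: str
    client: str                      # client this site belongs to
    members: set[str]                # users, M365 groups or the EVERYONE claim with read access
    files: dict[str, Doc] = field(default_factory=dict)


@dataclass
class Tenant:
    sites: list[Site]
    groups: dict[str, set[str]]          # M365 group -> members
    engagements: dict[str, set[str]]     # employee -> clients they are assigned to
    documented_cross_client: set[str] = field(default_factory=set)   # partners with justified access

    def explicit_access(self, user: str, site: Site) -> bool:
        """Access granted to the user directly or through a group, never via EVERYONE."""
        return user in site.members or any(user in self.groups.get(g, ()) for g in site.members)

    def can_read(self, user: str, site: Site) -> bool:
        return EVERYONE in site.members or self.explicit_access(user, site)

    def copilot_search(self, user: str, term: str) -> set[tuple[str, str]]:
        """Copilot only retrieves content the user can open; Tier 1 additionally
        requires explicit access, and blocked documents are never surfaced."""
        hits = set()
        for site in self.sites:
            if not self.can_read(user, site):
                continue
            for name, doc in site.files.items():
                if doc.copilot_blocked or term.lower() not in doc.text.lower():
                    continue
                if doc.label == STRICT and not self.explicit_access(user, site):
                    continue
                hits.add((site.name, name))
        return hits

    def audit_cross_client_access(self) -> list[str]:
        """Step-2 audit: tenant-wide shares and employees reaching clients they do not work on."""
        findings = []
        for site in self.sites:
            if EVERYONE in site.members:
                findings.append(f"{site.name}: tenant-wide read via '{EVERYONE}'")
            for user, clients in self.engagements.items():
                if user in self.documented_cross_client or site.client in clients:
                    continue
                if self.can_read(user, site):
                    findings.append(f"{site.name}: {user} can read but is not assigned to client {site.client}")
        return findings


# Constructed sample content; every Client B file mentions the same tax audit.
CLIENT_A_FILES = {
    "2024-07 tax audit notice.docx": Doc("Notice of tax audit for fiscal years 2021-2023.", CONFIDENTIAL),
}
CLIENT_B_FILES = {
    "tax audit response.docx": Doc("Draft response to the tax audit findings.", CONFIDENTIAL),
    "insolvency advisory.docx": Doc("Insolvency advisory memo referencing the tax audit schedule.", STRICT),
    "criminal tax proceedings.docx": Doc("Tax audit escalated to criminal tax proceedings.", STRICT, True),
}
ENGAGEMENTS = {"anna": {"A"}, "ben": {"B"}, "peter": {"A", "B"}}   # peter is the partner


def flat_tenant() -> Tenant:
    """The layout the page warns about: every client site readable by every employee."""
    return Tenant(sites=[Site("Client A", "A", {EVERYONE}, CLIENT_A_FILES),
                         Site("Client B", "B", {EVERYONE}, CLIENT_B_FILES)],
                  groups={}, engagements=ENGAGEMENTS, documented_cross_client={"peter"})


def segmented_tenant() -> Tenant:
    """One site per client, membership through M365 groups, partner access documented."""
    return Tenant(sites=[Site("Client A", "A", {"grp-client-a"}, CLIENT_A_FILES),
                         Site("Client B", "B", {"grp-client-b"}, CLIENT_B_FILES)],
                  groups={"grp-client-a": {"anna", "peter"}, "grp-client-b": {"ben", "peter"}},
                  engagements=ENGAGEMENTS, documented_cross_client={"peter"})


if __name__ == "__main__":
    for layout, tenant in (("flat", flat_tenant()), ("segmented", segmented_tenant())):
        print(layout, "anna ->", sorted(tenant.copilot_search("anna", "tax audit")))
        print(layout, "audit ->", tenant.audit_cross_client_access())
```

Two things the model makes visible: under the flat layout the associate assigned only to Client A gets Client B's audit response back from the same query, and the partner's legitimate Tier 1 access stops working through Copilot because it rests on the tenant-wide claim rather than on explicit membership. The segmented layout fixes both, and the audit returns nothing for it.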
Auto-labeling for client data
Labels only work if they’re actually applied. Manual labeling is error-prone. No employee remembers to set a label on every document.
Auto-labeling rules catch the most important cases:
- Documents containing tax identification numbers get “Confidential, Firm” automatically
- Documents with client reference numbers get “Confidential, Firm”
- Documents in client-specific SharePoint sites inherit the site label
- Emails with tax assessments or tax authority correspondence get “Confidential, Firm”
This doesn’t replace manual classification. But it ensures new documents don’t land in SharePoint without a label, where Copilot can search them without any restrictions.
DLP policies: the third layer
Data Loss Prevention stops client data from leaving the firm. This matters more with Copilot than without. When an employee asks Copilot to draft an email to a client, Copilot might pull in information from other client files the employee technically has access to.
DLP rules for a tax firm:
- Documents labeled “Strictly Confidential” cannot be shared externally
- Emails to external recipients containing tax IDs or bank account numbers trigger a warning
- Copilot-generated drafts containing data labeled “Confidential” get flagged
The DLP configuration isn’t technically difficult. But it needs to be active before the Copilot rollout, not after.
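The auto-labeling rules in the previous section and the three DLP rules above share the same building block: a detector for sensitive information types. The added Python example below is not Microsoft Purview code and not the author's configuration; it expresses both rule sets in plain code so their logic can be read and tested. It validates the German tax identification number with its ISO 7064 MOD 11,10 check digit and the IBAN with the mod-97 check, which is the pattern-plus-checksum approach that keeps a detector from firing on every 11-digit number. The client-number format "MDT-NNNNN", the firm domain and all sample texts are constructed.

```python
"""Content-based auto-labeling and outbound DLP checks for a tax firm.

Added example, not Microsoft Purview code. The client-number format, the
firm domain and all sample texts are constructed for illustration.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Label tiers from the page, most restrictive first.
STRICT, CONFIDENTIAL, INTERNAL, GENERAL = (
    "Strictly Confidential, Client", "Confidential, Firm", "Internal", "General")
RANK = {STRICT: 0, CONFIDENTIAL: 1, INTERNAL: 2, GENERAL: 3}
FIRM_DOMAIN = "example-kanzlei.de"                        # constructed

TAX_ID_RE = re.compile(r"\b\d{2}\s?\d{3}\s?\d{3}\s?\d{3}\b")
IBAN_RE = re.compile(r"\bDE\d{2}(?:\s?\d{4}){4}\s?\d{2}\b")
CLIENT_REF_RE = re.compile(r"\bMDT-\d{5}\b")              # constructed client-number format
AUTHORITY_TERMS = ("finanzamt", "steuerbescheid", "tax assessment", "tax authority")


def is_valid_steuer_id(candidate: str) -> bool:
    """German tax identification number: 11 digits, no leading 0, exactly one digit
    repeated (twice or three times) among the first ten, ISO 7064 MOD 11,10 check digit."""
    digits = re.sub(r"\s", "", candidate)
    if not re.fullmatch(r"[1-9]\d{10}", digits):
        return False
    head = digits[:10]
    counts = sorted(head.count(d) for d in set(head))
    if counts not in ([1] * 8 + [2], [1] * 7 + [3]):
        return False
    product = 10
    for d in map(int, head):
        total = (d + product) % 10 or 10
        product = (total * 2) % 11
    return (11 - product) % 10 == int(digits[10])


def is_valid_iban(candidate: str) -> bool:
    """ISO 13616 mod-97 check: first four characters moved to the end, letters mapped to numbers."""
    compact = candidate.replace(" ", "").upper()
    rearranged = compact[4:] + compact[:4]
    return int("".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)) % 97 == 1


def find_sensitive(text: str) -> set[str]:
    """Sensitive-information types present in the text: pattern match plus checksum where one exists."""
    found = set()
    if any(is_valid_steuer_id(m) for m in TAX_ID_RE.findall(text)):
        found.add("tax_id")
    if any(is_valid_iban(m) for m in IBAN_RE.findall(text)):
        found.add("iban")
    if CLIENT_REF_RE.search(text):
        found.add("client_ref")
    if any(term in text.lower() for term in AUTHORITY_TERMS):
        found.add("authority_correspondence")
    return found


@dataclass
class Document:
    name: str
    text: str
    site_label: str | None = None      # default label inherited from a client-specific site
    manual_label: str | None = None    # label an employee set by hand


def auto_label(doc: Document) -> str | None:
    """Most restrictive of manual label, inherited site label and content rules; auto-labeling
    never downgrades. None means the document still needs manual classification."""
    candidates = [lbl for lbl in (doc.manual_label, doc.site_label) if lbl]
    if find_sensitive(doc.text) & {"tax_id", "client_ref", "authority_correspondence"}:
        candidates.append(CONFIDENTIAL)
    return min(candidates, key=RANK.__getitem__) if candidates else None


@dataclass
class Email:
    recipients: list[str]
    body: str
    attachments: list[Document] = field(default_factory=list)
    copilot_generated: bool = False


def dlp_evaluate(mail: Email) -> list[tuple[str, str]]:
    """Return (action, reason) pairs for the three DLP rules on this page."""
    external = any(not r.lower().endswith("@" + FIRM_DOMAIN) for r in mail.recipients)
    labels = {auto_label(a) for a in mail.attachments}
    body_types = find_sensitive(mail.body)
    results = []
    if external and STRICT in labels:
        results.append(("block", "Strictly Confidential attachment to external recipient"))
    if external and body_types & {"tax_id", "iban"}:
        results.append(("warn", "tax ID or bank account number in mail to external recipient"))
    if mail.copilot_generated and (CONFIDENTIAL in labels or body_types & {"tax_id", "client_ref"}):
        results.append(("flag", "Copilot-generated draft contains Confidential data; review before sending"))
    return results


if __name__ == "__main__":
    notice = Document("Steuerbescheid 2023.pdf",
                      "Finanzamt Musterstadt: tax assessment for MDT-10423, IdNr 86 095 742 719.")
    print(auto_label(notice))
    print(dlp_evaluate(Email(["mandant@example.com"], "Please remit to DE89 3704 0044 0532 0130 00.", [notice])))
```

The ordering in `auto_label` is the design choice worth noting: a site default or a content rule can raise a document's label but never lower one an employee set, which is what keeps auto-labeling from undoing the manual classification the page says it does not replace. The tax ID "86 095 742 719" and the IBAN "DE89 3704 0044 0532 0130 00" are the published format examples, not real identifiers.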
What must be done before activating Copilot
I keep seeing the same pattern: Copilot licenses get purchased, the pilot group starts, and the security configuration is scheduled for “later.” For a regular company, that’s risky. For a tax firm handling client data under Section 203, it’s negligent.
The sequence that works:
1. Data Protection Impact Assessment (DPIA). Required when processing client data with AI. Documents the risks and the measures against them. Without a DPIA, there’s no foundation for anything else.
2. SharePoint permissions audit. Who can access which client files? Where are there “Everyone” shares? Where do employees have access to clients they don’t work on? This is the most time-consuming step, but also the most important.
3. Configure Sensitivity Labels. Set up the four tiers, activate auto-labeling rules, classify existing documents. Microsoft Purview provides the tools. The configuration is firm-specific.
4. Activate DLP policies. Rules for external sharing, email sending, and Copilot-generated content.
5. Employee training. No Copilot without training. Employees need to understand which data they can input into Copilot, how labels work, and what to do when Copilot surfaces information from the wrong client file. This isn’t a one-hour presentation. It’s a hands-on walkthrough at the workstation.
6. Acceptable use policy. Documented rules for AI use in the firm. What can Copilot do? What can’t it do? Who is responsible? What happens when someone violates the policy?
Only when all six items are checked off should Copilot go live.
Copilot is the tool, not the problem
I say this in every client conversation: Copilot is a good tool. It can deliver real productivity gains for a tax firm. But it works with what it finds. If permissions are messy, Copilot delivers messy results. If labels are missing, Copilot can’t distinguish between what’s confidential and what’s not.
The configuration is on the firm. Microsoft provides the tools. The responsibility for compliant use stays with you.
Next step
The Copilot Compliance Audit and compliant deployment service covers exactly these steps. I review your SharePoint structure, configure Sensitivity Labels and DLP policies, and make sure Copilot in your firm complies with Section 203 and GDPR.
Book a 30-minute intro call. No sales pitch. Just an honest assessment of where your environment stands and what needs to happen before a Copilot rollout.
Jose Lugo is a CISSP-certified AI compliance consultant with M365 Endpoint Administrator certification. He configures SharePoint permissions, Sensitivity Labels, and DLP policies for tax advisory firms and regulated companies in Germany.