Data Governance News: Updates for Small Businesses
Latest data governance news and updates. Microsoft 365 governance changes, SharePoint storage overages, AI readiness requirements, and data management developments that affect how your business handles its data.
Last updated: 2026-03-02
Data governance is moving fast. Microsoft is tightening SharePoint storage policies, AI tools like Copilot are exposing data oversharing risks, and regulators worldwide are introducing new frameworks for AI governance and data management.
This page tracks the developments that matter for businesses managing their data. Updated regularly with Microsoft 365 policy changes, AI governance requirements, storage management updates, and regulatory shifts that affect how your organisation handles its information.
Bookmark this page. When Microsoft changes a policy or a new AI regulation takes effect, check here first.
March 2026
Australia: 100,000+ small businesses lose privacy exemption from July
Australia's privacy reforms will strip the small business exemption from businesses in newly regulated industries starting 1 July 2026. Lawyers, accountants, real estate agents, conveyancers, and dealers in high-value goods will be required to comply with the Privacy Act for the first time, regardless of revenue. Previously, businesses with annual turnover under $3 million were exempt.
This is the most significant expansion of privacy obligations for small businesses in Australia's history. Affected businesses will need to meet the same data handling, breach notification, and individual rights requirements as larger organisations — including responding to access requests and maintaining records of personal information handling.
What to do: If your business falls into one of the newly regulated categories, start preparing now. At minimum: conduct a data inventory, draft a privacy policy, establish a process for handling access requests, and train staff on the basics. The OAIC is expected to publish guidance for newly covered businesses before the July deadline.
Microsoft releases Copilot Responsibility Framework
On 18 March 2026, Microsoft published the Copilot Responsibility Framework — a governance model for organisations deploying Copilot in regulated or security-conscious environments. The framework introduces mandatory audit trails for all Copilot interactions, configurable content filtering at the organisation level, and integration with existing compliance management systems in Microsoft Purview.
For small businesses already using Copilot, this is a significant step toward enterprise-grade governance controls becoming available at lower license tiers. The audit trail capability alone addresses one of the biggest governance gaps: knowing what Copilot accessed and generated.
What to do: Review the framework in the Microsoft 365 admin center. If Copilot is deployed, enable the audit trail and configure content filtering policies. If Copilot is planned but not yet deployed, use this as the governance checklist before rollout — see data governance before AI for the full pre-deployment guide.
SharePoint sharing links now support automatic expiration
Microsoft rolled out the ability to set organisation-wide expiration policies for "People in your organisation" sharing links in SharePoint. Administrators can now configure a maximum lifespan for internal sharing links, after which access is automatically revoked.
Previously, internal sharing links in SharePoint lived forever — anyone with the link retained access indefinitely. This was one of the biggest sources of permission sprawl and a core reason permissions audits consistently find over-shared content.
What to do: Set an expiration policy in the SharePoint admin center. A 90-day default is a reasonable starting point for most businesses — long enough for active collaboration, short enough to limit lingering access.
EDPB launches 2026 coordinated enforcement on transparency
The European Data Protection Board announced its 2026 Coordinated Enforcement Framework (CEF) action, with 25 Data Protection Authorities across Europe jointly assessing compliance with GDPR transparency obligations under Articles 12 to 14. This follows previous coordinated actions on the right of access (2024) and the role of data protection officers (2023).
The focus on transparency means regulators will be scrutinising privacy notices, information provided at the point of data collection, and how clearly organisations communicate their data practices. For businesses serving EU customers — including those in the UK, Ireland, and other English-speaking jurisdictions — unclear or outdated privacy notices are now a higher enforcement priority.
What to do: Review privacy notices and data collection forms. Ensure they clearly state what data is collected, why, how long it is kept, and who to contact. If the privacy policy has not been updated since 2018, it is overdue.
February 2026
Microsoft retires standalone SharePoint and OneDrive plans
Microsoft announced it will retire standalone SharePoint Online Plan 1 and Plan 2, and OneDrive for Business Plan 1 and Plan 2 licenses. Sales cease on 31 May 2026, with no contract renewals after January 2027. Service continues until December 2029.
This pushes all customers toward Microsoft 365 suite licenses — which include more storage but at higher per-user costs. For small businesses currently on standalone SharePoint plans, this is a forced migration that requires planning.
What to do: Review your current SharePoint and OneDrive licensing. If you are on standalone plans, start evaluating Microsoft 365 Business Basic ($6/user/month) or Business Standard ($12.50/user/month) as replacements. Factor in total cost of ownership including the additional services bundled in suite licenses.
NIST launches AI Agent Standards Initiative
In February 2026, NIST officially released the AI Agent Standards Initiative, marking the beginning of standardisation work for AI agents — systems that can take autonomous actions on behalf of users. This builds on the NIST AI Risk Management Framework (AI RMF 1.0) and the Generative AI Profile (AI 600-1) released in 2024.
For businesses deploying AI tools like Microsoft Copilot or third-party AI agents, these emerging standards will shape future compliance expectations. Data governance foundations — knowing where your data is, who can access it, and how it is classified — are prerequisites for any AI agent deployment.
What to do: Review the NIST AI RMF 1.0 and consider how your data governance practices align with its risk management principles. Organisations with strong data governance will be better positioned when formal AI agent standards arrive.
December 2025
Trump signs AI executive order targeting state AI laws
On 11 December 2025, President Trump signed an executive order titled "Ensuring a National Policy Framework for Artificial Intelligence." The order directs the Department of Justice to establish an AI Litigation Task Force to challenge state AI laws deemed inconsistent with federal policy, and threatens federal funding restrictions for states with "onerous" AI regulations.
This creates uncertainty for businesses navigating the growing patchwork of state-level AI laws. While the order aims to simplify compliance by establishing a uniform federal framework, the transition period may produce conflicting requirements as state and federal policies are reconciled.
What to do: Track which state AI laws may be affected by federal preemption. If your organisation operates across multiple US states, a unified approach to AI governance is increasingly important.
November 2025
Microsoft Ignite 2025: Copilot governance and security updates
At Ignite 2025, Microsoft announced expanded security and governance tools for Microsoft 365 Copilot. Key updates include Microsoft Purview Data Loss Prevention (DLP) for Copilot reaching general availability — blocking Copilot from processing files and emails with specific sensitivity labels — and expanded data risk assessments with item-level investigation and bulk remediation of overshared links.
These tools address the oversharing problem that Copilot has made impossible to ignore. Research shows 16% of business-critical data is overshared on average, totalling approximately 802,000 files per organisation at risk. When Copilot can surface any content a user has access to, broadly shared files become a liability.
What to do: If you use Microsoft 365 Copilot, enable Purview DLP policies to restrict Copilot's access to sensitive content. Run a data risk assessment from the Microsoft 365 admin center to identify overshared files and sites.
Microsoft 365 Archive eliminates reactivation fees
Microsoft eliminated reactivation fees for Microsoft 365 Archive content effective 31 March 2025, making it cheaper to move inactive SharePoint content to cold storage and bring it back when needed. Archive storage costs up to 75% less than standard SharePoint storage ($0.05/GB/month versus the $0.20/GB/month overage rate).
For organisations hitting SharePoint storage limits, Archive provides a way to reduce costs without deleting data. File-level archiving — allowing individual documents to be archived without taking entire sites offline — is expected in preview by March 2026 and GA by July 2026.
What to do: Identify inactive SharePoint sites consuming storage. Move them to Microsoft 365 Archive to free up pooled storage and avoid the $0.20/GB/month overage charges. Each Microsoft 365 tenant gets 1 TB plus 10 GB per licensed user of pooled SharePoint storage — anything above that costs real money.
August 2025
EU AI Act: General-purpose AI obligations take effect
The EU AI Act's obligations for general-purpose AI (GPAI) models took effect on 2 August 2025. Providers of GPAI models must now comply with transparency requirements including maintaining technical documentation, publishing content usage policies, and implementing copyright compliance measures.
The next major milestone is 2 August 2026, when obligations for high-risk AI systems in Annex III and transparency rules under Article 50 come into force. Penalties for non-compliance are significant: up to €35 million or 7% of worldwide turnover for prohibited practices.
What to do: If your organisation develops or deploys AI systems that serve EU users, review the EU AI Act risk classification. Most businesses using off-the-shelf AI tools like Copilot are deployers rather than providers, but deployers of high-risk AI systems will have their own obligations from August 2026.
Late 2024 — Early 2025
Trump rescinds Biden AI executive order
On 20 January 2025, President Trump rescinded Executive Order 14110 — Biden's "Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence" order from October 2023. Three days later, he signed Executive Order 14179, "Removing Barriers to American Leadership in Artificial Intelligence," signalling a shift from oversight and risk mitigation toward deregulation and innovation promotion.
For businesses, this means less federal guidance on AI risk management but potentially fewer compliance obligations at the federal level. State-level AI laws continue to develop independently, and the EU AI Act applies regardless of US federal policy.
SharePoint Advanced Management bundled with Copilot licenses
From January 2025, Microsoft began bundling SharePoint Advanced Management (SAM) features with Microsoft 365 Copilot licenses. SAM provides data access governance reports, site access reviews, and oversharing detection — tools that help organisations identify and remediate the data governance gaps that Copilot makes visible.
Previously a separate add-on, SAM's inclusion with Copilot licenses reflects Microsoft's acknowledgement that AI readiness requires better data governance. Site access reviews allow administrators to delegate the review of overshared sites to site owners directly.
What to do: If you have Copilot licenses, enable SharePoint Advanced Management and run data access governance reports. These reports identify sites with broadly shared content — the same content Copilot can surface to any user with access.
EU AI Act: Prohibited AI practices take effect
The first binding obligations under the EU AI Act took effect on 2 February 2025, prohibiting AI systems that pose unacceptable risks. These include AI systems that use subliminal manipulation techniques, exploit vulnerabilities of specific groups, enable social scoring by public authorities, and deploy real-time biometric identification in public spaces (with limited exceptions).
While most small businesses are unlikely to deploy prohibited AI systems, the broader message is clear: AI governance is becoming a regulatory requirement, not a best practice.
Last updated: 26 March 2026. This page is updated regularly as data governance developments occur. Bookmark it and check back for the latest changes.