It is highly likely that if you work in the Information Technology space you either use Microsoft products or provide services to Microsoft.
If you have an opportunity to become a Supplier to Microsoft Corporation, you will need to establish a
Security and Data Privacy baseline.
Data types across Microsoft are extensive, and the program has
been developed to accommodate all data use cases while taking
into account global regulations, companies across all industry types,
and suppliers of all sizes, from small startups to multinational
conglomerates. No mean feat.
Applicability
Whether you are well into your Governance, Risk and Compliance (GRC)
journey or maturing to the point that clients are asking for some level of
assurance, the SSPA program can be leveraged to establish a strong
baseline. The key to any supplier compliance program is defining what
information is needed and what is being collected. Microsoft's SSPA requires you
to establish your "Applicability" and then have it independently assessed
against their Data Protection Requirements (DPR). Connor is well versed in
the nuances of determining whether a DPR requirement will apply to your
service and can get you set up correctly.
[Figure: Microsoft (MSFT) Data Protection Requirements categories: Notice; Choice and Consent; Collection; Retention; Disclosures to Third Parties; Quality; Monitoring and Enforcement; Security.]
Additionally, Microsoft categorizes your organization via an SSPA Data Processing Profile, which is self-managed via the Aravo
Supplier Portal. Navigating this portal can be challenging, but it is important to track your status (Active Green, compliant, vs.
Suspended Red, non-compliant) and to complete the tasks that are issued, each of which carries a 90-day compliance deadline.
One of the first steps in your Microsoft Supplier Security and Privacy Assurance (SSPA) journey is to correctly submit your Data
Protection Requirements (DPR) "SSPA Applicability" self-assessment. This sets the stage for the requirements and the level
of testing you will go through with an independent auditor. Getting "SSPA Applicability" right is very important for a smooth,
efficient audit. Getting it wrong can lead to hours of re-work and unnecessary back and forth with your Microsoft buyer and the
vendor management team at SSPAhelp@microsoft.com or SSPAsupport@microsoft.com.
Applicability
It is essential to align your "SSPA Applicability" profile with the service you are providing to Microsoft. Specifically, applicability
relates to the type or types of data being processed, transmitted or exchanged.
• Microsoft Device Pre-Release Marketing Information
• Develop or Test Microsoft Internal Line of Business
Note that the data types listed above are examples and not an exhaustive list.
Taking into account the various mediums through which the data is collected and processed, whether it is shared with third-party
subcontractors, and, most importantly, the "intended" use of the data as described in your Microsoft contract can make the
self-assessment daunting. Additionally, Microsoft sets its own back-office profile of your organization based on the
language of any active Master Service Agreement (MSA), Statement of Work (SOW) or Purchase Order (PO). We have seen
instances where the back-office understanding, per the SOW, diverges from the actual data handling of the Microsoft
supplier. Alignment early in the SSPA process is key to saving effort, time and cost.
There are many ways to send a self-assessment down a long, winding road, but with guidance from the experts at Connor, your
organization can get on the right, efficient path. We are happy to walk you through the DPR self-assessment at whatever
stage of submission you are in. We have experts in e-commerce platforms, client registration applications, webpages and the
use of third-party subcontractors. Let us guide you in establishing your applicability correctly for a smooth and more efficient
process.
At Connor, our mission is to help our customers remove the barriers to innovation. With our expert support, you can bolster
your organization's Security and Data Privacy baseline, meet the compliance requirements of Microsoft's SSPA program, and
ensure you remain in good standing with your customers. To learn more about our Microsoft services and approach, visit our
website.