A GUIDE TO UNDERSTANDING MICROSOFT’S SSPA APPLICABILITY AND DPR A Detailed Guide to Navigating SAPs Digital Access Licensing Model


TABLE OF CONTENTS

Understanding Microsoft’s SSPA Applicability and DPR

Microsoft’s SSPA DPR Self-Assessment – Consult First


Understanding Microsoft’s SSPA Applicability and DPR

If you operate in the Information Technology space, it is highly likely that you either use Microsoft products or provide (or may provide) services to Microsoft. If you have an opportunity to become a supplier to Microsoft Corporation, you will need to establish a Security and Data Privacy baseline.

Scope – Data involved

Microsoft’s in-house developed Supplier Security and Privacy Assurance (SSPA) program is an annual requirement once you become an active Microsoft supplier. The scope of the SSPA covers all suppliers globally that process Personal Data and/or Microsoft Confidential Data in connection with any active Master Service Agreement (MSA), Statement of Work (SOW) or Purchase Order (PO).

Data types across Microsoft are extensive, and the program has been developed to accommodate all data use cases while taking into account global regulations, companies across all industry types, and suppliers of all sizes, from small startups to large conglomerates. No mean feat.

Applicability

Whether you are well into your Governance, Risk and Compliance (GRC) journey or maturing to the point that clients are asking for some level of assurance, the SSPA program can be leveraged to establish a strong baseline. The key to any supplier compliance program is defining what information is needed and what is being collected. Microsoft’s SSPA requires you to establish your “Applicability” and then have it independently assessed against Microsoft’s Data Protection Requirements (DPR). Connor is well versed in the nuances of determining whether a DPR requirement will apply to your service and can get you set up correctly.


Diagram: Microsoft (MSFT) Data Protection Requirements, showing the 10 categories: Management, Notice, Choice and Consent, Collection, Retention, Data Subjects, Disclosures to Third Parties, Quality, Monitoring and Enforcement, Security.

Data Protection Requirements

The DPR is made up of 10 categories that follow a Data Governance lifecycle model. It is very similar to the Gramm-Leach-Bliley Act (GLB Act or GLBA) and has elements of the EU GDPR requirements, but most importantly it has Microsoft MSA contractual terms and conditions woven in.

At a high level the principles are:

• Microsoft Data can only be used in accordance with, or as intended via, an active and approved MSA

• Microsoft employees or Microsoft affiliates must be notified of data sharing between financial institutions and third parties and must have the ability to opt in/out of private information sharing

• Data Subject Rights must be established and actionable in a timely manner

• Microsoft Data must be secured against unauthorized access

• User activity must be tracked, including any attempts to access protected records

• Suppliers must have an incident response plan and both Security and Data Privacy training

You can see the 10 categories listed in the diagram above.

Additionally, Microsoft categorizes your organization via an SSPA Data Processing Profile, which is self-managed via the Aravo Supplier Portal. Navigating this portal can be challenging, but it is important to track your status (Active Green, meaning compliant, vs. Suspended Red, meaning non-compliant) and to complete the tasks that are issued, each of which carries a 90-day compliance deadline.


Microsoft’s SSPA DPR Self-Assessment – Consult First

One of the first steps in your Microsoft Supplier Security and Privacy Assurance (SSPA) journey is to correctly submit your Data Protection Requirements (DPR) “SSPA Applicability” self-assessment. This sets the stage for the requirements, and the level of testing, you will go through with an independent auditor. It is very important to get “SSPA Applicability” right for a smooth, efficient audit. Getting it wrong can lead to hours of re-work and unnecessary back and forth with your Microsoft buyer and vendor management team at [email protected] or [email protected].

Applicability

It is essential to align your “SSPA Applicability” profile with the service you are providing to Microsoft. Specifically, applicability relates to the type or types of data being processed, transmitted or exchanged.

Personal Data Examples

• Sensitive Data

• Customer Content Data

• Capture and Generate Data

• Account Data

Microsoft Confidential/Highly Confidential Data

• Microsoft Product Data Components

• Microsoft Device Pre-Release Marketing Information

• Unannounced Microsoft Corporate Data

• Microsoft Product License Keys

• Develop or Test Microsoft Internal Line of Business

Note the data types listed above are examples and not an exhaustive list.

Taking into account the various mediums through which the data is collected and processed, whether it is shared with third-party subcontractors, and, most importantly, the “intended” use of the data as described in your Microsoft contract can make the self-assessment daunting. Additionally, Microsoft sets its own back-office profile of your organization based on the language of any active Master Service Agreement (MSA), Statement of Work (SOW) or Purchase Order (PO). We have seen instances where the back-office understanding, per the SOW, diverges from the actual data handling of the Microsoft supplier. Alignment early in the SSPA process is key to saving effort, time and cost.


Apply vs. Does Not Apply

Another mistake is over- or under-prescribing your Applicability against the DPR. We often see Suppliers incorrectly complete their DPR self-assessments, which immediately sets their organization off on the wrong foot. Some Suppliers want to present themselves as “Compliant” in an effort to please Microsoft. They submit as “Compliant” across all DPR questions, which means that all of the DPR criteria will apply to them, which may not be the case. This then creates a high-risk supplier profile on the Microsoft side, and getting that profile changed can eat up precious time and resources. To further complicate things, if a Supplier responds to any DPR question with “Does Not Apply”, it is important to provide a concise comment explaining why. Under-prescribing may likewise flag your organization to MSFT, which will potentially cause re-work of your SSPA assessment.


There are many ways to send a self-assessment down a long, winding road, but with guidance from the experts at Connor, your organization can get on the right, and more efficient, path. We are happy to walk you through the DPR self-assessment at whatever stage of submission you are in. We have experts in e-commerce platforms, client registration applications, webpages and the use of third-party subcontractors. Let us guide you in establishing your applicability correctly for a smooth and more efficient process.

At Connor, our mission is to help our customers remove the barriers to innovation. With our expert support, you can bolster your organization’s Security and Data Privacy baseline, meet compliance requirements with Microsoft’s SSPA program, and ensure you remain in good standing with your customers. To learn more about our Microsoft services and approach, visit our website here.

If you would like to speak with our experts, please contact us at [email protected] or [email protected].

Consult First with Connor


Unparalleled Experience, Inspired Outcomes.