What is Microsoft DPR? An Overview of Microsoft Data Protection Requirements

September 3, 2025 | Compliance, Privacy

With the consequences and costs of data breaches on the rise, data privacy and security are more critical than ever—especially for organizations working with major tech companies like Microsoft. 

Whether you’re already a Microsoft supplier, preparing to become one, or simply looking to strengthen your organization’s security practices, understanding Microsoft DPR is essential. In this article, we’ll break down what it is, who it applies to, and how your organization can achieve compliance with confidence.

What is Microsoft DPR?

Microsoft’s Supplier Security and Privacy Assurance (SSPA) program requires all Microsoft suppliers to comply with specific security and privacy requirements when processing, storing, and transmitting data. The Microsoft Data Protection Requirements (DPR) are the set of requirements that apply to every organization enrolled in the SSPA program that processes Microsoft Personal Data, Microsoft Confidential Data, or both.

Microsoft Personal Data refers to any personal data processed by or on behalf of Microsoft and includes any information referring to a data subject. This includes:

  • Sensitive data;
  • Customer content data;
  • Captured and generated data; and,
  • Account data.

Microsoft Confidential Data includes any data that, if compromised, could result in financial or reputational loss for Microsoft. This includes:

  • Information on the development, testing, or manufacturing of Microsoft products; 
  • Microsoft pre-release marketing information; and,
  • Microsoft product license keys.

To comply with Microsoft DPR, suppliers that process these types of data are required to submit evidence of compliance with the requirements in the following areas:

  • Management;
  • Notice;
  • Choice and Consent; 
  • Collection;
  • Retention;
  • Data Subjects;
  • Disclosure to Third Parties;
  • Quality; and,
  • Monitoring and Enforcement.

For organizations with limited access to personal data or Microsoft Confidential Data, a self-assessment of compliance may be sufficient. However, organizations that present higher levels of risk may be required to submit an independent verification of compliance from a third-party auditor like BARR Advisory.  

Who Must Comply with Microsoft DPR?

Microsoft DPR compliance is an annual requirement for all Microsoft suppliers enrolled in the SSPA program. When a company becomes a Microsoft supplier, it is asked to complete a Microsoft Personal Information (MPI) inventory outlining the types of data it handles. Microsoft uses this inventory to place suppliers into one of three categories, depending on the level of risk they present to Microsoft and its customers:

  • Low business impact: Suppliers are considered low business impact if they do not handle any personal information. Typically, Microsoft does not require further action for low business impact suppliers. 
  • Moderate business impact: Suppliers are considered moderate business impact if they handle personally identifiable information (PII) that is not highly sensitive. This type of data includes names, addresses, phone numbers, and emails. Suppliers in this group must adhere to the DPR and are required to attest to their compliance on a regular basis.
  • High business impact: Suppliers are considered high business impact if they handle highly sensitive PII, such as credit card numbers, financial profiles, medical profiles, and authorization credentials. High business impact suppliers must adhere to the DPR and submit a letter of attestation from an approved third party.

If you are required to be compliant with DPR, Microsoft will provide you with a deadline for expected compliance. But even if your organization is not currently a Microsoft supplier, you may still want to pursue compliance with Microsoft DPR, especially if you plan to become a supplier in the future. 

Microsoft DPR compliance is also a smart first step for organizations pursuing compliance with other standards and frameworks. In fact, because privacy is a major component of both regulations, Microsoft DPR compliance can also help organizations meet the requirements of the General Data Protection Regulation (GDPR)—a European Union-based law that outlines strict data privacy guidelines for any organization inside or outside the EU that processes the personal data of EU residents. Achieving Microsoft DPR compliance helps assure customers, partners, and stakeholders that you are meeting the high privacy protection standards required by the GDPR.

How Can BARR Help?

At BARR Advisory, our experienced auditors are ready to help your organization achieve Microsoft DPR compliance quickly and seamlessly.

The process typically begins with a readiness assessment, during which our auditors will review your current controls and assess whether they are sufficient to meet the requirements of Microsoft DPR. Completing a readiness assessment allows us to identify any potential gaps in your data protection processes and procedures, and provide recommendations for remediation before the formal audit begins. 

Following your readiness assessment, the BARR team will write and deliver an independent assessment for you to submit to Microsoft attesting to your compliance with the standard. This process must be completed annually; however, you may need to provide Microsoft with additional updates in the interim if your risk levels change.

For a new Microsoft supplier with no previous cybersecurity compliance attestations, it typically takes one month to complete a readiness assessment, two to three months to implement the required controls, and one month to complete the independent assessment. However, this process can be streamlined if you have already achieved compliance with another security or privacy standard. For instance, Microsoft DPR has significant overlap with ISO 27001 and ISO 27701, meaning organizations that already hold these certifications have a leg up in the assessment process.

In fact, in some cases, Microsoft allows suppliers that are subject to the DPR to use ISO 27001 and ISO 27701 certification as their independent assessment. While obtaining these certifications is a significantly larger undertaking than a Microsoft DPR assessment, ISO 27001 and ISO 27701 are recognized internationally as gold standards for security and privacy compliance, respectively. Achieving certification may be a smart move for organizations that are subject to broader compliance expectations from other stakeholders, partners, or vendors. 

Whether you’re a current Microsoft supplier, interested in becoming one, or simply want to improve your organization’s security posture using the Microsoft DPR, BARR is here to help. Contact us today for a free consultation.
