Privacy Assessments

Simplifying Microsoft DPR, GDPR, CCPA, and GLBA compliance solutions

Achieve Compliance with Leading Privacy Standards

Privacy regulations are constantly evolving, and meeting their requirements can be complex—especially when you’re navigating multiple frameworks at once. At BARR, we bring deep expertise across leading privacy frameworks and regulations, helping businesses in highly regulated industries design, implement, and sustain robust privacy programs that build trust with customers, stakeholders, and regulators. 

We don’t just help you pass an audit—we guide you in building privacy practices that reduce risk and propel your business forward. Whether you need to address a single regulatory requirement or develop a unified strategy that maps controls across multiple laws, BARR’s expert consultants provide the clarity, tools, and ongoing support needed to keep your program effective and future-ready.

Services Available

The EU’s General Data Protection Regulation (GDPR) applies to any organization inside or outside the EU that processes the personal data of EU residents. At BARR, our expert team guides you through each step of the compliance process, from building a personal data inventory, including data flows and records of processing activities, to closing compliance gaps and implementing sustainable privacy controls. 

We tailor our approach to your business, prioritizing high-risk areas first and ensuring your program can adapt to future regulatory changes. 

Our process not only meets GDPR requirements, but also builds trust and supports alignment with other industry-recognized privacy frameworks like ISO 27701, NIST Privacy Framework, and AICPA trust services criteria for privacy. With BARR as your partner, GDPR compliance becomes a strategic advantage—not just a legal obligation.

The California Consumer Privacy Act (CCPA) applies to organizations both inside and outside of the state that handle the personal data of California residents. BARR’s expert team helps you navigate CCPA requirements, from assessing your current privacy posture to designing processes for data access, deletion, and opt-out requests. 

Our approach is risk-focused, scalable, and designed to make compliance a seamless part of your business operations. With BARR guiding the process, you won’t just meet CCPA obligations—you’ll be empowered to demonstrate a genuine commitment to trust and transparency.

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to safeguard sensitive customer data and explain how that information is collected, shared, and protected. Compliance isn’t just about avoiding regulatory penalties—it’s about building trust in a competitive financial market. 

BARR’s experts help you meet the GLBA’s Privacy Rule and Safeguards Rule requirements through a tailored, step-by-step approach. Our process includes risk assessments, policy development, vendor management reviews, and ongoing monitoring to keep your program resilient against evolving threats. With BARR as your compliance partner, you not only satisfy GLBA requirements—you strengthen your reputation for protecting client data.

Microsoft’s Supplier Security and Privacy Assurance (SSPA) program requires all Microsoft suppliers to comply with privacy and security regulations when processing, storing, and transmitting data.

Microsoft Data Protection Regulations (DPR) are a set of regulations that apply to Microsoft suppliers that process personal data or Microsoft Confidential Data. Microsoft DPR compliance is an annual requirement for all Microsoft suppliers enrolled in the SSPA program. If you are required to be compliant with DPR, Microsoft will provide you with a deadline for expected compliance.

Even if your organization is not currently a Microsoft supplier, a Microsoft DPR attestation is a great first step if you plan to become a supplier in the future or if you wish to work toward control coverage under the General Data Protection Regulation (GDPR). With BARR’s extensive experience in audit services, we’ll help your company achieve Microsoft DPR compliance quickly and seamlessly.

How It Works

Phase I Readiness Assessment

This is the assessment of your current controls against Microsoft DPR. This process allows us to identify any potential gaps and provide solution recommendations prior to the audit. If you already have a SOC 2 report or an ISO 27001 certification, this will likely reduce the number of gaps identified.

Phase II Independent Assessment

Following your readiness assessment, we perform and deliver an independent assessment over Microsoft DPR for you to submit to Microsoft.

Contact Us for a Free Consultation

We’re here to help you!
Speak with a BARR specialist about your security and compliance needs.

Frequently Asked Questions

The type(s) of data your organization processes will determine the scope of your assessment.

Microsoft Personal Data means any Personal Data processed by or on behalf of Microsoft and includes any information referring to a data subject, such as:

  • Sensitive data
  • Customer content data
  • Captured and generated data
  • Account data

Microsoft Confidential Data includes any data which, if compromised, could result in financial or reputational loss for Microsoft, such as:

  • Information on the development, testing, or manufacturing of Microsoft products
  • Microsoft pre-release marketing information
  • Microsoft product license keys

Microsoft suppliers are required to submit evidence of compliance with the following regulations that make up Microsoft DPR:

  • Management
  • Notice
  • Choice and Consent
  • Collection
  • Retention
  • Data Subjects
  • Disclosure to Third Parties
  • Quality
  • Security
  • Monitoring and Enforcement

The length of time it takes to complete a readiness assessment and audit varies from company to company and depends on a variety of factors, including the size of the company, the complexity of the organization, and its current security posture. If a company already has a SOC 2 report, the assessment period will be shorter. For a new BARR client without a SOC 2 report, it typically takes one month to complete the readiness assessment, two to three months to remediate the identified gaps, and one month for BARR to complete the independent assessment over the DPR.

Privacy is a major component of Microsoft DPR, making it an excellent framework for organizations to work toward control coverage of the GDPR. Compliance with Microsoft DPR can provide organizations with internal assurance that they are meeting many of the GDPR requirements they may be subject to. As part of our readiness assessment, BARR can also map controls and identify gaps between the DPR requirements and other frameworks.

Multiple controls overlap with coverage under ISO 27001, ISO 27701, and the DPR. In some cases, Microsoft will allow suppliers subject to the DPR to substitute ISO 27001 and ISO 27701 certifications for the independent assessment over the DPR.

Why BARR for Privacy Assessments

  • BARR provides a collaborative, hands-on approach tailored to your company’s unique needs
  • Expertise that can simplify the complex nature of Microsoft DPR
  • Trusted provider to some of the fastest-growing cloud service providers (SaaS, IaaS, PaaS)
  • 40% of BARR’s reports are delivered early
