Privacy and Data Protection

Simplifying compliance with leading privacy and data protection standards like GDPR, PCI DSS, CSA STAR, and more.

Achieve Compliance with Leading Privacy Standards

Privacy regulations are constantly evolving, and meeting their requirements can be complex—especially when you’re navigating multiple frameworks at once. At BARR, we bring deep expertise across leading privacy frameworks and regulations, helping businesses in highly regulated industries design, implement, and sustain robust privacy programs that build trust with customers, stakeholders, and regulators. 

We don’t just help you pass an audit—we guide you in building privacy practices that reduce risk and propel your business forward. Whether you need to address a single regulatory requirement or develop a unified strategy that maps controls across multiple laws, BARR’s expert consultants provide the clarity, tools, and ongoing support needed to keep your program effective and future-ready.

Services Available

The Payment Card Industry Data Security Standard (PCI DSS) was developed by major credit card companies, including Visa, MasterCard, and American Express, to create a secure environment for processing, storing, and transmitting cardholder data. If your organization accepts or processes payment cards, you must comply with PCI DSS.

As a PCI DSS qualified security assessor (QSA) firm, BARR Advisory helps organizations achieve PCI DSS compliance so your customers can rest assured that their data is secure as your business grows.

The Cloud Security Alliance’s Security, Trust, Assurance, and Risk (CSA STAR) is one of the most powerful certification programs for cloud service providers (CSPs). As an accredited certification body, BARR Advisory can perform rigorous yet efficient independent security assessments to help CSPs demonstrate their commitment to security and privacy best practices.

Once certified, your organization can register to be a part of the STAR Registry, a global database of organizations that demonstrate security and privacy best practices. 

The EU’s General Data Protection Regulation (GDPR) applies to any organization inside or outside the EU that processes the personal data of EU residents. At BARR, our expert team guides you through each step of the compliance process, from building a personal data inventory, including data flows and records of processing activities, to closing compliance gaps and implementing sustainable privacy controls. 

We tailor our approach to your business, prioritizing high-risk areas first and ensuring your program can adapt to future regulatory changes. 

Our process not only meets GDPR requirements, but also builds trust and supports alignment with other industry-recognized privacy frameworks like ISO 27701, NIST Privacy Framework, and AICPA trust services criteria for privacy. With BARR as your partner, GDPR compliance becomes a strategic advantage—not just a legal obligation.

The California Consumer Privacy Act (CCPA) applies to organizations both inside and outside of the state that handle the personal data of California residents. BARR’s expert team helps you navigate CCPA requirements, from assessing your current privacy posture to designing processes for data access, deletion, and opt-out requests. 

Our approach is risk-focused, scalable, and designed to make compliance a seamless part of your business operations. With BARR guiding the process, you won’t just meet CCPA obligations—you’ll be empowered to demonstrate a genuine commitment to trust and transparency.

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to safeguard sensitive customer data and explain how that information is collected, shared, and protected. Compliance isn’t just about avoiding regulatory penalties—it’s about building trust in a competitive financial market. 

BARR’s experts help you meet the GLBA’s Privacy Rule and Safeguards Rule requirements through a tailored, step-by-step approach. Our process includes risk assessments, policy development, vendor management reviews, and ongoing monitoring to keep your program resilient against evolving threats. With BARR as your compliance partner, you not only satisfy GLBA requirements—you strengthen your reputation for protecting client data.

Microsoft’s Supplier Security and Privacy Assurance (SSPA) program requires all Microsoft suppliers to comply with privacy and security regulations when processing, storing, and transmitting data.

Microsoft Data Protection Requirements (DPR) are a set of regulations that apply to Microsoft suppliers that process personal data or Microsoft Confidential Data. Microsoft DPR compliance is an annual requirement for all Microsoft suppliers enrolled in the SSPA program. If you are required to be compliant with DPR, Microsoft will provide you with a deadline for expected compliance.

Even if your organization is not currently a Microsoft supplier, a Microsoft DPR attestation is a great first step if you plan to become a supplier in the future or if you wish to work toward control coverage under the General Data Protection Regulation (GDPR). With BARR’s extensive experience in audit services, we’ll help your company achieve Microsoft DPR compliance quickly and seamlessly.

How It Works

Phase I Readiness Assessment

This is the assessment of your current controls against one or more privacy and data protection standards, including PCI DSS, CSA STAR, GDPR, Microsoft DPR, and more. This process allows us to identify any potential gaps and provide recommendations for remediation prior to the audit. If you already have a SOC 2 report or an ISO 27001 certification, this will likely reduce the number of gaps identified.

Phase II Independent Assessment

Following your readiness assessment, we perform and deliver one or more independent assessments over your selected privacy and data protection standards. 

For PCI DSS, this can include PCI DSS reports on compliance (RoC), PCI DSS attestations of compliance (AoC), and QSA-assisted self-assessment questionnaires (SAQs).

Contact Us for a Free Consultation

We’re here to help you!
Speak with a BARR specialist about your security and compliance needs.

Frequently Asked Questions

PCI DSS is a set of security standards established to safeguard payment card information and prevent unauthorized access. Developed by major credit card companies, including Visa, MasterCard, and American Express, the standard aims to create a secure environment for processing, storing, and transmitting cardholder data. Read our blog “Understanding PCI DSS: A Guide to the Payment Card Industry Data Security Standard.”

There are multiple benefits of a PCI DSS audit, including protecting your customer data, building stakeholder trust, meeting business requirements, and avoiding fines and penalties. With BARR’s PCI DSS compliance services, you can rest assured that your organization will meet compliance requirements.

PCI DSS applies to all entities that store, process, and/or transmit cardholder data. If your organization accepts or processes payment cards, you must comply with PCI DSS. Depending on your organization’s needs, BARR’s PCI DSS compliance solutions include PCI DSS reports on compliance (RoC), PCI DSS attestations of compliance (AoC), and QSA-assisted self-assessment questionnaires (SAQs).

BARR’s attest services team has developed a proven process that makes completing a PCI DSS compliance audit simple. It begins with a planning stage, where you’ll work with our team to set expectations and determine the scope of the engagement. Next, your auditor will assess your organization’s cardholder data environment (CDE), including completing policy reviews, system evidence reviews, and interviews with your team. When the assessment period ends, you will either complete a QSA-assisted self-assessment questionnaire (SAQ), or receive a PCI DSS report on compliance (RoC) or PCI DSS attestation of compliance (AoC) from BARR on the results of the audit.

With BARR’s PCI DSS compliance solutions, our PCI DSS auditors help organizations prepare for and successfully achieve PCI DSS compliance seamlessly within three to six months, depending on the client’s needs and the PCI DSS services they are utilizing.

While PCI DSS is not a legal requirement, it is mandated by the PCI Security Standards Council. If your organization stores, processes, and/or transmits cardholder data, you are likely required to comply with PCI DSS.

There are multiple benefits to achieving a CSA STAR certification or a CSA STAR attestation. In addition to providing assurance to your customers and stakeholders, CSA STAR can help your organization achieve compliance with other powerful compliance frameworks and can differentiate your organization as one that takes cloud security seriously.

Achieving a CSA STAR certification or a CSA STAR attestation is a great choice for any cloud service provider looking to provide an extra level of assurance to their customers and stakeholders.

When CSA STAR is added to an ISO engagement, the result is a CSA STAR certification. When CSA STAR is added to a SOC 2 engagement, the result is a CSA STAR attestation. Speak to one of BARR’s CSA STAR auditors today to learn more about the right path for your organization.

The type(s) of data your organization processes will determine the scope of your assessment.

Microsoft Personal Data means any Personal Data processed by or on behalf of Microsoft and includes any information referring to a data subject, such as:

  • Sensitive data
  • Customer content data
  • Captured and generated data
  • Account data

Microsoft Confidential Data includes any data which, if compromised, could result in financial or reputational loss for Microsoft, such as:

  • Information on the development, testing, or manufacturing of Microsoft products
  • Microsoft pre-release marketing information
  • Microsoft product license keys

Microsoft suppliers are required to submit evidence of compliance with the following regulations that make up Microsoft DPR:

  • Management
  • Notice
  • Choice and Consent
  • Collection
  • Retention
  • Data Subjects
  • Disclosure to Third Parties
  • Quality
  • Security
  • Monitoring and Enforcement

The length of time it takes to complete a readiness assessment and audit varies from company to company and depends on a variety of factors, including the size of the company, the complexity of the organization, and its current security posture. If a company already has a SOC 2 report, the assessment period will be quicker. For a new BARR client without a SOC 2 report, it typically takes one month to complete the readiness assessment, two to three months to complete the needed requirements, and one month for BARR to complete the independent assessment over the DPR.

Privacy is a major component of Microsoft DPR, making it an excellent framework for organizations to work toward control coverage of the GDPR. Compliance with Microsoft DPR can provide organizations with internal assurance that they are meeting many of the GDPR requirements they may be subject to. As part of our readiness assessment, BARR can also map controls and identify gaps between the DPR requirements and other frameworks, too.

Multiple controls overlap with coverage under ISO 27001, ISO 27701, and the DPR. In some cases, Microsoft will allow suppliers subject to the DPR to submit ISO 27001 and ISO 27701 certifications in place of the independent assessment over the DPR.

Why BARR for Privacy Assessments

  • Our kickoff meeting helps prepare your organization well before the start of your engagement—giving you the knowledge and confidence you need to achieve compliance.
  • We serve the most regulated industries, including technology, financial services, healthcare, and government.
  • Not only are BARR reports delivered on time, 40% are delivered early, with quality guaranteed.
  • Expertise that can simplify the complex nature of today’s most popular privacy and data protection standards.
  • We put you and your business first, providing unparalleled communication and accessibility at all times.
  • Competitive, fixed rates to accommodate growing enterprises.
