What is Microsoft DPR?

Microsoft’s Supplier Security and Privacy Assurance (SSPA) program requires all Microsoft suppliers to comply with privacy and security regulations when processing, storing, and transmitting data. 

Microsoft Data Protection Regulations (DPR) are a set of regulations that apply to Microsoft suppliers that process Personal Data or Microsoft Confidential Data. Microsoft DPR compliance is an annual requirement for all Microsoft suppliers enrolled in the SSPA program. If you are required to be compliant with DPR, Microsoft will provide you with a deadline for expected compliance. 

Even if your organization is not currently a Microsoft supplier, a Microsoft DPR attestation is a great first step if you plan to become a supplier in the future or if you wish to work toward control coverage under the General Data Protection Regulation (GDPR). With BARR’s extensive experience in audit services, we’ll help your company achieve Microsoft DPR compliance quickly and seamlessly.

How It Works

Phase I Readiness Assessment

The readiness assessment compares your current controls against the Microsoft DPR requirements. It allows us to identify potential gaps and recommend solutions before the audit. If you already hold a SOC 2 report or an ISO 27001 certification, the number of gaps identified will likely be smaller.

Phase II Independent Assessment

Following your readiness assessment, we perform and deliver an independent assessment over Microsoft DPR for you to submit to Microsoft.

Contact Us for a Free Consultation

We’re here to help you! Speak with a BARR specialist about your security and compliance needs.

Microsoft DPR Resources

Why BARR for Microsoft DPR

Get a look at key steps and deliverables you can expect when partnering with BARR for your Microsoft DPR attestation.


Microsoft DPR FAQ

What types of data are relevant to the SSPA program? 

The type(s) of data your organization processes will determine the scope of your assessment.

Microsoft Personal Data means any Personal Data processed by or on behalf of Microsoft and includes any information referring to a data subject, such as:

  • Sensitive data
  • Customer content data
  • Captured and generated data
  • Account data

Microsoft Confidential Data includes any data which, if compromised, could result in financial or reputational loss for Microsoft, such as:

  • Information on the development, testing, or manufacturing of Microsoft products
  • Microsoft pre-release marketing information
  • Microsoft product license keys

How is compliance measured? 

Microsoft suppliers are required to submit evidence of compliance with the following regulations that make up Microsoft DPR: 

  1. Management
  2. Notice
  3. Choice and Consent 
  4. Collection
  5. Retention
  6. Data Subjects 
  7. Disclosure to Third Parties
  8. Quality
  9. Security
  10. Monitoring and Enforcement

How long does the assessment and auditing process take? 

The time needed to complete a readiness assessment and audit varies from company to company and depends on factors such as the size of the company, the complexity of the organization, and its current security posture. If a company already has a SOC 2 report, the assessment period will be shorter. For a new BARR client without a SOC 2 report, it typically takes one month to complete the readiness assessment, two to three months to remediate the identified gaps, and one month for BARR to complete the independent assessment over the DPR.

How can Microsoft DPR be used to obtain coverage under the GDPR?

Privacy is a major component of Microsoft DPR, making it an excellent framework for organizations working toward control coverage under the GDPR. Compliance with Microsoft DPR can give organizations internal assurance that they are meeting many of the GDPR requirements they may be subject to. As part of our readiness assessment, BARR can also map controls and identify gaps between the DPR requirements and other frameworks.

How are ISO 27001 and Microsoft DPR related? 

Many controls overlap between ISO 27001, ISO 27077, and the DPR. In some cases, Microsoft will allow suppliers subject to the DPR to submit ISO 27001 and 27077 certifications in place of the independent assessment over the DPR.

Why BARR for Microsoft DPR Compliance

  • BARR provides a collaborative, hands-on approach tailored to your company’s unique needs
  • Expertise that can simplify the complex nature of Microsoft DPR
  • Trusted provider to some of the fastest growing cloud service providers (SaaS, IaaS, PaaS)
  • Nearly 100% client retention rate
