What types of data are relevant to the SSPA program?
The type(s) of data your organization processes will determine the scope of your assessment.
Microsoft Personal Data means any Personal Data processed by or on behalf of Microsoft and includes any information referring to a data subject, such as:
- Sensitive data
- Customer content data
- Captured and generated data
- Account data
Microsoft Confidential Data includes any data which, if compromised, could result in financial or reputational loss for Microsoft, such as:
- Information on the development, testing, or manufacturing of Microsoft products
- Microsoft pre-release marketing information
- Microsoft product license keys
How is compliance measured?
Microsoft suppliers are required to submit evidence of compliance with the following requirement areas that make up the Microsoft DPR:
- Management
- Notice
- Choice and Consent
- Collection
- Retention
- Data Subjects
- Disclosure to Third Parties
- Quality
- Security
- Monitoring and Enforcement
How long does the assessment and auditing process take?
The length of time it takes to complete a readiness assessment and audit varies from company to company and depends on a variety of factors, including the size of the company, the complexity of the organization, and its current security posture. If a company already has a SOC 2 report, the assessment period will be quicker. For a new BARR client without a SOC 2 report, it typically takes one month to complete the readiness assessment, two to three months to complete the needed requirements, and one month for BARR to complete the independent assessment over the DPR.
How can Microsoft DPR be used to obtain coverage under the GDPR?
Privacy is a major component of Microsoft DPR, making it an excellent framework for organizations working toward control coverage of the GDPR. Compliance with Microsoft DPR can give organizations internal assurance that they are meeting many of the GDPR requirements they may be subject to. As part of its readiness assessment, BARR can also map controls and identify gaps between the DPR requirements and other frameworks.
How are ISO 27001 and Microsoft DPR related?
Multiple controls overlap in coverage across ISO 27001, ISO 27077, and the DPR. In some cases, Microsoft will allow suppliers subject to the DPR to submit ISO 27001 and 27077 certifications in place of the independent assessment over the DPR.