Achieving Microsoft SSPA Compliance: A Supplier’s Guide to DPR v9 Updates

By Anthony DiGiulian, Director | Risk

As a Microsoft supplier, safeguarding the data entrusted to you by Microsoft and its customers is important. To ensure the highest level of data protection while reducing risk, Microsoft requires its suppliers to demonstrate their compliance with the Data Protection Requirements (DPR) and the Supplier Security and Privacy Assurance (SSPA) program. This is performed annually through self-attestation and independent assessment.

In line with evolving industry standards and customer expectations, the latest updates to the DPR and SSPA program will affect your organization and its related tasks. Read on to understand the impacts on your business and how to respond.

11 DPR Requirement Updates in 2024

The 2024 DPR version 9 (v9) has enforced 11 changes to existing requirements involving language refinements and clarifications, including the integration of protected health information (PHI) data:

  1. DPR v9 #2: Supplier must have a documented privacy and security program.
  2. DPR v9 #4: Supplier must have a documented privacy and security training program.
  3. DPR v9 #27: Supplier must limit subcontractor access to personal data.
  4. DPR v9 #36: Supplier must conduct network assessments at least annually.
  5. DPR v9 #38: Supplier must maintain an inventory of assets that store, process, or transmit personal data.
  6. DPR v9 #39: Supplier must implement access management controls for personal data.
  7. DPR v9 #40: Supplier must implement encryption controls for personal data.
  8. DPR v9 #41: Supplier must implement backup and recovery controls for personal data.
  9. DPR v9 #43: Supplier must implement logging and monitoring controls for personal data.
  10. DPR v9 #45: Supplier must implement incident response and notification controls for personal data.
  11. DPR v9 #52: Supplier must comply with Microsoft security standards.

New and existing suppliers must adhere to these updated requirements in FY24. If you’re a supplier who processes PHI data, there is additional complexity and scrutiny of your data protection and security compliance.

New Requirements for Suppliers Processing PHI Data

A key update in the 2024 DPR v9 is the designation of processing PHI data as a high-risk activity. Therefore, suppliers handling PHI data for Microsoft should also note the following updates:

  • An independent assessment is required annually to verify your compliance with the DPR.
  • PHI specifics have been added to the “personal data by data type” table included and defined within the latest SSPA program.
  • Two new requirements have been introduced to enhance supplier accountability and responsibility when handling PHI data:
    • DPR v9 #5: Demonstrable sanctions must apply when an employee fails to comply with privacy and security company policy.
    • DPR v9 #13: When a supplier receives data with reduced identifiability, they’re not to re-identify but to maintain the data in the state received.

Microsoft has also introduced a subprocessor role. Subprocessors are subcontractors hired by Microsoft to perform work that may require access to data managed by suppliers. The subprocessor role will be added to a supplier account based on identification and approvals from internal privacy teams. Subprocessors will help enforce supplier adherence to the data protection and security rules.

Benefits of a Microsoft Preferred Assessor for Your SSPA

Annual attestation and independent assessments are required for all Microsoft suppliers who meet the data processing requirements defined within the approvals section of the SSPA program. Working with an experienced third-party assessor can help organizations simplify and accelerate the SSPA certification process (or become a supplier), including:

  • Achieving SSPA compliance in 60 days or less
  • Accessing knowledgeable experts versed on the latest DPR requirements
  • Implementing efficient, automated processes with cloud-based technology
  • Gaining exceptional service at a competitive price aligned with your budget

Stay ahead of the curve with the latest Microsoft DPR and SSPA updates. With evolving requirements and increased scrutiny, supplier accountability is necessary, and a Microsoft-preferred assessor can streamline your SSPA journey. To learn more or to speak with an SC&H SSPA expert, please send us a message.