There is good reason for the increased confusion around data privacy and security compliance requirements for Microsoft Suppliers (vendors). On December 17, 2018, Microsoft released version 5 of its Supplier Security & Privacy Assurance (SSPA) Program, which differs significantly from version 4.
Some Microsoft Suppliers have worked with the Redmond, Washington company for decades but had never been required to formally demonstrate their data protection practices – until now. Other Suppliers have previously submitted a self-attestation to show Microsoft they were following the Data Protection Requirements (DPR), but were never required to engage a third party to verify their compliance. Over the past several months, Peterson Sullivan’s IT Risk Services team has partnered with many Microsoft Suppliers to help them navigate Microsoft’s new SSPA Program, the updated DPR, and the DPR Independent Assessment process.
Prior to the December 17, 2018 SSPA Program update, Microsoft used a three-tiered system to classify Suppliers as High Business Impact (HBI), Moderate Business Impact (MBI), and Low Business Impact (LBI). Classification was determined based on the level of risk Microsoft associated with the data handled by each Supplier – HBI included data such as social security numbers, credit card numbers, and medical records; MBI included contact information such as phone numbers or data points including religious beliefs and sexual orientation; and LBI included other data. Only Suppliers classified as HBI were required to undergo an independent attestation (audit) of their compliance with Microsoft’s DPR.
Under the new SSPA Program (version 5), no Supplier is required to provide an attestation report; however, Microsoft has expanded the number of Suppliers who are required to undergo an Independent Assessment. The Independent Assessment helps demonstrate a Supplier’s compliance with the new DPR and is performed by an Independent Assessor based on the Supplier’s Self-Assessment of their DPR compliance.
The driver behind the expanded applicability of an Independent Assessment is Microsoft’s updated process to risk-rate and classify Suppliers. Instead of the HBI, MBI, LBI classification process, Microsoft now classifies Suppliers based on whether they Process Personal Data, Confidential Data, or both, in performing the terms of their Microsoft purchase order or contract. If the Supplier is determined to Process Personal or Confidential Data, the Supplier is typically required to Self-Attest to complying with Microsoft’s DPR and to undergo an Independent Assessment to help verify compliance. The full list of what constitutes Personal or Confidential Data is included in version 5 of the SSPA Program Guide. Essentially, the list includes data that previously fell within the HBI and MBI data classification types.
The new, more nuanced SSPA Program guidelines can be confusing, especially for Suppliers who entered 2019 with the belief that they were in the clear with Microsoft compliance activities. Unfortunately, failure to comply in a timely manner can mean a hold placed on the Supplier’s account, disrupting current projects or in-flight purchase orders. For support in navigating your own Microsoft SSPA compliance requirements and to learn more about Peterson Sullivan’s Independent Assessment process, please reach out to Maddie Hall, IT Risk Manager.