October 25, 2017

If you’re a supplier for Microsoft who handles sensitive information, you are likely well aware of the Supplier Security and Privacy Assurance program (SSPA).

The SSPA’s Data Protection Requirements (DPR) recently received an update that represents a significant change to the contents and direction of the program. The revision was intended to update the previous framework for the General Data Protection Regulations (GDPR) coming out of the EU, which will be effective in May 2018.

As a result, the revised framework has some new requirements, which suppliers need to be aware of to remain compliant. In addition, other existing requirements were clarified or enhanced, and others still were removed.

What Are the Changes?

The first change amounts to a vocabulary update. The framework continues to address security concerns over two primary populations of information. The terms used, and the specific definitions of those information sets, have changed and carry some consequence as well.

  • The first type of information is “Microsoft Personal Information,” which does not receive a name change in the revised framework. Its definition, however, has been updated to consider the GDPR definition of related information. Microsoft Personal Information is simply Personal Information that is processed by, or on behalf of, Microsoft. Personal Information is further defined in the framework as, “any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier; or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”  This represents a major shift in philosophy, related to the expanded ways that a person can be identified. Location data and online identifiers – such as browsing history – are data categories that have a greater focus in this update.
  • The term “Processed” is also further defined in the Microsoft DPR and the GDPR as, “any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Again, this is a broader definition of this key term and may result in additional suppliers being subject to the SSPA evaluation process, or existing SSPA suppliers being subject to the process in different ways.
  • The second type of information is “Microsoft Confidential Information,” which was previously referred to as “Microsoft Sensitive Information.” Incidentally, Microsoft Sensitive Information is still a defined term in the Microsoft DPR, but it is now used as an umbrella term for both confidential and personal information. Microsoft Confidential Information is relatively unchanged in its definition and scope. It’s defined as, “any information which, if compromised through confidentiality or integrity means, can result in significant reputational or financial loss for Microsoft. This includes, but is not limited to: Microsoft hardware and software products, internal line-of-business applications, pre-release marketing materials, product license keys, and technical documentations related to Microsoft products and services.”

New Protection Requirements

This revision established some new protection requirements as well. Some of the more significant changes are as follows:

  • The previous version of the DPRs contained a link that suppliers could use to distribute Microsoft-hosted privacy training materials. Going forward, the training requirement is still there, but the supplier is now expected to develop their own privacy training that is tailored to their operations. If you need a place to start, the DPRs suggest that you email and they can make a template available.
  • The revised DPRs acknowledge that the supplier community is on a global scale and a variety of local laws mandate different standards of care around privacy and security of personal information. The supplier will have a duty to inform Microsoft to the extent that local laws require a deviation from processing instructions regarding personal information. And in some cases, the supplier may not be able to process that information.
  • For those suppliers that manage websites for Microsoft, the revised DPRs require a notice and choice provision regarding the use of cookies. The use of cookies must align with the Microsoft Privacy Statement, as well as the rules established by the EU.
  • For suppliers that use subcontractors in their work with Microsoft, the supplier must now formally acknowledge that they remain fully liable to Microsoft for the performance of any work by a subcontractor.
  • Maintaining a mobile device policy has always been an assumed requirement within the context of logical control requirements and handling of terminated employees, but the revised DPRs have now added an explicit requirement.
  • Suppliers are now required to maintain an inventory of all information assets used to deliver services to Microsoft. The inventory must also include:
    • The identification of the owner and/or user of the equipment,
    • An acknowledgement by that individual of an acceptable use policy,
    • The location of the device,
    • The classification of Microsoft data held on that device,
    • A record of asset retrieval upon termination of an employee, and
    • A record of data storage media disposal, when it is no longer required.
  • The previous DPRs referred to the maintenance of logical controls and physical controls, but did not specify any required controls. The revised DPRs now set out very specific requirements in this area.

This framework/program remains a broad-based set of requirements. As has been the case to this point, the revised requirements will impact some suppliers more significantly than others. No matter the degree of impact, all suppliers that process Microsoft Sensitive Information will be required to be compliant with applicable portions of the new framework by no later than March 31, 2018.


Please contact Pete Miller if you have questions.

© Clark Nuber PS and Developing News, 2017. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Clark Nuber PS and Developing News with appropriate and specific direction to the original content.