SSPA DPRs version 9. What you need to know.

comparison chart screenshot

SSPA DPRs version 9. What you need to know.


Microsoft has updated its data protection requirements (DPRs) for its Supplier Security & Privacy Assurance program (SSPA). .

Whilst thirty-nine of the previous fifty version 8 DPRs remain unchanged, there are two NEW REQUIREMENTS in version 9, DPR 5 and DPR 13 bringing the total number of DPRs in this latest version to fifty-two.

  • DPR 5 requires the Microsoft supplier to ‘Apply appropriate sanctions against employees who fail to comply with supplier’s privacy and security policies’. As an auditor, we are looking to your HR policies for alignment with your information securoty policies i.e., make explicit mention of disciplinary procedures and what might envoke them.
  • DPR 13 requires the Microsoft supplier to maintain the data in the state in which it was received i.e., if received in pseudonymised format, it must not be processed such that individuals are re-identified. The supplier should maintain policy and procedure to ensure this requirement is consistently achieved. Clearly this applies to personal data, not confidential data. Your auditor will be looking for evidence of the format data is received e.g., is it 'personal data' (relating to an identified or identifiable natural person), and have you carried out any processing which might remove or add personal identifiers.

Notable amendments include.

Several DPRs are amended to reinforce protection of personal data that is health related, particularly data that is protected under the US legislation, the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Specific HIPAA requirements will not impact on SSPA organisations outside of the US, however, the increased focus on 'health related personal data (special category data 'SCD' in GDPR terminology) is an impoertant change. Your auditor will be lookng for any SCD in your data flows.

  1. DPR 32 – the strengthening of the data integrity requirement to include a ‘review of information system activity’. This is an ‘on request’ requirement, but suppliers should consider how they would demonstrate what activity has taken place in information systems that may lead to a change in data integrity e.g., access logs.
  2. DPR 36 – the strengthening of the network security assessment requirement to include ‘assessment of potential risks and vulnerabilities’. Those familiar with the GDPR requirement for data protection impact assessment (DPIAs) will be able to incorporate these into their SSPA assessments. As with previous versions, a valid ISO 27001 certificate will exempt you from these Section J requirements. [Expert tip: remember to inform Microsoft of your ISO certificate to ensure section J is removed from your self-assessment questions.] 
  3. DPR 38 -  the strengthening of the asset management requirement to include the management of VIRTUAL assets e.g., virtual machines and other cloud based server/storage technology.
  4. DPR 39 -  the strengthening of the access management requirement to include automatic log-off after inactivity.
  5. DPR 40 -  the strengthening of the patch management requirement to include monthly vulnerability scans.
  6. DPR 45 -  the strengthening of the security training requirement to include log-in and password risk (a consistent weakness in data protection), and expansion to include all those who have access to Microsoft personal data and confidential data. NB this could prove challenging when demonstrating that suppliers who access the data have sufficient training.


Version 8/9 comparison chart

For a free comparison chart drop us an email at, and ask for your copy.