Have you been asked by Microsoft to complete an independent assessment of your compliance with their Data Protection Requirements (DPRs)?

Has SSPA suddenly become a time-critical priority? You’re not alone: many suppliers receive unexpected requests, and Microsoft requires fast, accurate responses.

Microsoft supplier security & privacy assurance program (SSPA)

Why this matters

As part of the Microsoft procurement process, vendors or suppliers who would like to contract with Microsoft may be required to participate in the Supplier Security and Privacy Assurance (SSPA) program. Microsoft created the SSPA program to test whether its suppliers can demonstrate a minimum standard of security, privacy and AI compliance, as defined in the program’s Data Protection Requirements (DPRs).

How the Program works

Firstly, Microsoft needs to determine which of the DPR controls it believes are applicable to the Supplier’s business. To do this, the Supplier first answers profile questions about the services they provide and the nature of the Microsoft data they would like to process (e.g. confidential data, personal data or sensitive data).

This information determines which of the DPRs the Supplier will be asked to self-assess against. Responses will be reviewed by the SSPA Team at Microsoft and, if required, they may seek clarifications.

Depending on the answers provided when the Supplier Questionnaire was completed, Microsoft may then require that the self-assessment is validated by an external, third-party assessor. Further guidance on the ‘triggers’ for external assessment can be found in Microsoft’s official Program Guide. Remember to check the official resources regularly for updates to the Program Guide and the DPRs.

If Microsoft has selected your organisation for an Independent Assessment, you must complete it before they will issue any future Purchase Orders.

Planning your assessment

Both self-assessments and external assessments are annual requirements. The date you joined the program will determine your ‘SSPA Anniversary’ date. This date marks the beginning of a 90-day window in which to complete your assigned tasks i.e. profile updates, self-assessment and external assessment.

Identifying, collating and assessing the required evidence can take 6-8 weeks (or longer). Make sure that you have engaged an external assessor with plenty of time to spare. Whilst extensions of up to an additional 90 days can be applied for, these are the exception and not the norm.

How can iCompli help?


Our team of experienced, IAPP-certified (CIPP/E) privacy assessors will guide you safely through the entire Independent Assessment process, from initial review to the final, Microsoft-approved Letter of Attestation.

Not sure about your Supplier Profile? No problem: we can help you understand how the answers to the profile questions affect your ability to contract with Microsoft and the impact this will have on your assessment type (self-assessment or independent assessment).

If you are wondering what some of the data protection requirements (DPRs) mean, our assessors can explain what each of them requires, making sure you can quickly identify relevant evidence to support your compliance claim.

Have you got limited resources and are running out of time to complete your assigned tasks? We can secure deadline (bridging) extensions on your behalf, communicate directly with the SSPA Help Team, and ensure you have sufficient time to gather all the required evidence of compliance.

Timescales are usually tight! The request for an independent assessment is often unexpected, but we can get you back on track with a simple, fixed cost program.

Set up a call today and get your Supplier assessment ‘ticked off’.


Or email us at info@icompli.co.uk

Want to know more about the SSPA process?

Visit our SSPA Resource hub for key resources and guidance