Are you looking for a Microsoft supplier independent assessor to conduct a Microsoft SSPA Independent Assessment on your organisation? The purpose of the assessment is to independently assess whether your organisation (which is a supplier to Microsoft and processes personal data for it) complies with the Microsoft Supplier Data Protection Requirements (DPR). As an independent assessor, we give Microsoft assurance that your organisation (as a supplier) meets Microsoft security and privacy requirements. This is part of the Microsoft SSPA Program.

We conduct a variety of assessments regarding a number of different data protection standards.

What is supplier compliance?

Most organisations that act as controllers want the suppliers that process personal data on their behalf (their processors) to meet their security and privacy requirements. Their contracts often impose contractual obligations, and the law places further obligations on processors. But how does the controller get assurance that the processor has, in fact, met those obligations? This is where an independent assessor such as ourselves plays a role, by conducting an assessment and providing that assurance.

How do you benefit from a Microsoft SSPA Independent Assessment?

Microsoft may select your organisation to provide independent assurance to Microsoft by getting an independent assessor to complete an assessment against the DPR. But your organisation is going to pay for it, so what’s in it for you?

  • Well, you get to be a supplier to Microsoft. If you don’t complete the assessment, Microsoft isn’t going to keep using you as a supplier.
  • You’ll be better at security and privacy, which will make you look good in the eyes of all your customers (controllers).
  • You’ll avoid the risks of non-compliance with data protection laws.

The process we follow as a Microsoft supplier independent assessor

We generally carry out the following steps as an independent assessor:

  • set up an initial consultation with you to understand how you’re processing Microsoft Confidential and Personal Data and any other personal data on Microsoft’s behalf;
  • have additional meetings with specific technical or operational personnel within your organisation or your key external service providers to better understand the details of your processing;
  • ask you to send us certain documents to review, such as various contracts, policies and certifications, to make sure that you’re complying with the DPR;
  • ask follow-up questions of you and your personnel to fill in any gaps in our understanding so that we have a clear picture of your level of compliance;
  • draft a clear and succinct written report of your current level of compliance with the DPR, which includes an assessment of whether you comply with each requirement or not and what you can do to achieve compliance;
  • provide you with estimates for any documents or services we can provide or recommendations of other service providers to help you fulfil any outstanding requirements; and
  • send you a signed independent assessment letter to send to Microsoft confirming your compliance once we are satisfied that you’ve fulfilled any outstanding requirements, either by using our documents or services or those you’ve obtained elsewhere.

We perform this process systematically and are ready to adapt to special circumstances, such as by conducting the entire process remotely via video conferencing.

Why are we qualified?

  • We hold privacy-specific certifications that Microsoft requires of independent assessors, such as the CIPP/E.
  • We’ve done it before.
  • We are not yet on the Microsoft preferred assessors list but we aim to be on it soon.

How should you prepare for the assessment?

You should make your organisation ready for the assessment.

Identify a primary point of contact, usually your data protection or information officer, who will manage the project from your side and coordinate with us in performing the assessment.

Get in touch with the specific technical or operational personnel within your organisation and your key external service providers to manage their expectations and prepare them to interact with us.

Collate the necessary documents for us to review, such as:

  1. all relevant contracts between your organisation and Microsoft and between your organisation and key personnel or service providers;
  2. information security, incident response and other relevant policies; and
  3. proof of ISO, SOC 2 and other relevant certifications.