Microsoft's Data Protection Requirements (DPR) renewed in 2022

Prepare for your 2023 SSPA cycle by reviewing the changes

SSPA Compliance is a core requirement for all Microsoft suppliers who want to be available for business that involve Personal or Confidential data handling. It is essential that suppliers are familiar with Supplier Security and Privacy Assurance (SSPA) Program requirements and to be on time when it comes to completing their annual SSPA requirements.

Microsoft SSPA launched the updated version of the SSPA Program Guide and the related Data Protection Requirements (DPR) on 19 August 2022.

We have collected the major changes in version 8 of these core SSPA documents to help Microsoft suppliers prepare for their next annual SSPA cycle.

Program Guide

The version 8 Program Guide includes some updates and clarifications for the Independent Assessment, Sub processors and Software as a Service (SaaS).
The sensitive data classification was expanded to include children’s data due to a new law in China (PIPL).

The term "data breach" in Section I (Monitoring and Enforcement) has been moderated to the term "incident". The requirements to submit Payment Card Industry (PCI) certification for suppliers that process payment cards on behalf of Microsoft and the requirement to submit an ISO27001 for suppliers that provide Software as a Service (SaaS) and are contractually obligated to provide this document, are now separated from the DPR Self-Attestation as two standalone tasks.


The structure and Sections remained, however, the DPR shrunk from 53 to 50 requirements.

5 requirements were removed (#11,12,32,51,52), 4 clarified with minor but helpful modifications, and 2 new ones were added to include requirements of new regulatory laws (#2,11).

Let us highlight the newly added and the updated requirements to help you prepare.

The SSPA has included a new Sub processor requirement. This would only apply to a supplier if Microsoft has previously designated them as a Sub processor. In cases, where Microsoft confirms that the supplier’s engagements fulfill a Sub processor role, they will need to have applicable data protection agreements in place with Microsoft, such as Standard Contractual Clauses, Online Customer Data Addendum, and/or Supplier and Partner Professional Services Data Processing Addendum. 

Suppliers collecting children's data must be prepared for this new requirement. The SSPA expanded the sensitive data classification to include children’s data due to a new law in China (PIPL). Where applicable, suppliers must obtain the appropriate parental/guardian consent before collecting data from children.

#7 > #8:

This requirement applies to suppliers that create and manage Microsoft websites and/or applications or sites that carry Microsoft branding and relates to the use of cookies. The expiration period for persistent cookies is now reduced to no more than 13 months, from no more than 2 years in the previous DPR version.

#10 > #28

This requirement applies to suppliers who collect Personal Data from third parties on behalf of Microsoft and was included in Section D (Collection) in the previous DPR version. You will now find it in Section G (Subcontractors).

#23 > #22

Per the new DPR suppliers need to notify Microsoft prior to subcontracting services or making changes to their subcontractor portfolio. This is an ease to the previous version that required suppliers to receive Microsoft's written consent prior to subcontracting data processing services.

#38 > #37

This is a security item setting out requirements related to access rights management. Microsoft kept most of the requirement as is but removed the password reset timeframe prescribing a password reset period of no longer than 70 days.

Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Did you find this useful?