
Article

The Importance of your Data Processing Profile accuracy

Show me your Data Processing Profile and I will tell you what services you provide for Microsoft.

While this may be a bit of an overstatement, your Data Processing Profile (DPP) in the Supplier Security and Privacy Assurance (SSPA) Program should certainly reflect the services you provide for Microsoft. More importantly, an accurately completed DPP is an investment that can save you time and resources when completing your SSPA requirements.

This article will give you practical guidance on how to select a Data Processing Profile in line with the services you wish to be eligible to provide in your Microsoft engagements.

The Good to know sections answer some of the questions we are asked most frequently. Do not miss those!

In the SSPA Program, you as a Microsoft Supplier drive your own destiny. And it all comes down to your SSPA Data Processing Profile accuracy.

Before you start

If you are a Microsoft Supplier processing Personal Data and/or Microsoft Confidential Data under the terms of your contract, your Microsoft business owner(s) will initiate your company's enrollment in the SSPA Program, and you will need to complete your SSPA requirements in the Microsoft Supplier Compliance Portal (MSCP). The MSCP is an online tool used by the SSPA Team to co-ordinate Suppliers’ compliance activities.

It is crucial that your DPP responses in the MSCP reflect the service(s) you wish to be eligible to provide for Microsoft, because:

  • An accurate DPP is key to achieving the required Data Processing Approvals, which allow your Microsoft Business Owner to open Purchase Orders with your company. If you have insufficient Approvals, Purchase Orders may be delayed and new business with Microsoft may be held up.
  • Your DPP determines the number of Data Protection Requirements (DPR) you will need to self-attest to.
  • Your DPP determines whether compliance activities other than the Self-Attestation will be required (e.g. an Independent Assessment).

Your Data Processing Profile and Approvals

You can save time and resources by being thoughtful when completing your DPP.

First, consider the complete set of services you wish to provide for Microsoft and decide which Approvals to aim for. Please note that while the guidance below is meant to help you make your selections, we highly recommend that you review the definitions in the DPR and the SSPA Program Guide, both downloadable from the SSPA website.

For the data type category, you will need to consider the types of data your contracted services will involve and select one of the two Approvals below:

  • Processing of only Microsoft Confidential Data
  • Processing of Personal Data and Microsoft Confidential Data

For the processing location, you will need to select one of these two options:

  • 'At Microsoft or Customer'
  • 'At Supplier', i.e. in an environment managed by the Supplier

'At Supplier' is the wider scope and entails more requirements than 'At Microsoft or Customer', but it also allows you to participate in a wider range of services.

Select the first one if you Process ALL data within the Microsoft network environment where your staff use @microsoft.com credentials or provide services within the environment of a Microsoft customer. Suppliers providing temporary or outsourced staff for working in the Microsoft environment typically select 'at Microsoft'. However, if ANY data is processed outside the Microsoft network environment, even if just temporarily, 'at supplier' is the accurate choice.

The Personal Data Processing designations below apply to suppliers processing Microsoft “Personal and Confidential” data.

  • Controller
  • Processor - most supplier engagements
  • Sub processor - this designation is assigned by Microsoft in cases where Microsoft is itself a Processor and your company would Process qualifying Enterprise Personal Data types as a sub processor.

A separate Approval is needed if your engagements involve payment card processing.

If you provide services that fall under one of these categories, this Approval is required.

You will need this Approval if you wish to use Subcontractors that will Process Personal Data or Microsoft Confidential Data.

All in all, obtaining the right Approvals is crucial to smooth operations with Microsoft.

Our SSPA Assessment Team is here to help you confirm your Profile accuracy and prepare a plan for your Independent Assessment. Please contact us at cesspahelp@deloittece.com.
