6 Microsoft SSPA Compliance Considerations for Third-Party Service Providers

by Pippa Akem
November 23, 2021

Many businesses that supplement Microsoft suppliers are in the enviable position of seeing an increased demand for their services. But as focus on data privacy regulations grows, these third-party service providers may find that closing deals hinges on displaying risk controls never asked of them before.

A prime example of this is Microsoft’s Supplier Security and Privacy Assurance (SSPA) program, where third-party service providers, who aren’t directly contracted with Microsoft, still must display SSPA-compliant data privacy and security controls to their partner if they will handle personal or confidential Microsoft data. This is because that Microsoft partner carries all the liability for any mishandled data.

Prospective service providers that support Microsoft suppliers should consider a few key items — including the six service provider expectations for SSPA compliance outlined below — to help Microsoft suppliers achieve Microsoft’s coveted SSPA “Green” status and open up the further business opportunities that status entails.

How to Become a Data Steward

Data protection regulations aren’t going away; in fact, they’re only expanding. (We’ve written before about how the SSPA guidelines can be an effective guide to building a privacy program that meets the most stringent regulations.)

As a third-party service provider, understanding your relationship to the direct supplier, and the regulations that apply to them, clarifies the requirements on your end. When executing a contract with Microsoft, suppliers must demonstrate adherence to Microsoft’s data protection requirements (DPR) for the data they can access and, in effect, for the data they give you access to.

You stand to be a more effective and efficient business partner if you have a clear understanding of how your contracted services relate to the SSPA requirements. If the services you offer a Microsoft supplier fall into any of the following service categories (as defined by the DPR), your access to customer data will depend on the relevant practices, the nature of the business and the services you provide:

  • Supporting key infrastructure, such as network and data storage
  • Handling implementation and maintenance, as well as infrastructure and applications (e.g., cloud computing, infrastructure and SaaS)
  • Aiding infrastructure and managed applications, as well as the disaster recovery aspects of infrastructure and applications (e.g., backup and recovery site)

Microsoft Suppliers’ Expectations for SSPA Compliance

As a third-party service provider to a Microsoft supplier, if your organization falls within the above categories, you should have a process to evaluate your internal security, privacy and confidentiality practices as they relate to your relevant third-party services. This allows you to answer questions that would satisfy the same obligations Microsoft suppliers must satisfy for potential customers.

You should be able to answer the following:

  1. Do you interact with the customer’s personal data? How?
    Your organization may need to perform a quick inventory to establish the data you collect, store and/or transmit.
  2. Do you store customer data? Do you use cloud services? Is data transmitted using proper encryption?
    Answers to these questions will identify existing controls and possible gaps.
  3. Does your organization use a standard agreement with customers?
    An effective agreement should lay out the provisions around processing, security and retention practices. Your customer contracts should define all parties’ roles in processing and expectations in responding to data subject access requests. Additionally, they should explain privacy and security requirements to ensure customers’ compliance. The contract should also:
    1. Include policies for document storage, retention and disposal
    2. Define data management processes, procedures and standards for handling customer data
    3. Address the customer’s privacy and security programs
    4. Include staff privacy and security training
    5. Lay out the customer’s responsibilities for ensuring compliance and allocation
    6. Include right-to-audit clauses
    7. Capture an escalation path for reporting privacy or security concerns or issues
  4. Have you developed a profile of all your customers?
    Make sure your inventory gives sufficient information about each customer’s processing.
  5. Are there ongoing monitoring processes?
    Create a procedure to review the compliance of your processing activities on an ongoing basis.
  6. Do you have data security and controls?
    As with any organization, you should assess the strength of your internal controls to protect the confidentiality, integrity and availability of data.

Benefits of a Compliant Data Privacy Program

Today’s service environment includes a litany of outsourced services that support critical systems, and organizations are increasingly recognizing that privacy can drive business growth. Creating the right balance between privacy and other competing interests minimizes the chances of intrusions, maximizes fairness and fosters legitimate enforceable privacy expectations.

Companies want their employees, customers and partners to see they’re transparent when it comes to data privacy and security. Third-party service providers can play a critical role in assuring the appropriate management of privacy and security risks.

The changing expectations and rules for handling data underscore the need for all parties to carefully perform a due diligence review of current practices to protect and secure customer data, to pinpoint the gaps, and to use a risk-based approach to remediate the issues. Failing to accurately assess and address risks inherent within the service ecosystem can be costly if ineffective controls are in place to lock down your personal data holdings. Your organization, and your partners, risk reputational damage and civil penalties if data gets into the wrong hands.

Are You Confident in Your SSPA Compliance?

Changing requirements for third-party service providers reflect the ever-increasing cyberthreats of a rapidly evolving digital world that brings opportunity as well as risk. Contact Armanino’s Cybersecurity experts to get clarity on SSPA and other data privacy compliance requirements.

Author
Pippa Akem - Risk Assurance & Advisory | Armanino
Senior Manager