The Schellman Blog

Microsoft recently provided a pre-release of v12 of their Data Protection Requirements (DPR) for suppliers required to undergo an annual security and privacy assessment through Microsoft’s Supplier Security and Privacy Assurance (SSPA) program. Microsoft DPR v12 is scheduled to refresh March 30, 2026, and features a total of 63 requirements. Notably, this is a reduced number of controls compared to v11, which featured a total of 67 requirements.

As organizations expand their digital footprints and adopt AI at scale, global privacy expectations are rising worldwide. At the same time, cyber threats are growing more sophisticated, further driving the need for more advanced, resilient privacy programs to meet both regulatory and security demands.

ISO 27701 is a globally recognized standard for establishing a privacy information management system (PIMS), outlining the requirements and supporting controls that should be fulfilled and implemented. Compliance with ISO 27701 indicates that an organization has implemented a system to manage risks related to data privacy and the processing of personally identifiable information (PII).

Many suppliers working with Microsoft are now required to complete the Microsoft Supplier Data Protection Requirements (MSDPR) Independent Assessment each year to maintain Supplier Security and Privacy Assurance (SSPA) compliance. In practice, we continue to see organizations misinformed about what’s actually required, which often leads to unnecessary costs, re-tests, or delays.

The California Consumer Privacy Act (CCPA) is reminiscent of Michael Meyers, Freddie Krueger, or Ghostface in that no matter how many times you think its presence is done, it keeps coming back with more. While privacy professionals have been tracking the slow rulemaking process for some time, the newly approved regulations may have startled others, fittingly just in time for spooky season.

In groundbreaking news, it was announced at the CBPR Forum held in Singapore this week that the Global CBPR System will officially go live on June 2nd, 2025.

In today’s complex and constantly evolving regulatory environment, businesses face an ever-growing array of compliance requirements across multiple frameworks ranging from FedRAMP, PCI, ISO, GDPR, and HIPAA, to name a few. Navigating these compliance waters is increasingly challenging, particularly with regards to cybersecurity and data protection. However, there are measures you can take to significantly refine your compliance processes. In this article, we will explore how streamlining all of your compliance efforts with a single trusted provider can not only simplify your processes but also enhance your overall security posture.

Microsoft recently released v11 of their Data Protection Requirements (DPR) for suppliers required to undergo an annual security and privacy assessment through Microsoft’s Supplier Security and Privacy Assurance (SSPA) program. Microsoft DPR v11 went into effect April 2025 and features a total of 67 requirements.