There is no doubt that data privacy is a hot topic in boardrooms and courtrooms across the U.S. and globally. With the privacy landscape evolving quickly and heavily publicized breaches, many businesses now see that the collection and processing of personal data are more closely governed. However, with so much attention being directed to regulatory compliance, it can be easy to lose sight of other mechanisms that create privacy obligations for companies, contracts being chief among them.
Microsoft’s Contractual Requirements for its Suppliers
Whether you’ve been a Microsoft supplier for years or just signed your first contract, you may not be aware that Microsoft has established the Microsoft Supplier Data Protection Requirements (DPR). The DPR require Microsoft suppliers to comply with the various regulatory frameworks governing data privacy (including the EU-US Privacy Shield and the GDPR), as well as any standard contractual terms or binding corporate rules adopted or agreed to by Microsoft.
The DPR also set out specific requirements relating to the collection and management of personal and confidential data in performing services for Microsoft. These requirements generally reflect industry best practices for handling personal data and are divided into the following categories:
- Management – Addresses the general management of contracts and data associated with the supplier’s work for Microsoft.
- Notice – Addresses the use of Privacy Statements and notice to consumers of the data being collected.
- Collection – Addresses why and what kind of data is being collected (i.e. personal, confidential, sensitive).
- Retention – Addresses how long the supplier retains data and timing and mechanism for deletion.
- Data Subjects – Addresses the rights of data subjects and responses to requests from data subjects.
- Disclosure to Third Parties – Addresses requirements for sharing data with supplier’s subcontractors.
- Quality – Addresses the integrity and accuracy of data collected by the supplier.
- Monitoring and Enforcement – Addresses incident response and remediation requirements.
- Security – Addresses requirements for securing and protecting personal and confidential data.
The GDPR and Microsoft’s DPR Requirements
Business owners should be careful not to assume that their company is in compliance with Microsoft’s DPR, even if the company has already taken steps to comply with the GDPR or other privacy frameworks. For instance, the security requirements provided in the DPR are more specific than what we see in the GDPR. While the GDPR recommends encryption and pseudonymization as means of protecting personal data, Microsoft’s DPR mandates it for the protection of both personal data and confidential data. Additionally, the DPR requires the supplier to notify Microsoft in specific circumstances, including when the supplier cannot meet its obligations under the DPR or is aware of a data breach or security vulnerability related to it’s handling of personal or confidential data for Microsoft. These are just a couple of ways in which the DPR differ from the data privacy regulatory frameworks with which we are familiar.
How to Ensure Compliance
Failure to comply with Microsoft’s DPR (or any contractual privacy obligations, for that matter) can result in breach of contract claims and could result in damages, including regulatory fines passed on to the supplier, contract damages, and legal fees. The best way to ensure your company is compliant with its data privacy obligations is to review your existing policies and procedures in light of these contractual and regulatory obligations and to do so under attorney-client privilege, where possible. Additionally, Microsoft retains the right to update the DPR and suppliers should monitor for these updates and be prepared to make changes to their data privacy programs accordingly.
If you are a Microsoft supplier and are unsure if or how the DPR apply to your company, get in touch with one of our attorneys who can help you navigate your contracts and the associated privacy responsibilities.