The SOC 2 Privacy criteria are one of the five AICPA Trust Services Criteria categories (Security, Availability, Processing Integrity, Confidentiality, and Privacy) that may be included in a System and Organization Controls (SOC) 2 report that a service organization provides to its user entities. The General Data Protection Regulation (GDPR), by contrast, is a directly enforceable EU regulation (Regulation (EU) 2016/679) that protects the personal data of individuals in the European Union, whatever their citizenship, across all member states. Both have similarities and differences that will be discussed in this article.
What is SOC 2 Privacy?
In a SOC 2 examination that includes the Privacy criteria, the criteria apply to personal information, notably personally identifiable information (PII) such as health records, social security numbers, addresses, and payment card data. The Privacy criteria are applicable when the service organization interacts directly with the data subject, or collects, uses, retains, discloses, or disposes of personal information on behalf of its user entities.
A SOC 2 examination that incorporates the trust services privacy criteria will include the processes and controls that the service organization has in place to meet their privacy commitments and system requirements to its user entities.
The Privacy criteria comprise eight categories: notice and communication of objectives, choice and consent, collection, use, retention, and disposal, access, disclosure and notification, quality, and monitoring and enforcement. Together they cover the service organization's privacy notice and the choices the data subject has over the use and disclosure of their personal information. They also address the individual's right to access their personal information for review and update, and require the service organization to have mechanisms in place to track and resolve inquiries, complaints, and disputes.
What is GDPR?
The General Data Protection Regulation (GDPR) was adopted by the European Union (EU) in April 2016 and has applied since May 25, 2018, to protect the personal data of individuals in its member states. Any organization, inside or outside the EU, that is established in the EU, or that offers goods or services to individuals in the EU or monitors their behavior, must comply with GDPR when it collects, uses, processes, shares, or stores their personal data, or be subject to the sanctions and fines the regulation provides for.
The GDPR, encompassing 11 chapters and 99 articles, gives individuals greater control over their personal data. Personal data is any information relating to an identified or identifiable natural person, including a name, photo, social media posts, email address, IP address, or medical history. Individuals have the right to be informed about, access, correct, restrict or object to the processing of, and erase their personal data.
Under GDPR, controllers and processors of personal data are required to implement technical and organizational security measures appropriate to the risk of the processing, to maintain that security throughout the processing, and to notify a personal data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, and to the affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
Examples of SOC 2 Privacy and GDPR Similarities
The SOC 2 Privacy criteria and GDPR have many similarities. Both are geared toward protecting the personal information of the data subject.
The SOC 2 Privacy criteria require the service organization to communicate the choices available to data subjects and to obtain their implicit or explicit consent regarding the collection, use, retention, disclosure, and disposal of their personal information. GDPR similarly requires that every processing activity rest on a lawful basis; consent is one of those bases (alongside, for example, performance of a contract or a legitimate interest), and where it is relied upon it must be freely given, specific, informed, and unambiguous. If personal data is to be processed for a purpose beyond the one for which it was collected, the organization must either establish that the new purpose is compatible with the original one or obtain the data subject's consent.
Under the SOC 2 Privacy criteria, the personal information collected should be limited to what is needed to meet the organization's objectives and be consistent with the organization's privacy commitments and system requirements. Personal information obtained from third parties should be evaluated to ensure that it is reliable and was collected lawfully. GDPR's data minimization principle likewise requires that organizations collect and process only personal data that is adequate, relevant, and limited to what is necessary for the stated purpose.
Under the SOC 2 Privacy criteria, the organization maintains the quality of the data subject's personal information by giving the data subject the ability to review and update their data as necessary, and by performing adequate due diligence on data gathered from third parties. Likewise, GDPR's accuracy principle requires the organization to take every reasonable step to ensure that personal data is accurate and, where necessary, kept up to date, and to erase or rectify inaccurate data without delay. Data subjects have the right to have the organization correct inaccurate personal data about them.
Under the SOC 2 Privacy criteria, personal information should be retained no longer than needed to meet the organization's objectives. Similarly, GDPR's storage limitation principle requires that personal data be kept in identifiable form no longer than necessary for the purposes for which it is processed. Both require that personal data be securely disposed of when it is no longer needed.
The SOC 2 Privacy criteria and GDPR both require that personal data be appropriately secured to protect its confidentiality and integrity. Under GDPR this may include encrypting or pseudonymizing the data; note that fully anonymized data, which can no longer be linked to an individual, falls outside the scope of GDPR altogether.
Should a data breach compromise the data subject's personal data, both the SOC 2 Privacy criteria and GDPR require timely notification to the appropriate authorities and to the affected data subjects. GDPR fixes the deadline for notifying the supervisory authority at 72 hours from awareness of the breach where feasible; the SOC 2 criteria require notification in accordance with the organization's privacy commitments and applicable laws rather than setting a specific deadline.
Examples of SOC 2 Privacy and GDPR Differences
The SOC 2 Privacy criteria and GDPR have many differences.
GDPR is legally enforceable and extends to organizations anywhere in the world that handle, store, or process the personal data of individuals in the EU, whereas compliance with the SOC 2 Privacy criteria is voluntary, is not legally enforceable, and is primarily recognized in the United States.
GDPR codified the data subject's "right to be forgotten" as the right to erasure (Article 17). Where one of the grounds in that article applies, for example when the data subject withdraws the consent on which processing was based and no other lawful basis exists, or when the data is no longer necessary for the purpose for which it was collected, the organization must erase the personal data without undue delay, subject to the exceptions the article provides, such as processing required to comply with a legal obligation. If the organization has made the data public, it must also take reasonable steps to inform other controllers that are processing the data that the data subject has requested erasure of it, including any links to or copies of it.
While a SOC 2 examination against the Privacy criteria is elective, control deficiencies may lead to exceptions or a qualified opinion in the report and to a loss of trust by user entities and other readers of the report. Under GDPR, the roles and responsibilities of data controllers and data processors are defined, and both may be held liable for failing to properly secure personal data and for failing to comply with the regulation. Administrative fines may be imposed on any non-compliant organization inside or outside the EU of up to EUR 20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is greater.
GDPR requires the appointment of a Data Protection Officer (DPO) when the organization is a public authority, when its core activities involve regular and systematic monitoring of data subjects on a large scale, or when its core activities involve large-scale processing of special categories of data or data relating to criminal convictions. The requirement turns on the nature and scale of the processing rather than on the size of the organization. The DPO's role is to inform and advise the organization on its GDPR obligations and to monitor compliance. There is no equivalent requirement under the SOC 2 Privacy criteria.
Under GDPR, an organization must build data protection into the design of projects and systems that will hold or process personal data, and must default to processing only the personal data necessary for each purpose. This data protection by design and by default obligation (Article 25), together with the requirement to carry out a data protection impact assessment for high-risk processing (Article 35), ensures that privacy is addressed at the outset rather than as an afterthought. The SOC 2 Privacy criteria do not call out an equivalent obligation.
GDPR is far-reaching and very detailed about the specific practices organizations must have in place to ensure compliance. Meeting the SOC 2 Privacy criteria may take an organization much of the way toward GDPR compliance, but it does not by itself establish compliance.
The examples highlight similarities and differences between the SOC 2 Privacy criteria and GDPR but are not a comprehensive list. Protection of personal data is paramount to ensure that data privacy is maintained, and to demonstrate compliance with data protection regulations.
Data privacy regulations protecting personal information and the rights of individuals over their personal data are likely to become stronger and more complex over time. Following in the footsteps of GDPR, the California Consumer Privacy Act (CCPA), effective January 1, 2020, enacted the most stringent data privacy requirements in the United States at the time of writing. More states are likely to follow.
Failing to take data privacy and the rights of data subjects seriously may result in fines, class-action lawsuits, and lost revenue, as well as damage to brand and reputation. Data privacy laws protecting the personal information of data subjects are here to stay.
Becky McCarty (CPA, CISA, CRISC, CIA, CFE) specializes in SOC 1 and SOC 2 examinations for Linford & Co., LLP. She completed her Master’s degree in Information Systems in 1996, started working with KPMG in 1999, and joined Linford & Co., LLP in 2018. She works closely with clients so that the examinations are performed efficiently and with minimal disruption while ensuring performance in accordance with professional guidance. She enjoys helping clients successfully achieve the requirements for their SOC audit reports based on their applicable trust services criteria.