The SOC 2 Privacy Audit

The Privacy Times. Privacy is a daily news topic with staying power as strong as we have ever seen it. Searching for the word “privacy” on any reputable news site will generate articles containing the day’s wide-ranging contributors—from Germany’s data protection authority ordering Google to change its data collection practices; to continued criticism of the U.S. government for its surveillance practices a la the NSA, drones, and dirtboxes; to U.S. Senators questioning ridesharing companies about information sharing practices. The list is long and growing every day. A lot of the privacy discussion is about basic human rights and is, therefore, in the domain of lawmakers, lawyers, and the media. However, business organizations may be impacted if their practices include the collection, use, retention, disclosure, and disposal of personally identifiable information (PII) and, of course, if and when a privacy breach occurs.

Should Your Organization Get a Privacy Audit? Privacy audits do not occur often because most of the time a security audit is all that is needed. Most of our audit clients are service organizations that have custody of their customers’ data and are expected to properly secure it from unauthorized disclosure; thus, a security audit may be warranted to demonstrate good security practices. It is necessary to demonstrate good privacy practices when a service organization’s personnel interactdirectly with the individuals or “data subjects” themselves, whose personal information they possess on behalf of their clients. This is key because a great deal of privacy compliance involves interacting directly with data subjects—not interacting with data subjects means non-applicability of many privacy requirements.

The SOC 2 Privacy Audit. Assuming an organization’s personnel do interact with data subjects—the customers of a potential new client—and a potential prospect requiresindependent assurance that the organization’s personnel adhere to good privacy and data protection practices, then the organization may want to consider getting a service organization control (SOC) 2 Privacy audit. The SOC 2 Privacy audit report includes a CPA firm’s opinion as to an organization’s compliance with the Trust Services Principles and Criteria on Privacy, as well as representations made in the organization’s published privacy policy or notice. SOC audits can be as of a specific point in time or can cover a period of time of at least six months. Common practice is to start with a point-in-time audit and convert to covering an annual period thereafter.

In our experience, new clients are rarely ready for a SOC 2 Privacy audit. The following are the top challenges that clients face on the road to a clean SOC 2 Privacy audit opinion.


The Top 5 Challenges of the SOC 2 Privacy Audit
Privacy PolicyThe Privacy Policy is an internal policy and procedure document that most organizations have not formalized. Creating and implementing the privacy policy will take some time. A compliant Privacy Policy must contain content dictated by each of the ten AICPA generally accepted privacy principles (GAPP): 1) Management; 2) Notice; 3) Choice and Consent; 4) Collection; 5) Use, Retention, and Disposal; 6) Access; 7) Disclosure to Third Parties; 8) Security for Privacy; 9) Quality; and, 10) Monitoring and Enforcement.
Privacy NoticeThe Privacy Notice is is an externaldocument that is most often posted on websites. When publicized, it is often called the Privacy Policy, which leads to some confusion with the aforementioned internalPrivacy Policy. Creating this document will also take some time and it also must contain content dictated by nine of the GAPP areas (2 through 10). The Privacy Notice must be provided to individuals at or before the time their personal information is collected, or as soon as practical thereafter.
Risk AssessmentThe SOC 2 Privacy criteria require that a risk assessment process be used to establish a risk baseline, to identify—at least annually—new or changed risks to personal information, and to develop and update responses to such risks. The challenge is in the formalizing of the risk assessment to demonstrate it has been done. This requires creating a PII inventory and then documenting the assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the PII in the inventory, whether in physical or electronic form.
Retention PracticesJust like people, organizations collect and collect and collect and have a great deal of difficulty getting rid of data. However, the SOC 2 Privacy criteria require that personal information be retained for no longer than necessary to fulfill the stated purposes. By implication, there is an expectation that an organization must establish a formal retention policy for PII and then eliminate PII that should not be retained under the policy. Breaking up is hard to do, but it will dramatically reduce risk to part with old, unneeded PII.
Monitoring & EnforcementThere are two challenges that emanate from the SOC 2 Privacy criteria concerning Monitoring and Enforcement. First, establishing a process to address inquiries, complaints, and disputes. To be compliant, an organization must document, respond to, and resolve complaints in a timely manner. Second, monitoring the effectiveness of controls over personal information, based on a risk assessment, and for taking timely corrective actions where necessary. This was covered in a recent blog post.

Leave a Reply

Your email address will not be published. Required fields are marked *