Should Your Organization Get a Privacy Audit?

Privacy audits do not occur often because, most of the time, a security audit is all that is needed. Most of our audit clients are service organizations that have custody of their customers’ data and are expected to secure it properly from unauthorized disclosure; a security audit is therefore usually sufficient to demonstrate good security practices. Demonstrating good privacy practices becomes necessary when a service organization’s personnel interact directly with the individuals, or “data subjects,” whose personal information they hold on behalf of their clients. This distinction matters because a great deal of privacy compliance involves interacting directly with data subjects—if an organization does not interact with data subjects, many privacy requirements simply do not apply.
In our experience, new clients are rarely ready for a SOC 2 Privacy audit. The following are the top challenges that clients face on the road to a clean SOC 2 Privacy audit opinion.
The Top 5 Challenges of the SOC 2 Privacy Audit

| Challenge | Description |
|---|---|
| Risk Assessment | The SOC 2 Privacy criteria require that a risk assessment process be used to establish a risk baseline, to identify—at least annually—new or changed risks to personal information, and to develop and update responses to those risks. The challenge lies in formalizing the risk assessment so that it can be demonstrated to have been done. This requires creating a PII inventory and then documenting the assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the PII in that inventory, whether in physical or electronic form. |
| Retention Practices | Just like people, organizations collect and collect and collect, and have a great deal of difficulty getting rid of data. However, the SOC 2 Privacy criteria require that personal information be retained for no longer than necessary to fulfill the stated purposes. By implication, an organization is expected to establish a formal retention policy for PII and then eliminate PII that should not be retained under that policy. Breaking up is hard to do, but parting with old, unneeded PII dramatically reduces risk. |
| Monitoring & Enforcement | Two challenges emanate from the SOC 2 Privacy criteria concerning Monitoring and Enforcement. First, establishing a process to address inquiries, complaints, and disputes: to be compliant, an organization must document, respond to, and resolve complaints in a timely manner. Second, monitoring the effectiveness of controls over personal information, based on a risk assessment, and taking timely corrective actions where necessary. This was covered in a recent blog post. |