The trust services criteria for privacy, as applied in a SOC 2 privacy audit, cover only personal information such as health records, payment card information, or other personally identifiable information (PII). This differs from the confidentiality criteria, which apply to various types of sensitive information such as customer lists, product specifications, or other proprietary information.
In a SOC 2 examination, the common criteria include security, which addresses data security and authorized access to the data. Preparing for compliance with the privacy criteria requires considering how the organization interacts with the data subject, and it takes much more effort to meet those requirements than to meet the confidentiality criteria. If your organization does not create, collect, transmit, use, or store personal information, or interact with the data subject, then compliance with the privacy criteria may not be necessary.
What is a Privacy Audit?
A privacy audit is an independent review and appraisal of an organization’s privacy and data security posture, performed through the processes and supporting documentation that attest to the organization’s compliance with the SOC 2 privacy criteria and with its own privacy notice covering the personal information under its control. A privacy audit provides assurance of the organization’s ability to meet its privacy commitments and system requirements, and it identifies any opportunities noted for improvement.
What to Expect With a Privacy Audit?
A SOC 2 examination incorporating the Trust Services Criteria for Privacy may only be conducted by a certified public accounting (CPA) firm. Upon engagement of a CPA firm, a readiness assessment may be conducted to ensure the organization is prepared for the privacy audit and to prevent any surprises.
During the planning phase of the engagement, a request list is generally provided in advance of onsite fieldwork. The more that an organization can have the items on the request list ready for review prior to the onsite fieldwork, the more efficient the audit process will be.
Walkthroughs will be conducted to ensure that controls are designed sufficiently to meet the objectives. Testing of a sample of transactions under the controls will be performed to ensure that the controls are operating effectively.
A draft of the report will be provided to management along with any further findings and recommendations noted prior to final release of the report.
What is Included in a SOC 2 Privacy Audit Review?
The privacy criteria incorporate the following eight categories into their requirements:
- Notice
- Choice and Consent
- Collection
- Use, Retention, and Disposal
- Access
- Disclosure and Notification
- Quality
- Monitoring and Enforcement
Each of these eight categories is described in more detail below so that you can prepare successfully for a SOC 2 privacy audit review.
Notice
The privacy notice describes the privacy practices the organization follows to meet its objectives over privacy commitments and system requirements, and it is communicated to data subjects. The privacy notice must be communicated to data subjects at or before the time personal information is collected, or shortly thereafter. Any changes to the privacy notice, including changes in the use of personal information, must be communicated to data subjects by the organization in a timely manner. Privacy notices are commonly posted on an organization’s public website so that they are readily accessible by anyone at any time.
Choice and Consent
The organization must inform data subjects about the choices available to them and the consequences of each choice regarding the collection, use, retention, disclosure, and disposal of their personal information. Consent from the data subject must be obtained for the choices made regarding their personal information, and the organization must effectively implement the choices selected.
Collection
The organization should collect only the personal information required to meet its objectives, in a manner consistent with its privacy commitments and system requirements. The organization must have a process in place to evaluate the reliability of information collected from third-party sources and to gain assurance that those sources collected the information fairly and lawfully. When sensitive personal information is collected, used, or disclosed, the data subject must provide implicit or explicit consent, and the organization must retain that consent, unless a law or regulation requires otherwise.
Use, Retention, and Disposal
Personal information collected by the organization should be used only for the intended purposes for which it was obtained, and it should not be retained any longer than needed to fulfill the stated purpose. Retaining personal information longer than needed increases the organization’s risk of unauthorized access, unauthorized disclosure, or data breach. During the retention period, personal information must be protected from deletion, unauthorized modification, or destruction. At the end of the retention period, personal information must be securely disposed of in a manner that prevents unauthorized access or disclosure.
Access
The organization must authenticate data subjects before giving them physical or electronic access to their personal information for review and update. If access is denied, the reason for the denial must be provided in a timely manner. Data subjects must be given the ability to update their personal information; if an update is denied, the organization must communicate the reasons for the denial and how the data subject may appeal.
Disclosure and Notification
The organization may disclose personal information to third parties only with the data subject’s implicit or explicit consent obtained prior to disclosure. Personal information must be disclosed only to third parties that have agreements in place to protect it in a manner consistent with the organization’s own privacy notice or other specific instructions or requirements. A record of authorized and unauthorized disclosures (including breaches) must be created and maintained completely, accurately, and in a timely manner. The organization should document an incident response plan that guides employees through the procedures for reporting security failures and incidents.
The organization must obtain privacy commitments from vendors and other third parties, and it should periodically assess their compliance, either itself or through a third-party auditor. Corrective action must be taken as necessary to remediate any deficiencies noted, and other remedial action must be taken if the third party is in breach of its agreements. The organization must also obtain commitments from vendors and other third parties to notify it in the event of an unauthorized disclosure of personal information.
As part of its incident response plan, the organization must have a process in place to notify affected data subjects, regulators, and others of breaches and incidents as required. The organization must maintain an inventory of the personal information it holds and of its disclosures to third parties so that this information can be made available to the data subject upon request.
Quality
Personal information collected by the organization must be relevant, complete, and accurate for the purposes for which it is used to meet the organization’s objectives. This is accomplished by giving the data subject the ability to update their personal information as necessary and by performing adequate due diligence on the third-party sources used.
Monitoring and Enforcement
The organization must provide data subjects with contact information so that inquiries, complaints, and disputes can be communicated to it, and it must have a process in place to address them in a timely manner. The organization must monitor the effectiveness of its controls over personal information and its compliance with privacy objectives, and it must remediate identified issues in a timely manner. Being able to document and track inquiries, complaints, and disputes through to their resolution helps to meet the criteria in this area.
Summary
Under a SOC 2 examination, the trust services criteria for privacy are only necessary if the service organization creates, collects, transmits, uses, or stores personal information, or interacts with the data subject. Including the privacy criteria in your SOC 2 audit for privacy and data security gives your existing customers confidence that their personal information is protected, and it provides assurance to potential customers that you have controls in place that are operating effectively to protect their personal information.
Linford and Company can assist your organization in providing a readiness assessment for implementation of the privacy criteria among other services such as SOC 1, SOC 2, FedRAMP, HITRUST, or HIPAA audits. If you would like to learn more, please contact us.
Becky McCarty has over 20 years of experience in internal controls, audit, and advisory services. She specializes in SOC 1 and SOC 2 examinations for Linford & Co., LLP. Becky completed a Bachelor’s degree in Business Administration (Accounting) and a Master of Science degree in Management Information Systems. She worked 6 years with KPMG LLP commencing in 1999, worked several years in the energy industry, and joined Linford & Co., LLP in 2018. Becky also served 9 years on the Board of Directors for a home healthcare nonprofit. She works closely with clients so that the examinations are performed efficiently and with minimal disruption while ensuring performance in accordance with professional guidance. She enjoys helping clients successfully achieve the requirements for their SOC compliance efforts based on their objectives and/or applicable trust services criteria.