Nov 2, 2021

Privacy and SOC 2

Learn the 8 privacy principles you need to have in place in your company to be SOC 2 compliant for data privacy.

With privacy taking the headlines for legislative developments in California, fines in Europe and the growing interest in privacy among consumers it is only fair that the AICPA has included privacy as one of its criteria for SOC 2.

Generally, the privacy criterion is defined as “Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives”. Note that the scope of this criterion relates only to personal information and not information in general.

If you want a full description of what this means, you can read the original SOC 2 Trust Services Criteria document and the Generally Accepted Privacy Principles developed by the Privacy Task Force organized by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).

In short, the CPA firm will check your compliance with 8 principles:

Notice

You should be transparent with your customers about your privacy practices. 

In most cases this means that you should engage qualified legal counsel to draft a privacy notice covering at least:

  • The purpose of processing
  • Choice and consent
  • Type of personal information collected
  • Methods of collection
  • Your practices relating to use, retention, and disposal of data
  • Availability of data for access by your customers
  • To whom you disclose the data and to what extent
  • Your security practices
  • How you ensure that the data is accurate, complete and relevant
  • How you monitor compliance with your policy

You will notice that most of these sections reiterate the principles below. This is not a mistake — the privacy notice is a public promise to your users and is a representation of the state of your internal compliance practices.

Choice and consent

Whenever your organization obtains explicit or implicit consent from its users, you should be clear as to (1) the available choices and (2) the consequences of denying or withdrawing consent. Use of information is limited to the intended purpose, unless your customer has provided consent to processing for a new purpose.

In practice, this means that your frontend should make it clear what choices a user has. Some do it in their privacy notice — which is totally fine — but the current trend is to provide just-in-time, contextually relevant notices through pop-ups. Internally, you should always keep track that the information collected for one purpose is not accidentally used for another without proper notice and consent from the user.

Collection

This principle requires you to collect data from lawful sources while ensuring the accuracy of data obtained. You should also collect only the data necessary for the stated objectives. Doing otherwise subjects your customers to unnecessary dangers of leaks of information that was collected “just in case”.

Practically speaking, you should regularly audit your data acquisition practices so that you do not collect excessive scopes of data and that your suppliers are collecting data in a sustainable way.

Use, retention, and disposal

It has been a long-standing norm in cybersecurity to keep data only for the amount of time necessary to achieve the stated purpose. This principle has been adopted by privacy advocates as well. 

In addition, you should prevent “purpose spillover” where data collected for one purpose is used for another. 

Finally, you should keep track of data deletion requests and honor them.

Consequently, you should ensure you have proper access control systems and deletion procedures — either voluntarily when the data is no longer needed or upon a data subject’s (customer/employee/etc.) request.
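The purpose-limitation and retention requirements described under "Choice and consent" and "Use, retention, and disposal" above, shown as an added Python example (not code from the original post, and not a certified SOC 2 control): a store that tags each record with the purposes the subject consented to, refuses reads for any other purpose, trims purposes as consent is withdrawn or retention windows lapse, and erases records on a data-subject request. The class and method names, the purposes, the retention periods and the sample records are all constructed for this example.

```python
"""Purpose-bound personal data store with retention and deletion handling.

Example code added to illustrate the principles above; names, purposes and
retention periods are assumptions, not prescribed by SOC 2 or the GAPP.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class PurposeViolation(Exception):
    """Data collected for one purpose was requested for another."""


@dataclass
class Record:
    subject_id: str
    data: dict            # field name -> value
    purposes: set         # purposes the subject has consented to
    collected_at: datetime
    deleted: bool = False


class PersonalDataStore:
    def __init__(self, retention: dict):
        self.retention = retention     # purpose -> maximum retention period
        self.records: dict = {}
        self.audit: list = []          # (event, ...) tuples for compliance review

    def collect(self, record_id, subject_id, data, purposes, now):
        # Refuse to collect for a purpose that has no retention policy.
        unknown = set(purposes) - set(self.retention)
        if unknown:
            raise ValueError(f"no retention policy for purposes {sorted(unknown)}")
        self.records[record_id] = Record(subject_id, dict(data), set(purposes), now)

    def access(self, record_id, purpose, now):
        rec = self.records[record_id]
        if rec.deleted:
            raise KeyError(record_id)
        if purpose not in rec.purposes:
            # "Purpose spillover": the read is denied and logged.
            self.audit.append(("denied", record_id, purpose, now))
            raise PurposeViolation(f"{record_id} not consented for {purpose}")
        self.audit.append(("read", record_id, purpose, now))
        return dict(rec.data)

    def withdraw_consent(self, record_id, purpose, now):
        rec = self.records[record_id]
        rec.purposes.discard(purpose)
        self.audit.append(("withdraw", record_id, purpose, now))
        if not rec.purposes:
            self._erase(record_id, "no remaining purpose", now)

    def purge_expired(self, now):
        """Drop purposes whose window lapsed; erase records with none left."""
        purged = []
        for rid, rec in self.records.items():
            if rec.deleted:
                continue
            expired = {p for p in rec.purposes
                       if now - rec.collected_at > self.retention[p]}
            rec.purposes -= expired
            if not rec.purposes:
                self._erase(rid, "retention expired", now)
                purged.append(rid)
        return purged

    def handle_deletion_request(self, subject_id, now):
        erased = [rid for rid, rec in self.records.items()
                  if rec.subject_id == subject_id and not rec.deleted]
        for rid in erased:
            self._erase(rid, "subject request", now)
        self.audit.append(("deletion_request", subject_id, len(erased), now))
        return erased

    def _erase(self, record_id, reason, now):
        rec = self.records[record_id]
        rec.data.clear()
        rec.purposes.clear()
        rec.deleted = True
        self.audit.append(("erased", record_id, reason, now))


def demo():
    """Walk through the store with two constructed records."""
    t0 = datetime(2021, 11, 2, tzinfo=timezone.utc)
    store = PersonalDataStore({"order_fulfilment": timedelta(days=30),
                               "marketing": timedelta(days=365)})
    store.collect("r1", "u1", {"email": "u1@example.com"},
                  {"order_fulfilment", "marketing"}, t0)
    store.collect("r2", "u2", {"email": "u2@example.com"}, {"marketing"}, t0)
    out = {"marketing_read": store.access("r1", "marketing", t0)["email"]}
    try:
        store.access("r1", "analytics", t0)
        out["spillover_blocked"] = False
    except PurposeViolation:
        out["spillover_blocked"] = True
    store.withdraw_consent("r1", "marketing", t0 + timedelta(days=1))
    try:
        store.access("r1", "marketing", t0 + timedelta(days=1))
        out["withdrawal_honoured"] = False
    except PurposeViolation:
        out["withdrawal_honoured"] = True
    out["purged_after_31_days"] = store.purge_expired(t0 + timedelta(days=31))
    out["deleted_on_request"] = store.handle_deletion_request("u2", t0 + timedelta(days=31))
    out["r2_erased"] = store.records["r2"].deleted and store.records["r2"].data == {}
    return out


if __name__ == "__main__":
    print(demo())
```

The audit list is what an internal compliance review (the "Monitoring and enforcement" principle) would sample: every denied read, consent withdrawal, expiry and deletion request leaves a timestamped entry, so the claims in the privacy notice can be checked against what the system actually did.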

Access

The data subject should be properly authenticated in order to access the relevant records. If access is denied, the data subject should be informed of this. This ensures that the data subject stays in control and has full understanding of the scope of information processed. Furthermore, the data subject should be given the ability to correct the relevant data if it is erroneous or outdated.

This means that you will have to develop internal user authentication procedures for requests as well as provide a convenient way to send access and correction requests to you.

Disclosure and notification

This is probably the most extensive of the principles. It limits, and provides safeguards for, the sharing of information across businesses.

It states that data may be shared outside of your company only subject to consent of your customers. Furthermore, the recipient should be subject to a data transfer agreement that provides assurances from the recipient that it will ensure the proper level of protection and will handle the data consistently with the donor’s privacy notice or instructions and requirements.

In case of breach, the entity shall provide notices to all those whose data has been exposed, in addition to regulators and other stakeholders.

Consequently, in order to comply, you should always conclude data-transfer agreements when sharing your data. Furthermore, you should have a data-breach response policy which includes proper notification procedures.

Quality

To ensure data quality is to maintain an up-to-date and complete set of data relating to the people you hold data on. This principle has to be balanced against other privacy interests because the people whose data you hold may want to keep some of it private. For example, it would not make sense for a web forum to constantly ask its users to send pictures of their ID to make sure that their last name has not changed since signing up for the service.

This means that you have to assess the risks that may materialize if you get the data wrong. Where the risk warrants it, develop procedures to re-verify the data submitted.

Monitoring and enforcement

All of the above is useless if the company does not commit itself to keeping tabs on its promises and procedures. 

Therefore, you should have periodic internal compliance audits as to whether the other 7 principles are complied with. Additionally, your organization should be able to handle data subject requests, queries, and disputes.

All in all, the SOC 2 privacy criterion can serve as a nationwide baseline of privacy compliance in the absence of federal legislation.

Indeed, it is a point of agreement between major businesses that SOC 2 stands on par with ISO and NIST compliance frameworks. For example, Facebook regularly audits its clients as to data protection compliance and SOC 2 is a quick way to respond to its concerns. It is also an approximation to the European GDPR, meaning you will not have to rebuild your system from scratch if you decide to expand into European markets.

Author
Oleg
Oleg is an expert with more than 6 years of experience in privacy and data protection. Certified CIPP/E and CIPM by IAPP. Currently a DPO of a giant e-commerce marketplace with 400M+ users.
