With privacy taking the headlines for legislative developments in California, fines in Europe and the growing interest in privacy among consumers, it is only fair that the AICPA has included privacy as one of its criteria for SOC 2.
Generally, the privacy criterion is defined as “Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives”. Note that the scope of this criterion relates only to personal information and not information in general.
If you want a full description of what this means, you can read the original SOC 2 Trust Services Criteria document and the Generally Accepted Privacy Principles developed by the Privacy Task Force organized by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
In short, the CPA firm will check your compliance with 8 principles:
You should be transparent with your customers about your privacy practices.
In most cases this means that you should engage qualified legal counsel to draft a privacy notice covering at least:
You will notice that most of these sections reiterate the principles below. This is not a mistake — the privacy notice is a public promise to your users and is a representation of the state of your internal compliance practices.
Whenever your organization obtains explicit or implicit consent from its users, you should be clear as to (1) the available choices and (2) the consequences of denying or withdrawing consent. Use of information is limited to the intended purpose, unless your customer has provided consent to processing for a new purpose.
In practice, this means that your frontend should make it clear what choices a user has. Some do it in their privacy notice — which is totally fine — but the current trend is to provide just-in-time, contextually relevant notices through pop-ups. Internally, you should always keep track that the information collected for one purpose is not accidentally used for another without proper notice and consent from the user.
This principle requires you to collect data from lawful sources while ensuring the accuracy of data obtained. You should also collect only the data necessary for the stated objectives. Doing otherwise subjects your customers to unnecessary dangers of leaks of information that was collected “just in case”.
Practically speaking, you should regularly audit your data acquisition practices so that you do not collect excessive scopes of data and that your suppliers are collecting data in a sustainable way.
It has been a long-standing norm in cybersecurity to keep data only for the amount of time necessary to achieve the stated purpose. This principle has been adopted by privacy advocates as well.
In addition, you should prevent “purpose spillover” where data collected for one purpose is used for another.
Finally, you should keep track of data deletion requests and honor them.
Consequently, you should ensure you have proper access control systems and deletion procedures — either voluntarily when the data is no longer needed or upon a data subject’s (customer/employee/etc.) request.
The data subject should be properly authenticated in order to access the relevant records. If access is denied, the data subject should be informed of this. This ensures that the data subject stays in control and has full understanding of the scope of information processed. Furthermore, the data subject should be given the ability to correct the relevant data if it is erroneous or outdated.
This means that you will have to develop internal user authentication procedures for requests as well as provide a convenient way to send access and correction requests to you.
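As an added illustration of the retention, purpose-spillover, deletion and access-request points above (hypothetical code written for this page, not the AICPA's or any vendor's), here is a minimal Python store in which every use of a record must name a purpose the subject consented to, records past their retention period are disposed of, and deletion requests are honoured only for an authenticated data subject:

```python
# Added example, not from the original article: each record carries the purposes its subject consented to, a retention period and a deletion flag.
from dataclasses import dataclass
from datetime import datetime, timedelta

class PurposeViolation(PermissionError):
    """Raised when data collected for one purpose is used for another."""

@dataclass
class Record:
    fields: dict
    purposes: set            # purposes the data subject has consented to
    collected_at: datetime
    retention: timedelta     # how long the stated purpose needs the data
    deleted: bool = False

class PersonalDataStore:
    def __init__(self):
        self._records = {}
        self.audit = []      # evidence for the monitoring principle
    def store(self, subject_id, fields, purposes, collected_at, retention):
        self._records[subject_id] = Record(fields, set(purposes), collected_at, retention)
    def add_consent(self, subject_id, purpose):
        self._records[subject_id].purposes.add(purpose)
        self.audit.append(("consent", subject_id, purpose))
    def use(self, subject_id, purpose, now):
        rec = self._records[subject_id]
        if rec.deleted or now > rec.collected_at + rec.retention:
            raise LookupError(f"no live record for {subject_id}")
        if purpose not in rec.purposes:          # purpose spillover is refused here
            self.audit.append(("denied", subject_id, purpose))
            raise PurposeViolation(f"{subject_id} did not consent to {purpose!r}")
        self.audit.append(("use", subject_id, purpose))
        return rec.fields
    def purge_expired(self, now):            # disposal once the purpose is served
        expired = [sid for sid, r in self._records.items()
                   if not r.deleted and now > r.collected_at + r.retention]
        for sid in expired:
            self._delete(sid, "retention")
        return expired
    def handle_deletion_request(self, subject_id, authenticated):
        if not authenticated:                # only the authenticated subject may ask
            self.audit.append(("deletion_refused", subject_id, "unauthenticated"))
            return False
        self._delete(subject_id, "request")
        return True
    def _delete(self, subject_id, reason):
        rec = self._records[subject_id]
        rec.fields = {}          # wipe the personal data, keep the audit trail
        rec.deleted = True
        self.audit.append(("deleted", subject_id, reason))
```

The audit list is what an internal compliance review would sample to show that denied uses, disposals and refused requests were actually recorded.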
This is probably the most extensive of the principles. It limits, and provides safeguards for, sharing information across businesses.
It states that data may be shared outside of your company only subject to consent of your customers. Furthermore, the recipient should be subject to a data transfer agreement that provides assurances from the recipient that it will ensure the proper level of protection and will handle the data consistently with the donor’s privacy notice or instructions and requirements.
In case of breach, the entity shall provide notices to all those whose data has been exposed, in addition to regulators and other stakeholders.
Consequently, in order to comply, you should always conclude data-transfer agreements when sharing your data. Furthermore, you should have a data-breach response policy which includes proper notification procedures.
To ensure data quality is to maintain an up-to-date and complete set of data relating to the people you hold data on. This principle has to be balanced against other privacy interests because the people whose data you hold may want to keep some of it private. For example, it would not make sense for a web forum to constantly ask its users to send pictures of their ID to make sure that their last name has not changed since signing up for the service.
This means that you have to assess the risks that may materialize if you got the data wrong. Where the risk merits it, develop procedures to re-verify the data submitted.
All of the above is useless if the company does not commit itself to keeping tabs on its promises and procedures.
Therefore, you should have periodic internal compliance audits as to whether the other 7 principles are complied with. Additionally, your organization should be able to handle data subject requests, queries, and disputes.
All in all, the SOC 2 Privacy criterion can serve as a nation-wide baseline of privacy compliance in the absence of federal legislation.
Indeed, it is a point of agreement between major businesses that SOC 2 stands on par with ISO and NIST compliance frameworks. For example, Facebook regularly audits its clients as to data protection compliance and SOC 2 is a quick way to respond to its concerns. It is also an approximation to the European GDPR, meaning you will not have to rebuild your system from scratch if you decide to expand into European markets.