SOC reports for Privacy
SOC 2 reports for Privacy
Privacy has grabbed the attention of Boards of Directors as regions look to implement privacy regulation and compliance standards similar to GDPR. Privacy is the new buzzword, and the potential impact is very real. Personal data is processed for political and economic reasons without users' consent, as happened in the Cambridge Analytica case. In view of the recent incidents, privacy laws are changing and, going forward, they may become more stringent. It may be prudent for organizations to be more proactive and adopt measures for Privacy Governance.
THE SOC 2 PRIVACY CRITERIA
To demonstrate their privacy-related controls, organizations can include the privacy criteria in the scope of their SOC 2 report. Controls addressing other specific laws can also be included as Additional Subject Matter. The broad requirements of the AICPA Privacy Criteria are described in the following paragraphs. Many of these requirements align with legislation such as the EU GDPR. In the wake of such new privacy mandates, organizations are encouraged not only to include the privacy criteria in their own SOC 2 report but also to demand that their vendors include them in their SOC 2 reports.
SOC 2 DESCRIPTION FOR PRIVACY
When making such disclosures, it may also be helpful to users of the report if service organization management describes the purposes, uses, and disclosures of personal information permitted by user entity agreements.