Reducing Privacy Risk with SOC 2®
Privacy compliance is centered on controlling the use of PII (Personally Identifiable Information) from your customers, clients, and, in some cases, employees. The definition of PII varies but is generally information that identifies, or is reasonably capable of being associated with, a person. Privacy laws typically define:
- allowed purposes for collecting, using, or sharing PII.
- disclosure requirements.
- consent requirements.
- individuals’ rights to access, delete, or correct their PII.
- penalties for violations.
About SOC 2®
The System and Organization Controls (SOC) 2 attestation audit assesses the controls, processes, and procedures a business uses to protect sensitive data and critical systems and services. The audit may cover up to five trust service criteria (TSCs): security, availability, confidentiality, processing integrity, and privacy. The security criteria, which must be included in every SOC 2® Attestation, evaluate basic security and operational controls. This includes access control, risk assessment, and change management policies, as well as technical controls such as encryption, access control, authentication, and data loss prevention.
Privacy TSC within SOC 2®
Although security is important, it is only one of many requirements in privacy laws. The SOC 2® Privacy trust service criteria cover the rest. A SOC 2® Privacy Attestation audits an organization on how it discloses and obtains consent for the collection of PII, how access to PII is controlled, and how policies governing the use, retention, and disposal of PII are designed and whether they are operating effectively as designed. If your business is subject to GDPR, CCPA, or similar laws, a SOC 2® Attestation covering the security and privacy TSCs can measure your current compliance posture against the internal controls designed to ensure compliance.
Challenges in privacy and regulations
Technical measures may be more effective at preventing data breaches, but lax policies and procedures introduce significant regulatory risk. It is much easier for a regulator to check your website for a privacy policy, collection notice, and opt-out instructions than to conduct a security review of your technical controls. Policies and technical controls both play a role in GDPR compliance fines. Most fines have been for violations of the provisions on the lawfulness of processing and the security of processing PII. The biggest fines, however, tend to follow data breaches that expose PI. An exacerbating factor is that, in the event of a breach, regulators may choose to audit or investigate the business's security and privacy controls and find additional violations, which could increase the fines. A SOC 2® Attestation covering both the security and privacy trust service criteria can significantly reduce an organization’s cybersecurity and privacy risk.
Additional TSCs
Including the other trust service criteria in your audit will also help document your compliance structure and make sure you are protecting PI. Confidentiality requirements are similar to privacy requirements but typically cover specific types of personal information, such as personal health information (PHI) and personal financial information (PFI). Availability and processing integrity are concerned with whether the information or system is available when it is needed and whether the information has been modified or corrupted during processing. All of these concerns may be covered by requirements in various privacy regulations.
SOC 2® and GDPR
GDPR contains many requirements that are mirrored in the SOC 2® trust services criteria. For example, Article 5 of the GDPR defines principles relating to the processing of personal data, which include transparency, consent, and the rights of data subjects to access, correct, or request deletion of their PI. These map easily to SOC 2® privacy criteria such as notice and communication, choice and consent, and access. If your organization is subject to the GDPR, you can use the GDPR requirements to frame your privacy criteria controls and use your SOC 2® report to attest to how your program complies with the GDPR.
Benefits of SOC 2® Attestation
By improving security controls to support a stronger attestation, organizations reduce the likelihood of a data breach; by improving privacy controls, they reduce their risk of fines. Data breaches are costly on their own: IBM’s Cost of a Data Breach Report 2020 estimated that the average cost of a US data breach was more than $8.5 million. Breaches that expose PI cost even more because of the fines allowed under the new privacy laws. Additionally, many companies now require third-party vendors to provide SOC 2® reports. If your customers have not already asked for your SOC 2® report, they may soon.
Streamlining SOC 2® Attestation audits with ControlCase
SOC 2® attestations may be increasingly necessary, but they do not have to be cumbersome. ControlCase’s Compliance as a Service is an efficient and cost-effective way to reduce audit cost, offload compliance monitoring responsibilities from your IT team, and reduce the likelihood that your organization will suffer data breaches or incur fines for noncompliance with privacy regulations.
We use our One Audit™ methodology to collect evidence and assess risk controls once, then map those controls across multiple regulations and frameworks such as SOC 2®, GDPR, CCPA, PCI DSS, ISO 27001 and 27002, HIPAA, NIST, FedRAMP, and more.
ControlCase is not a CPA firm and cannot provide SOC 2® Attestations. We can, however, assess your organization’s readiness for a SOC 2® Attestation audit, provide guidance, and automate evidence collection. We partner with select CPA firms that use the ControlCase platform to provide clients with SOC 2® Attestation Reports.