Should Your SOC 2 Include Privacy as a Trust Service Category?
If you’ve ever dieted before, you know the temptation to add something extra to your meal—you know, something actually tasty, or just something else that you believe will satisfy a craving.
Whether that’s always the best decision remains to be seen. After all, do you really need those sweets or that bread? Will it help you in the long run? (If you’re measuring by happiness metrics, it probably would!)
The same choice—to include or to not include—often vexes organizations preparing for a SOC 2 examination. As they select their trust service categories, we get specific questions about whether or not our clients should be tested for privacy as well.
As SOC 2 service providers since its inception, we’ve become proficient in discerning which organizations should include privacy in their SOC 2 examinations, as well as those who shouldn’t. If you’re considering whether privacy is right for you, let us help simplify that decision.
We’re going to break down this category for you completely in this article—you’ll learn what it contains and why people consider its inclusion for their SOC 2, as well as the advantages and drawbacks to doing so. All that information will clarify whether the Privacy Trust Service Category belongs on your SOC 2 plate, or if you should instead consider alternatives when it comes to that type of data compliance.
Why Should You Include Privacy in Your SOC 2 TSCs?
This is the critical question, of course. Your answer will depend on two important factors:
- The market: If your existing customers or prospects have indicated that they’d like to see a SOC 2, they likely also specified which categories they expect to be in scope—privacy, of course, being one of those.
- Service level agreements: Almost more important than the desires of your customers is what you’ve contractually agreed to do regarding the safeguarding of personally identifiable information.
You may be an organization that processes lots of data—perhaps even sensitive or regulated data, which may or may not include the personally identifiable information (PII) of individuals. If you are handling PII, more than likely you’ve had to make particular statements to the marketplace indicating that you can be trusted with that type of information.
It could be reckless to possess that kind of data without offering any assurance at all as to how you’re protecting it from unauthorized access, disclosure, or destruction.
A SOC 2 represents a great way to publicize how you safeguard the data in your charge, and the inclusion of the privacy category within yours hinges on the PII aspect. If you do manage it, then this TSC might be for you. If not, leave it off your plate.
That’s because the 18 criteria specific to the privacy category all involve what is generally referred to as the PII lifecycle. That lifecycle includes the:
- Collection of;
- Use of;
- Retention of;
- Disclosure of; and
- Destruction or disposal of PII.
This lifecycle is sometimes referred to as CURDD. If your organization is responsible for any aspect of any of those facets, you are part of this lifecycle, and the privacy category is relevant to your SOC 2.
What is Examined in the Privacy Trust Service Category?
If you’re now leaning towards including privacy, it helps to understand exactly what your assessors will examine as part of it:
- Relevant policies and procedures: You need to maintain and have these in place regarding the overall safeguarding and management of that PII. That will likely include internal documents and certain external ones:
- Privacy Practices: This is the most common way organizations communicate their PII security measures to the outside world—including the data subjects. Also known as a privacy notice, this is often provided through the company website.
- Specific logical access and IT security: How do you actually protect personally identifiable information? These controls could include:
- Authentication and authorization mechanisms
- Detection and notification systems that alert system administrators when unauthorized access to that information has occurred
- Notification procedures in the event of unauthorized disclosure
- Monitoring controls (a requirement for compliance on an ongoing basis)
But you shouldn’t regard these items and the other criteria as a mere checklist of 18 things that need to get done. As with the other SOC 2 categories, you’ll need to go back to the specific service level agreements or commitments related to privacy that you made in your privacy notice and ensure that you have controls in place to satisfy each of them.
For example, if you promise that, in the event of a breach of PII, you will notify affected parties within 48 hours, that becomes a particular requirement that will be in the scope of your SOC 2 examination. If you’ve indicated that you’ll destroy or purge all PII within 60 days of account cancellation, that’s another specific commitment you’ve made that will also be included within your SOC 2 scope.
All in all, you can expect what you commit to in your privacy notice to align almost exactly with what will become part of your audit. The more you promise, the more will be evaluated.
What are the Advantages of Including the Privacy Category in Your SOC 2?
- Effective Communication of Your Safeguards: Including privacy in your SOC 2 would answer the question for your customers and other interested parties as to how you’re safeguarding particularly sensitive data.
- Opportunity for Improvement: The results of a SOC 2 with privacy will reveal to your management whether or not your controls related to PII are adequate. If not, they’d have the opportunity to revise and mature those controls so that personally identifiable information is protected in the way you’ve committed to.
What are the Drawbacks of Including Privacy in Your SOC 2?
- The Number of Criteria: Aside from the Common Criteria (included in the Security category)—required in every SOC 2—which has 33 criteria, the privacy category contains the most criteria with 18. In fact, it’s more than all your other possible categories combined (Processing Integrity: 5, Availability: 3, Confidentiality: 2).
- The Amount of Work: Given that, including privacy would mean a lot of extra work. You’ll need to make sure that you have an effective privacy information management system or a privacy program in place, and that it will stand up to the rigor of an assessment like SOC 2.
- For this reason, we recommend organizations review privacy category criteria and conduct an internal assessment to determine their readiness before engaging with a third party like Schellman.
- However, we should say that if you have already completed a SOC 2 audit—particularly if you previously included any of the other categories along with Security—you likely have the infrastructure to mitigate at least some of the level of effort that adding the privacy criteria would require. (The same is true if you previously pursued another kind of privacy assessment.)
Alternatives to the Privacy Category in SOC 2
With such seemingly evenly matched pros and cons, you may still be on the fence about whether to include these criteria within your next SOC 2 examination. Though the privacy category would allow you to tell the story of your relevant practices, it does represent a lot of work.
But if you do handle PII and would like to provide assurances, there are also alternative paths you can take—perhaps even ones you should take. Regarding privacy compliance, consider these alternate routes:
Many of the organizations we speak to that are grappling with this debate opt to obtain ISO 27701 certification rather than include privacy as a SOC 2 TSC. Before you make your decision, read our complete guide on ISO 27701 to determine whether it is the right move for you.
And if, after consuming all that content regarding the services available, you still find you have questions, please reach out to us so our team of experts can address the concerns you have regarding compliance and PII.
About RYAN BUCKNER
Ryan Buckner is a Principal and Chief Knowledge Officer at Schellman. Ryan currently serves on Schellman’s attestation leadership team and leads the firm-wide research and development for attestation methodology. Ryan is a CIPP, CISSP, CISA, and ISO 27001 Lead Auditor, and maintains multiple CPA licenses, among other certifications. Ryan is also an AICPA-approved and nationally listed Peer Review Specialist for SOC examinations. Having directly performed and completed over 1,000 service audits, Ryan is one of the most experienced service auditors in the world.