Should You Include Privacy in Your Next SOC 2?

If you're considering a SOC 2 examination, you already know that you have options when it comes to which Trust Services Categories you would like to have in scope. The common criteria, also known as the Security category, are the baseline, and you can add any of the other four to it:

  • Security category
  • Availability category
  • Processing integrity category
  • Confidentiality category
  • Privacy category

If you'd like a plain-English explanation of what's involved in the Privacy category and whether or not it makes sense to include it in your next SOC 2 examination, you've come to the right place. Let's get started.

Hi, this is Ryan Buckner, chief knowledge officer for Schellman. So you're wondering whether or not you should include privacy in your next SOC 2 examination? That's an important question, and there are really two drivers behind that decision:

1. Customer Requirements
The first is simple: you need to include it if your customers say you do. That matters because no organization is required to include any particular SOC 2 category in the scope of its assessment. The common criteria, the 33 criteria that make up the Security category, are more or less standard fare for every SOC 2 examination. Whether you add Availability, Processing Integrity, Confidentiality, or Privacy on top of that comes down to what your customers and the users of your system expect to see. For Privacy specifically, the question is whether they expect assurance over how you handle personally identifiable information (PII).

2. Commitments You Made
The second driver is the promises you have made: the service commitments and system requirements you have stated regarding the safeguarding of personally identifiable information. In other words, the scoping decision should respond to what your interested parties are actually asking of your organization. If you have customers, prospective customers, or regulators interested in how you safeguard personal data, then including the Privacy category makes sense for you.

If your organization is primarily business-to-business and focused on safeguarding the business data of its partners, whether vendors, other third parties, or customers, then the Confidentiality category probably makes more sense.

However, if your organization processes personally identifiable information collected directly from consumers or data subjects, then you would absolutely want to consider including the Privacy category within the scope of your SOC 2.

By far, most organizations that pursue a SOC 2 assessment do not include the Privacy category. They usually start with just the Security category and then build on it in response to specific customer demand. If you do process personally identifiable information, the likelihood that your interested parties (your business partners and your prospective and existing customers) will want to know how you safeguard it is very high. Even so, it is not accurate to say that processing personally identifiable information by itself makes the Privacy category mandatory. Many organizations would expect it, but you have the flexibility to include it at a later date or not at all.

I know what we just covered could be rather complex and maybe even a bit confusing. There are 18 criteria specific to the Privacy category, and you're likely to have more questions beyond the ones we covered today. If you have any additional questions related to the Privacy category or any other SOC 2 category, go to our website and use the contact form to reach a specialist today.

About the Author

Ryan Buckner

Ryan Buckner is a Principal and Chief Knowledge Officer at Schellman. Ryan currently serves on Schellman’s attestation leadership team and leads the firm-wide research and development for attestation methodology. Ryan is a CIPP, CISSP, CISA, ISO 27001 Lead auditor, and maintains multiple CPA licenses, among other certifications. Ryan is also an AICPA-approved and nationally listed Peer Review Specialist for SOC examinations. Having directly performed and completed over 1,000 service audits, Ryan is one of the most experienced service auditors in the world.
