866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

Should Your SOC 2 Include Privacy as a Trust Service Category? Blog Feature
RYAN BUCKNER

By: RYAN BUCKNER

Print/Save as PDF

Should Your SOC 2 Include Privacy as a Trust Service Category?

Privacy Assessments | SOC Examinations

If you’ve ever dieted before, you know the temptation to add something extra to your meal—you know, something actually tasty, or just something else that you believe will satisfy a craving.

Whether that’s always the best decision remains to be seen. After all, do you really need those sweets or that bread? Will it help you in the long run? (If you’re measuring by happiness metrics, it probably would!)

The same choice—to include or to not include—often vexes organizations preparing for a SOC 2 examination. As they select their trust service categories, we get specific questions about whether or not our clients should be tested for privacy as well.

As SOC 2 service providers since its inception, we’ve become proficient in discerning which organizations should include privacy in their SOC 2 examinations, as well as those who shouldn’t. If you’re considering whether privacy is right for you, let us help simplify that decision.

We’re going to break down this category for you completely in this article—you’ll learn what it contains and why people consider its inclusion for their SOC 2, as well as the advantages and drawbacks to doing so. All that information will clarify whether the Privacy Trust Service Category belongs on your SOC 2 plate, or if you should instead consider alternatives when it comes to that type of data compliance.

 

Why Should You Include Privacy in Your SOC 2 TSCs?

This is the critical question, of course. Your answer will need you to consider two important factors:

  • The market: If your existing customers or prospects have demonstrated that they’d like to see a SOC 2, they likely also specified what they’d like to see in-scope regarding the categories to be included—privacy, of course, being one of those.
  • Service level agreements: Almost more important than the desires of your customers is what you’ve agreed to do as per the safeguarding of personally identifiable information.
    • You may be an organization that processes lots of data—perhaps even sensitive or regulated data that may or may not include the data of personally identifiable information (PII) of individuals. If you are handling PII, more than likely you’ve had to make particular statements to the marketplace indicating that you can be trusted with that type of information.
    • It could be reckless to possess that kind of data without promising any assurance at all as to how you’re protecting it from unauthorized access, disclosure, or destruction.

A SOC 2 represents a great way to publicize how you safeguard the data in your charge, and the inclusion of the privacy category within yours hinges on the PII aspect. If you do manage it, then this TSC might be for you. If not, leave it off your plate.

That’s because the 18 criteria specific to the privacy category all involve what is generally referred to as the PII lifecycle—that lifecycle will include the:

  • Collection;
  • Use;
  • Retention;
  • Destruction or disposal of; and
  • Disclosure of PII.

Sometimes referred to as CURDD, if your organization is responsible for some or all or any aspect of any of those facets, that would deem you part of this lifecycle, making the privacy category relevant to your SOC 2.

What is Examined in the Privacy Trust Service Category?

If you’re now leaning towards including privacy, it’d help to understand what exactly will be examined as part of it. So what exactly will your assessors take a look at?

  • Relevant policies and procedures: You need to maintain and have these in place regarding the overall safeguarding and management of that PII. That will likely include internal documents and certain external ones:
    • Privacy Practices: This is the most common way organizations communicate their PII security measures to the outside world—including the data subjects. Also known as a privacy notice, this is often provided through the company website.
  • Specific logical access and IT security: How do you actually protect personally identifiable information? These controls could include:
    • Authentication and authorization mechanisms
    • Detection and notification systems that alert system administrators when unauthorized access to that information has occurred
  • Notification procedures in the event of unauthorized disclosure
  • Monitoring controls (a requirement for compliance on an ongoing basis)

But you shouldn’t regard these things and the other criteria as a mere 18 things that need to get done. As with the other SOC 2 categories, you’ll need to go back to the specific service level agreements or commitments related to privacy that you made in your privacy notice and ensure that you have controls in place to satisfy those.

For example, if you promise that, in the event of a breach of PII, you will notify affected parties within 48 hours, that becomes a particular requirement that will be in the scope of your SOC 2 examination. If you’ve indicated that you’ll destroy or purge all PII within 60 days of account cancellation, that’s another specific commitment you’ve made that will also be included within your SOC 2 scope.

All in all, you can expect what you commit to in your privacy notice to align almost exactly with what will become part of your audit. The more you promise, the more will be evaluated.

 

What are the Advantages of Including the Privacy Category in Your SOC 2?

 

  • Effective Communication of Your Safeguards: Including privacy in your SOC 2 would answer the question for your customers and other interested parties as to how you’re safeguarding particularly sensitive data.
  • Opportunity for Improvement: The results of a SOC 2 with privacy will reveal to your management whether or not your controls related to PII are adequate. If not, they’d have the opportunity to revise and mature controls to protect that personally identifiable information in the ways that you should.

What are the Drawbacks of Including Privacy in Your Soc 2?

  • The Number of Criteria: Aside from the Common Criteria (included in the Security category)—required in every SOC 2—which has 33 criteria, the privacy category contains the most criteria with 18. In fact, it’s more than all your other possible categories combined (Processing Integrity: 5, Availability: 3, Confidentiality: 2).
  • The Amount of Work: Given that, including privacy would mean a lot of extra work. You’ll need to make sure that you have an effective privacy information management system or a privacy program in place, and that it will stand up to the rigor of an assessment like SOC 2.
    • For this reason, we recommend organizations review privacy category criteria and conduct an internal assessment to determine their readiness before engaging with a third party like Schellman.
    • However, we should say that if you have already completed a SOC 2 audit—particularly if you previously included any of the other categories along with Security—you likely have the infrastructure to mitigate at least some of the level of effort that adding the privacy criteria would require. (The same is true if you previously pursued another kind of privacy assessment.)

Alternatives to the Privacy Category in SOC 2

With such seemingly evenly matched pros and cons, you may still yet be on the fence about whether to include these criteria within your next SOC 2 examination. Though the privacy category would allow you to tell the story of your relevant practices, it does represent a lot of work.

But if you do handle PII and would like to provide assurances, there are also alternative paths you can take—perhaps even ones you should take. Regarding privacy compliance, consider these alternate routes:

When it comes to the organizations we speak to that are grappling with this debate, they often opt to obtain ISO 27701 certification, rather than include privacy as a SOC 2 TSC. Before you make your decision, read our complete guide on ISO 27701 to ensure this isn’t also the right move for you.

And if, after consuming all that content regarding the services available, you still find you have questions, please reach out to us so our team of experts can address the concerns you have regarding compliance and PII.

About RYAN BUCKNER

Ryan Buckner is a Principal and Chief Knowledge Officer at Schellman. Ryan currently serves on Schellman’s attestation leadership team and leads the firm-wide research and development for attestation methodology. Ryan is a CIPP, CISSP, CISA, ISO 27001 Lead auditor, and maintains multiple CPA licenses, among other certifications. Ryan is also an AICPA-approved and nationally listed Peer Review Specialist for SOC examinations. Having directly performed and completed over 1,000 service audits, Ryan is one of the most experienced service auditors in the world.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.