Following up on an article we posted last July regarding changes to the American Institute of Certified Public Accountants (AICPA) Trust Services Principles and Criteria (TSP Section 100), best known as the SOC 2 criteria, significant changes to the privacy principle were expected to be in effect for periods ending on or after March 15, 2016. However, the final approved privacy principle and criteria have yet to be issued, with the effective date still looming. For service organizations that currently receive a SOC 2 report – and for those who are preparing to begin the process and are including the privacy principle in the scope of coverage – we recommend that you carefully assess the proposed changes to the privacy principle and the respective criteria as you embark on this year’s exam. Are you ready for the proposed changes?
SOC 2 Privacy Changes
According to the Assurance Services Executive Committee (ASEC) of the AICPA, the most significant changes to the privacy principle are:
New set of privacy criteria. This is clearly the biggest change. Under the current approved version of the TSP, the privacy principle and criteria were derived from the AICPA’s “Generally Accepted Privacy Principles” (GAPP). In the near future, the privacy criteria will encompass the common criteria applicable to all principles plus unique privacy criteria, similar to the unique criteria specified for the confidentiality, processing integrity, and availability principles.
Addition of illustrative risks and controls related to privacy to Appendix B, “Illustrative Risks and Controls,” covering the additional privacy criteria, examples of risks that could prevent the privacy criteria from being met, and controls designed to address those risks. In addition, certain revisions have been made to the illustrative risks and controls for the common criteria to conform to the additional privacy criteria.
The new proposed privacy criteria, as compared to GAPP, reduce the number of privacy principles from 10 to 8, and the number of criteria from 73 to approximately 20. However, don’t let this lead you to think that the privacy criteria will cover less or be any “easier.” The reality is that the reduction in number of criteria simply eliminated many redundancies that existed in GAPP. Also keep in mind that you may need to add or modify some controls to continue meeting the common criteria, since those criteria now address privacy as well (if the privacy principle is covered in your SOC exam).
If you haven’t already read the proposed changes to privacy, we highly encourage you to do so in order to understand how they impact the exam and potentially your environment.
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us.