SOC 2 Privacy: Are You Ready for the Changes?

Following up to an article we posted last July regarding changes to the American Institute of Certified Public Accountants (AICPA) Trust Services Principles and Criteria (TSP Section 100), best known as the SOC 2 criteria, significant changes to the privacy principle were expected to be in effect for periods ending on or after March 15, 2016.  However, the final approved privacy principle and criteria have yet to be issued, with the effective date still looming.  For service organizations who currently receive a SOC 2 report – and for those who are preparing to begin the process and are including the privacy principle in the scope of coverage – we recommend that you carefully assess the proposed changes to the privacy principle and the respective criteria as you embark on this year’s exam.  Are you ready for the proposed changes?

SOC 2 Privacy Changes

According to the Assurance Services Executive Committee (ASEC) of the AICPA, the most significant changes to the privacy principle are:

  • New set of privacy criteria.  This is clearly the biggest change.  Under the current approved version of the TSP, the privacy principle and criteria was derived from the AICPA’s “Generally Accepted Privacy Principles” (GAPP).   In the near future, the privacy criteria will encompass the common criteria applicable to all principles plus unique privacy criteria, similar to the unique criteria specified for the confidentiality, processing integrity, and availability principles.
  • Adds illustrative risks and controls related to privacy to Appendix B, “Illustrative Risks and Controls,” to include the additional privacy criteria and examples of risks that could prevent the privacy criteria from being met, as well as controls designed to address those risks. In addition, certain revisions have been made to the illustrative risks and controls for the common criteria to conform to the additional privacy criteria.

The new proposed privacy criteria, as compared to GAPP, reduce the number of privacy principles from 10 to 8, and the number of criteria from 73 to approximately 20.  However, don’t let this lead you to think that the privacy criteria will cover less or be any “easier.”  The reality is that the reduction in number of criteria simply eliminated many redundancies that existed in GAPP.  Also keep in mind that you may need to add or modify some controls to continue meeting the common criteria, since those criteria now address privacy as well (if the privacy principle is covered in your SOC exam).

If you haven’t already read the proposed changes to privacy, you are highly encouraged to do so (click here for a PDF) in order to understand how they impact the exam and potentially your environment.

Please contact our SOC experts in Columbus, OH or Pittsburgh, PA to find out more on how the proposed privacy changes my impact your control environment and visit our SOC page for more information on SOC reports and how they can help your organization.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2021 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
What Evidence Is Requested During SOC 2 Audits?
Do I Need a SOC 2 Type 1 Before a SOC 2 Type 2?
Why Do CPA Firms Perform SOC 2 Audits?
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.