Following up on an article we posted last July regarding changes to the American Institute of Certified Public Accountants (AICPA) Trust Services Principles and Criteria (TSP Section 100), best known as the SOC 2 criteria, significant changes to the privacy principle were expected to be in effect for periods ending on or after March 15, 2016. However, the final approved privacy principle and criteria have yet to be issued, with the effective date still looming. For service organizations that currently receive a SOC 2 report – and for those preparing to begin the process and including the privacy principle in the scope of coverage – we recommend that you carefully assess the proposed changes to the privacy principle and the respective criteria as you embark on this year’s exam. Are you ready for the proposed changes?
SOC 2 Privacy Changes
According to the Assurance Services Executive Committee (ASEC) of the AICPA, the most significant changes to the privacy principle are:
- New set of privacy criteria. This is clearly the biggest change. Under the current approved version of the TSP, the privacy principle and criteria were derived from the AICPA’s “Generally Accepted Privacy Principles” (GAPP). In the near future, the privacy criteria will encompass the common criteria applicable to all principles plus unique privacy criteria, similar to the unique criteria specified for the confidentiality, processing integrity, and availability principles.
- Adds illustrative risks and controls related to privacy to Appendix B, “Illustrative Risks and Controls,” to include the additional privacy criteria and examples of risks that could prevent the privacy criteria from being met, as well as controls designed to address those risks. In addition, certain revisions have been made to the illustrative risks and controls for the common criteria to conform to the additional privacy criteria.
The new proposed privacy criteria, as compared to GAPP, reduce the number of privacy principles from 10 to 8, and the number of criteria from 73 to approximately 20. However, don’t let this lead you to think that the privacy criteria will cover less or be any “easier.” The reality is that the reduction in number of criteria simply eliminated many redundancies that existed in GAPP. Also keep in mind that you may need to add or modify some controls to continue meeting the common criteria, since those criteria now address privacy as well (if the privacy principle is covered in your SOC exam).
If you haven’t already read the proposed changes to privacy, you are highly encouraged to do so in order to understand how they impact the exam and potentially your environment.
Please contact our SOC experts in Columbus, OH or Pittsburgh, PA to find out more on how the proposed privacy changes may impact your control environment, and visit our SOC page for more information on SOC reports and how they can help your organization.