Privacy - GDPR, CCPA and SOC2


  • System and Organization Control (SOC)
  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)

California Consumer Privacy Act (CCPA)

  • effective January 1, 2020,
  • enacts the most stringent data privacy regulations thus far in the United States.
  • The CCPA's scope of protection exceeds that of the EU's General Data Protection Regulation (GDPR); however, if your business already meets GDPR compliance requirements, achieving CCPA compliance will not be difficult.

SOC 2 Privacy

  • In a SOC 2 privacy audit, the criteria apply to personal data, notably personally identifiable information (PII) such as health records, social security numbers, addresses, and credit card information.
  • The SOC 2 privacy criteria are applicable when the service organization interacts directly with the data subject, or collects, transmits, uses, or stores personal data.

  • A SOC 2 examination that incorporates the trust services privacy criteria will include the processes and controls that the service organization has in place to meet their privacy commitments and system requirements to its user entities.

  • The privacy criteria comprise eight categories that make up its requirements.
    • It encompasses the service organization’s privacy notice and the choices the data subject has over the use and disclosure of their personal information.
    • It also addresses the individual’s right to access their personal information for review and update, as well as incorporating the service organization’s mechanisms in place to track and resolve inquiries, complaints, and disputes.

SOC 2 uses the AICPA Trust Services Criteria (TSC) for Privacy.

  • These were formerly known as the Generally Accepted Privacy Principles (GAPP) by AICPA.
  • With approximately 50 points of focus, the TSC organizes the privacy criteria as:
    • Notice and communication of objectives — The entity provides notice to data subjects about its objectives related to privacy.
    • Choice and consent — The entity communicates choices available regarding the collection, use, retention, disclosure and disposal of personal information to data subjects.
    • Collection - The entity collects personal information to meet its objectives related to privacy.
    • Use, retention and disposal — The entity limits the use, retention and disposal of personal information to meet its objectives related to privacy.
    • Access — The entity provides data subjects with access to their personal information for review and correction (including updates) to meet its objectives related to privacy.
    • Disclosure and notification — The entity discloses personal information, with the consent of the data subjects, to meet its objectives related to privacy. Notification of breaches and incidents is provided to affected data subjects, regulators and others to meet its objectives related to privacy.
    • Quality — The entity collects and maintains accurate, up-to-date, complete and relevant personal information to meet its objectives related to privacy.
    • Monitoring and enforcement — The entity monitors compliance to meet its objectives related to privacy, including procedures to address privacy-related inquiries, complaints and disputes. Aside from the Trust Services Criteria Privacy Controls, any specific privacy mandates can also be covered.

SOC 2 Type 2 for Privacy Benefits

  • SOC 2 Type 2 can cover the entire year and the effectiveness of the controls in place.
  • It is a third-party period-of-time assessment and so provides accountability.
  • Most other assurance programs or audits are only at a point in time.
  • Since it is a period assessment, it is more like continuous compliance, with low risk and high reliability. It also provides assurance on the operating effectiveness of controls.
  • Comprehensive Framework for Privacy by AICPA.
  • Provides a high reliability SOC 2 Seal by AICPA.
  • SOC 2 provides better visibility, with detailed controls in the report, in contrast to the ISO 27001 and ISO 27701 standards, which provide just a certificate.

General Data Protection Regulation (GDPR)

  • took effect on May 25, 2018; enacted by the European Union (EU) to protect the privacy of the personal information of the citizens within its member states.
  • Any organization within or outside of the EU that collects, uses, processes, shares, or stores personal data of EU citizens must comply with GDPR or be subject to sanctions and fines that may be imposed.

The GDPR regulation, encompassing 11 chapters and 99 articles, gives individuals greater control over their personal information.

  • Personal data includes name, photo, social media posts, email address, IP address, medical history, etc.
  • Individuals have the right to be informed about, access, correct, dispute, or erase their personal data.
  • Under GDPR, controllers and processors of personal data are required to implement data security measures, maintain security over data processing, and provide breach notification to authorities and data subjects in a timely manner.

SOC 2 Privacy and GDPR Similarities

The SOC 2 Privacy criteria and GDPR have many similarities.

  • Both are geared toward protecting the personal information of the data subject.

  • privacy notice
    • SOC 2 Privacy criteria requires the service organization to inform the data subject about their privacy practices through a privacy notice that includes types of personal information collected and purpose of collection.
    • GDPR requires the organization to be transparent with the data subjects regarding the type of data being collected and processed as well as the reasons within their privacy policy.
  • data subject to provide consent
    • SOC 2 Privacy criteria requires the data subject to provide consent regarding the collection, use, retention, disclosure, and disposal of their personal information by the service organization.
    • GDPR requires that consent by the data subject must be obtained for the collection of their personal data, and in particular that the organization must obtain fresh consent whenever the data subject's personal data is to be processed beyond the original purpose.
  • collection limitation
    • SOC 2 Privacy criteria: The personal data collected should be limited to information needed to meet the objectives of the organization, and consistent with the organization’s privacy commitments and system requirements. Data collected from third parties should be evaluated to ensure its reliability and that it was lawfully collected.
    • GDPR: organizations should only collect and process the minimal amount of data required to achieve their purpose.
  • validation/editing of the quality of the data subject’s information
    • SOC 2 Privacy criteria: the organization validates the quality of the data subject’s information by allowing the data subject the ability to update their data as necessary, and by performing adequate due diligence on data gathered from third parties.
    • GDPR: requires that every reasonable step be taken by the organization to ensure the accuracy of the personal data, or to erase or correct it. Data subjects have the right to have the organization correct inaccurate personal data.
  • retention time
    • SOC 2 Privacy criteria: personal information should not be held any longer than it is needed to meet the organization’s objective.
    • GDPR: organizations are required to delete personal data when it is no longer needed.
    • Both require that personal data be securely disposed of.
  • integrity and confidentiality
    • The SOC 2 Privacy criteria and GDPR both require that personal data be appropriately secured to ensure the integrity and confidentiality of the data.
    • This may include encrypting and/or anonymizing the data.
  • data breach notification
    • Should a data breach occur compromising the data subject’s personal data, the SOC 2 Privacy criteria and GDPR require notification be made to the appropriate authorities and the data subject within a timely manner.

SOC 2 Privacy & GDPR Differences

Examples of SOC 2 Privacy and GDPR Differences

  • legally enforceable
    • GDPR is legally enforceable and extends to all organizations anywhere in the world that handle, store or process the personal data of EU citizens.
    • SOC 2 Privacy criteria is not legally enforceable and is primarily recognized in the United States.
  • right to be forgotten
    • GDPR
      • the concept of the data subject’s “right to be forgotten” was introduced, subject to interpretation.
      • If the data subject revokes their consent to the organization to process their data and requests the organization to erase and stop distributing their personal data, the organization must comply and purge the data.
      • This extends to the organization’s third parties to whom information was disclosed and requires the organization to take appropriate steps to notify such third parties to erase the subject’s personal data from their systems.
  • Sanctions and/or fines
    • SOC 2 Privacy criteria
      • as an elective assessment, non-compliance may lead to a qualified report and loss of trust by user entities and other readers of the report.
    • GDPR
      • the roles and responsibilities of the data controllers and data processors are defined, and they may be held liable for failing to properly secure personal data and for failure to comply with the regulations.
      • Sanctions and/or fines may be imposed upon any non-compliant organization inside or outside the EU of up to 20 million EUR or 4% of annual global turnover, whichever is greater.
  • Data Protection Officer
    • GDPR:
      • Large organizations that perform significant processing of personal data may require a Data Protection Officer.
      • This individual’s role and responsibility would be to advise the organization about compliance with GDPR rules.
    • SOC 2 Privacy criteria: this is not a requirement.
  • privacy considerations at the start of projects
    • GDPR: an organization must consider privacy guidelines and best practices at the onset of projects that may impact personal information held or processed. The GDPR’s privacy-by-design standard ensures that privacy is at the forefront rather than an afterthought.
    • SOC 2 Privacy criteria: this is not called out.

The GDPR is far-reaching and very detailed regarding the specific practices organizations need to have in place to ensure compliance. Being in compliance with the SOC 2 Privacy criteria may get an organization much of the way toward compliance with GDPR.

This post is licensed under CC BY 4.0 by the author.