SOC 2 Compliance Audit for Privacy

Ecom Infotech

SOC 2 Type 2 Privacy Audit

Privacy has grabbed the attention of Boards of Directors as regions look to implement privacy regulation and compliance standards such as HIPAA, GDPR, CCPA etc. Privacy is the new buzzword and the potential impact is very real. Personal data is processed for political and economic reasons without users’ consent, as happened in the Cambridge Analytica. In view of the recent incidents privacy laws are changing and going forward they may become more stringent. It may be prudent for organizations to be more proactive and adopt measures for Privacy Governance such as AICPASOC 2 Type 2 audit for Privacy Compliance..

Ecom Infotech


To demonstrate the privacy-related controls, Organizations can include the privacy criteria as part of the scope of their SOC 2 Type 2 audit report. Additionally, controls for any other specific laws too can be included as Additional Subject Matter. The Trust Services Privacy Criteria were formerly known as the Generally Accepted Privacy Principles(GAPP) by AICPA. The broad requirements are described in the following paragraphs. Many of these requirements match the legislation like EU-GDPR. In the wake of such new privacy, mandates organizations are encouraged not only include the privacy criteria in their SOC 2 type 2 compliance report but also to demand including them in their vendors' SOC 2 Type 2 report.


When the SOC 2 description addresses privacy, service organization management discloses the service commitments and system requirements identified in the service organizations' privacy notice or in its privacy policy that are relevant to the system being described.

When making such disclosures, it may also be helpful to report users if service organization management describes the purposes, uses, and disclosures of personal information permitted by user entity agreements.More on SOC Audit Services