SOC reports for Privacy

Ecom Infotech

SOC 2 reports for Privacy

Privacy has grabbed the attention of Boards of Directors as regions look to implement privacy regulation and compliance standards similar to GDPR. Privacy is the new buzzword, and the potential impact is very real. Personal data is processed for political and economic reasons without users' consent, as happened in the Cambridge Analytica case. In view of these recent incidents, privacy laws are changing, and going forward they may become more stringent. It may be prudent for organizations to be more proactive and adopt measures for Privacy Governance.


To demonstrate their privacy-related controls, organizations can include the privacy criteria in the scope of their SOC 2 report. Additionally, controls for any other specific laws can be included as Additional Subject Matter. The broad requirements of the AICPA Privacy Criteria are described in the following paragraphs. Many of these requirements match legislation such as the EU GDPR. In the wake of such new privacy mandates, organizations are encouraged not only to include the privacy criteria in their own SOC 2 report but also to demand that their vendors include them in their SOC 2 reports.


When the description addresses privacy, service organization management discloses the service commitments and system requirements identified in the service organization's privacy notice or privacy policy that are relevant to the system being described.

When making such disclosures, it may also be helpful to report users if service organization management describes the purposes, uses, and disclosures of personal information permitted by user entity agreements.