Understanding SOC 2 Privacy Requirements

Here's what you should understand about the requirements for the SOC 2 Privacy trust services criteria.

The SOC 2 Privacy trust services criteria cover a range of requirements ('focus points'), some of which apply only to an organisation that is a data controller and others only to an organisation that is a data processor.
The focus of Privacy is to ensure that appropriate oversight and processes are in place for personal information that is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.

Key Terms

  • Basis of processing personal data
  • Consent: Individuals must be able to prevent the collection of their personal data, unless legally required. If an individual has a choice about the use or disclosure of their information, consent is the individual’s way of giving permission for this. Consent may be explicit (e.g. opting in) or implied (e.g. not opting out).
  • Data controller: An organisation that (alone or jointly with others) determines the purposes for and the means by which personal data is processed.
  • Data processor: An organisation that processes data on behalf of a data controller.
  • Data subject: The individual about whom personal data is collected and processed.
  • Disposal: The phase of the data lifecycle related to how data is removed and/or destroyed.
  • Explicit consent: A requirement for individuals to affirm agreement with a data controller through a means of active communication between the parties (i.e. it must be affirmed in a clear statement, whether oral or written).
  • Implied consent: When consent may reasonably be inferred from the action or inaction of the individual.
  • Personal data risk assessment
  • Privacy disclosures
  • Privacy impact assessment
  • Privacy notice: A written communication by entities that collect personal information (e.g. a data processor or data controller) to the individuals about whom personal information is collected (i.e. data subjects). It primarily outlines the entity’s policies regarding the nature of the information that it will collect and how that information will be used, retained, disclosed, safeguarded, disposed of or anonymised. A privacy notice also includes information about the purpose of collecting the information, the choices that individuals have related to their personal information (e.g. consent and withdrawal), and how individuals can contact the entity with inquiries, complaints, and disputes related to their personal information.
  • Privacy requests: These are typically requests from (or on behalf of) the data subject to access, correct or update, delete, halt processing activities, opt out, or transfer their data.
  • Subprocessor: A data processor handling data on behalf of an entity that is also acting as a data processor.