Did you know that there is a difference between “Privacy” and “Confidentiality” when it comes to assessing SOC 2 compliance? Let’s break down what both terms mean and how they can impact SOC 2 compliance and reporting.
The Difference Between Privacy & Confidentiality
First off, it’s very important to define these two terms in relation to SOC 2 standards:
- Confidentiality refers to multiple kinds of sensitive information. Examples of confidential information would be financial information used for internal or external reporting, customer lists, confidential wholesale pricing information, product information, proprietary information provided by business partners, and more.
- Privacy refers specifically to personal information, which requires unique considerations. This is non-public information. Personal information is non-public information that could identify an individual such as: health information, payment information, customer profile information, and more.
A SOC 2 report that analyzes “Privacy” in the context of the Five Trust Services Criteria will likely address the following, as applicable:
- Your organization’s privacy commitments and practices,
- How your organization protects personal information from being used inappropriately,
- A user’s ability to choose the use and disclosure of their personal information,
- A user’s right to access their personal information for review,
- Your organization’s inquiry, compliant, and resolution processes.
Scoping Your SOC 2 Report
Did you know that your SOC 2 report may not have to address the privacy criteria? If your organization’s systems do not transmit, store, collect, create, or use personal information, then the privacy criteria may not need to be addressed at all. In these situations, the confidentiality criteria may make more sense. An experienced auditor like Auditwerx can help you analyze your system and documentation to ensure that your SOC 2 audit is properly scoped.
Choosing an Experienced SOC 2 Partner
Take the guess work out of SOC 2 examinations by partnering with an experienced audit firm. Our thorough evaluation process ensures that your SOC 2 audit is completed in a timely and transparent manner. If you are ready to start the SOC 2 audit process, contact Auditwerx today.