SOC2 - Privacy Trust Services Criteria

Published on July 11, 2025

Introduction

With mounting digital trails and expanding regulatory demands, businesses are under pressure to safeguard personal information and be clear about how they use it. The SOC 2 framework, well-known for demonstrating operational and security maturity, features privacy as one of its five Trust Services Criteria (TSCs).

An operational SOC 2 process begins with understanding the essential criteria, then designing controls, implementing them, and maintaining ongoing improvement. The same applies to privacy. First, establish what personal information you are gathering. Then put controls in place around it. Train your team. Give data subjects a way to reach you. Lastly, be transparent and regularly refresh your processes.

This blog post delves deeper into the privacy criteria drawn from the overall SOC 2 framework and outlines the steps required to comply.

Privacy vs Confidentiality

Privacy is about the appropriate collection, use, and protection of personal information: data that makes a person identifiable, such as names, email addresses, or health information. It covers how people’s information is handled in accordance with legal requirements.

Confidentiality, however, applies to sensitive internal or business information, for instance, trade secrets, finances, or intellectual property.

Although both seek to safeguard data, privacy concerns the handling of personal information, while confidentiality protects proprietary or sensitive business data from unauthorised access.

What Are the Privacy Criteria?

The Privacy Trust Services Criteria set the standards by which companies are required to manage personal data responsibly. The AICPA states that these criteria ensure that the collection, use, retention, disclosure, and disposal of personal information comply with policies consistent with users’ expectations and applicable laws.

  • Notice: Tell individuals what information you collect

  • Collection: Only collect what you require

  • Use, retention, and disposal: Only retain as long as necessary

  • Access: Allow users to view or erase their information

  • Disclosure to third parties: Inform individuals where their information will be sent

  • Security: Safeguard personal information

  • Monitoring and enforcement: Ensure compliance with rules

If your company processes any form of personal information, this model helps minimise legal risk and establish trust with customers.

Who needs to comply? Data Collector vs Data Processor

If your business collects or processes personal data, the relevant privacy standards must be applied. Here’s the difference:

  • Data Collectors (Controllers): Determine what data to gather and for what reason. For example, an online shopping site gathers user addresses for shipping.

  • Data Processors: Handle data on behalf of another entity, such as a payment gateway processing transactions for an online store.

Both roles fall under the privacy criteria. If you collect user emails for marketing purposes, you are a collector. If you process data on behalf of another business, you are a processor. You must apply privacy controls in both roles.

Map the Data Flows

The majority of privacy compliance relies on knowing where personal data is collected and where it is shared. You will need to:

  • Know what kinds of data you’re collecting (names, emails, IPs, etc.)

  • Know how it moves through your systems

  • Know where it gets stored, who gets to access it, and where it is sent

Design data flow diagrams that indicate every step, from the user’s submission to sharing with third parties. This will enable you to spot risks and apply the appropriate controls.

Making it All Transparent: A Clear Privacy Policy

Transparency is part of the audit requirements. Your easy-to-understand privacy policy should state:

  1. What information you collect

  2. Why you collect it

  3. How and with whom you share it

  4. How long you keep it

  5. How to request access or deletion

The policy should be easy to locate and should state the consent options available. Link it from signup forms, account settings, and your footer. Plain, transparent language helps build trust.

Implementing Controls

Controls are the mechanisms and practices that enforce your privacy commitments. The most important controls include the following:

  • Consent controls: checkboxes, opt-ins

  • Data minimisation: only collect and keep what you need

  • Access controls: limit who processes personal data

  • Encryption: for data being transmitted and stored

  • Retention and disposal: set schedules, delete after retention

  • Monitoring: audit logs, breach detection

Whereas security controls cover protection and access, privacy controls additionally cover consent, data removal, and disclosure policies.
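As an added illustration of two of the controls listed above (data minimisation and retention/disposal, with an audit log for monitoring), the following Python module is example code written for this post, not code from the post's author or from the SOC 2 framework. The retention periods in days, the allowed-field lists, the category names and the sample records are all assumed values constructed for the example; a real programme would take them from its documented retention schedule and data inventory.

```python
"""Example: retention-schedule and data-minimisation enforcement with an audit log.

Added example, not part of the original post. All schedule values, categories
and records below are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed per-category retention schedule in days (hypothetical values).
RETENTION_DAYS = {
    "marketing_email": 365,
    "shipping_address": 90,
    "support_ticket": 730,
}

# Data minimisation: the only fields each category may store (hypothetical).
ALLOWED_FIELDS = {
    "marketing_email": {"email", "consent_at"},
    "shipping_address": {"name", "address", "order_id"},
    "support_ticket": {"email", "ticket_id", "message"},
}


@dataclass
class Record:
    record_id: str
    category: str
    collected_at: datetime   # timezone-aware
    fields: dict


@dataclass
class AuditEvent:
    at: datetime
    action: str      # "minimised", "stored" or "disposed"
    record_id: str
    detail: str


class PersonalDataStore:
    """Toy in-memory store that applies the controls on every write and sweep."""

    def __init__(self):
        self.records = {}
        self.audit_log = []

    def _log(self, now, action, record_id, detail):
        self.audit_log.append(AuditEvent(now, action, record_id, detail))

    def store(self, record, now):
        # Refuse data that has no retention schedule: it could never be disposed of.
        if record.category not in RETENTION_DAYS:
            raise ValueError(f"no retention schedule for category {record.category!r}")
        # Data minimisation: strip any field the category is not allowed to hold.
        allowed = ALLOWED_FIELDS[record.category]
        dropped = sorted(set(record.fields) - allowed)
        if dropped:
            record.fields = {k: v for k, v in record.fields.items() if k in allowed}
            self._log(now, "minimised", record.record_id, f"dropped fields {dropped}")
        self.records[record.record_id] = record
        self._log(now, "stored", record.record_id, record.category)
        return dropped

    def expired(self, now):
        """Record ids whose retention period has elapsed as of `now`."""
        return sorted(
            r.record_id for r in self.records.values()
            if now - r.collected_at >= timedelta(days=RETENTION_DAYS[r.category])
        )

    def dispose_expired(self, now):
        """Delete expired records and leave an audit trail of each disposal."""
        disposed = self.expired(now)
        for rid in disposed:
            del self.records[rid]
            self._log(now, "disposed", rid, "retention period elapsed")
        return disposed


def demo():
    """Run the controls over two constructed records; returns what was kept and logged."""
    now = datetime(2025, 7, 11, tzinfo=timezone.utc)  # constructed reference time
    store = PersonalDataStore()
    # 'phone' is not an allowed field for shipping_address, so it is dropped;
    # the record is 120 days old, past the 90-day schedule, so it is disposed of.
    store.store(Record("r1", "shipping_address", now - timedelta(days=120),
                       {"name": "A. Example", "address": "1 Sample St",
                        "order_id": "o-1", "phone": "000"}), now)
    store.store(Record("r2", "marketing_email", now - timedelta(days=10),
                       {"email": "a@example.test", "consent_at": "2025-07-01"}), now)
    disposed = store.dispose_expired(now)
    return disposed, sorted(store.records), [e.action for e in store.audit_log]


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from this is that minimisation and disposal are enforced at the point of storage and on a scheduled sweep, and that each enforcement action produces an audit event an assessor can review, rather than relying on staff to remember the policy.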

Training and Awareness

Your staff need to know what personal data is, how to deal with it securely, and their responsibility for protecting it.

Regular training sessions, policy reminders, and scenario-based practice help drive best practices. From leadership to interns, everyone needs to know how to identify risks, react to policy changes and adhere to internal privacy procedures. This ensures SOC 2 Privacy criteria compliance and equips your team to act responsibly when working with sensitive data.

Data Subject Access Requests

Data Subject Access Requests (DSARs) enable users to request access to their data. SOC 2 Privacy standards require organisations to respond in a clear and timely manner.

  • Make it an Easy Process: Offer simple means (such as forms or emails) to submit DSARs.

  • Validate Identity: Verify the requester’s identity to safeguard sensitive data.

  • Respond Promptly: Make every effort to respond within 30 days.

  • Facilitate Corrections and Deletions: Allow users to correct or delete their data.

  • Keep Records: Document all DSAR requests and your responses for audit preparedness.

Auditors will check your procedure, including example requests, timing, and completeness.

Third-Party and Sub-processor Management

Your privacy obligations also cover third-party vendors and sub-processors who process personal data on your behalf. It’s essential to manage them well.

Key Actions:

  • Identify Vendors: Maintain an up-to-date list of all third parties that process personal data on behalf of your organisation.

  • Perform Due Diligence: Review their security and privacy policies before onboarding.

  • Utilise Strong Agreements: Execute Data Processing Agreements (DPAs) that define roles and responsibilities.

  • Enforce Compliance: Regularly audit or review vendors to guarantee continuous compliance.

  • Restrict Access: Provide third parties with only the data necessary for their specific function.

Document Everything

Maintaining proper documentation is a must for complying with the SOC 2 Privacy requirements. It demonstrates to auditors that your privacy programme is organised and enforced. Keep clear records of data flow diagrams, privacy policies, user consent logs, access controls, employee training, vendor agreements, and incident response actions.

Documentation must be consistent, well-organised, and regularly updated to ensure accuracy and clarity. When modifications take place through new tools or policies, document them promptly. It establishes a credible trail of proof substantiating your compliance. Good documentation not only assists with audits but also enhances internal accountability and inter-team understanding.

Continuous Improvements

Continuous improvement ensures your privacy program stays current with emerging risks, laws, and technologies. It’s not an initial undertaking but an ongoing process of review and improvement.

  • Review Policies regularly: Regularly revise privacy policies to ensure alignment with current practices and relevant legislation.

  • Audit Data Flows: Re-examine how personal data is collected, stored, and transmitted to ensure compliance with relevant regulations.

  • Monitor Regulatory Updates: Stay aware of the regulations that apply to you, such as GDPR and CCPA.

  • Collect Feedback: Gather feedback from internal groups and users to identify areas for improvement.

  • Monitor KPIs: Utilise measurements to track performance and inform adjustments as needed.

Conclusion

The SOC 2 Privacy Trust Services Criteria enable you to establish a robust framework for handling personal data with care and confidence. By understanding the requirements of privacy criteria, mapping data flows, setting up the right controls, training your team, and being transparent with users, you will create the utmost accountability and trust.

If you are starting your SOC 2 journey, it’s essential to understand that privacy may be optional on paper, but in reality, it’s crucial for long-term success.