
How to Ensure Safe Personal Data Protection Handling

With an ever-increasing number of vendors to manage who handle personal data, or who assure customers that they can be trusted with personal data, there are many choices on how to seek and/or provide assurance. Often, customers start asking for a SOC2 — and they don’t even know what it is, just that it’s a phrase being tossed around in compliance or privacy circles. Are there alternatives to a SOC2? Do certifications have to be done by a third party? And more questions follow. Let’s discuss some basics about how to “prove” safe and adequate personal data protection handling.

The first thing to understand is that there is very little that can “prove” that any company (whether an individual, government entity, corporation, etc.) is engaged in safe or adequate data handling processes. Handling personal data properly is something that should be baked into a company’s culture. Proof would require actually watching the company and its personnel over time and in various activities. Instead, we engage in due diligence (or we should).

Due diligence is the process of vetting a company to gauge whether it has the proper controls in place and to determine whether it is a well-established, stable organization worth engaging as a vendor. Due diligence should be done for any vendor you engage with, but you should have a risk-based priority list. Part of the risk consideration should be whether the vendor handles personal data, and if so, whether there are any specifics about that data that require an increased level of protection, such as medical, race or ethnicity, or financial data, data on minors, or data from a geographical area that provides for greater protection. Due diligence includes ongoing monitoring, and you should make sure the contract gives you audit rights over vendors that fall into risky categories.

Now, let’s get to assurances of safe data handling that you should be looking for when doing your due diligence.

Audit reports

Audit reports can be first-, second-, or third-party reports. First-party audits are what you do to look at your own company using internal audit or a similar process. Second-party audits occur when you review a vendor, or a customer reviews you. Third-party audits are those performed by a (hopefully) independent third party with the credentials to make an objective finding. These findings may result in a certification, report, seal, license, award, or similar type of recognition.

Audits should be conducted against a set of standards that are generally accepted in the industry and that the company should adhere to. In this short article, I do not pretend to know or list all the types of audit frameworks, but I will address the most common ones I see in practice.

SOC audits

SOC stands for Service Organization Control and was developed by the AICPA (American Institute of Certified Professional Accountants). SOC reports evolved from the prior SAS70 reports and now come in three main flavors. SOC1 is essentially the SAS70 and serves to gauge a company’s control over financial reporting. SOC2 was developed because customers wanted some type of official report and kept asking vendors for SAS70s even when there was no financial reporting or involvement. SOC2 reviews a company’s controls on security, availability, processing integrity, confidentiality, or privacy related to personal data. SOC3 is a more basic form of SOC2 and should be used when you don’t really understand the controls being evaluated and you just want a basic report that provides the essentials.

Both SOC1 and SOC2 come in a Type 1 and a Type 2. Both types provide a description of the system and the suitability of its design; the difference is that Type 2 adds the operating effectiveness of the controls. Thus, the most detailed report for financial reporting is SOC1, Type 2, and for personal data protection it is SOC2, Type 2.

There are other reports and audits performed, such as TRUSTe’s website and cookie audit service, independent reports based on one or more applicable standards/frameworks (some examples are listed below), or specialty audits, such as the Cloud Security Alliance for cloud-based services, HITRUST for healthcare, or FedRAMP for working with the US government.

Common standards/frameworks include both developed standards and regulations/laws that require certain controls. Where applicable, the part most relevant to personal data protection is listed below, even though many more standards are available:

  • COBIT: Control Objectives for Information and Related Technologies (enterprise IT controls);
  • ISO 27000 series (or more appropriately ISO/IEC), International Organization for Standardization (more common globally);
  • NIST SP 800-53: National Institute of Standards and Technology (more US based); and,
  • PCI DSS: Payment Card Industry Data Security Standards (set by payment cards – Visa, MasterCard, etc.; global, applies to merchants who accept payment cards).

Common regulations/laws:

This is only a partial list. Most third-party audit companies will audit against a set of standards, which may be captured in regulations or laws, or they will use a common set of standards (NIST, ISO) as their baseline. The types of personal data involved, the location of the company or of the individuals whose personal data is involved, and the industry will drive which standards you want to know the company follows.

Keep in mind that in most cases you will only receive a snapshot of a moment in time, when the auditor reviewed the controls and perhaps interviewed key personnel. Diligent companies, especially those subject to SOX, will be audited annually and should provide you with an adequate report for your due diligence.

Final issues

There are a couple of special issues to also note. One, companies that use a colocated data center — where the data center vendor owns the building and provides all the security and management, but the company owns the equipment for data storage and processing — may rely on the audit report on the data center. It is good that they perform due diligence on their own vendor, but that report does not speak to the controls of the company itself. You need both.

Next, if you want to work with a vendor and they don’t have these reports, you will need to determine how to address that. You can do your own audit; you can hire an independent firm to do an audit; you can put it in the contract that they will obtain an audit (and provide specifics if you want specifics, and follow up); or you can rely on other indicators of their controls. You need to make sure that your due diligence is adequate for the personal data involved and that you would not be found negligent for failing to perform a certain level of diligence or to require a certain level of controls be in place.

About the Author

K Royal is the technology columnist for, and vice president, AGC privacy, and compliance/privacy officer at CellTrust Corp. @heartofprivacy

The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.