SOC 2 Notice of Privacy Practices (P1.1)

Overview:
The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity’s privacy practices, including changes in the use of personal information, to meet the entity’s objectives related to privacy.


Action Items:
1) Create a privacy notice (externally facing) and privacy policy (internally facing) and publish on the company intranet for employees to access and review.
2) Inspect the privacy notice and the company website showing the privacy notice to determine that the privacy notice is clearly dated with the last updated date and is communicated to company customers via the company website.
3) Inspect the agreements for a sample of new customers during the review period to determine that customer subscription agreements contain privacy and data protection provisions, as applicable to the entity.
4) Inspect the end-user account creation process to determine that the application is configured to require participants to review and accept the privacy notice upon account creation for the application.


Related Documents:
1) Privacy notice
2) Privacy policy
3) Sample of customer agreements and signed terms and conditions
4) Evidence that users are required to accept the privacy notice upon account creation

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:


1) Communicates to Data Subjects—Notice is provided to data subjects regarding the following: Purpose for collecting personal information; Choice and consent; Types of personal information collected; Methods of collection (for example, use of cookies or other tracking techniques); Use, retention, and disposal; Access; Disclosure to third parties; Security for privacy; Quality, including data subjects' responsibilities for quality; Monitoring and enforcement. If personal information is collected from sources other than the individual, such sources are described in the privacy notice.
2) Provides Notice to Data Subjects—Notice is provided to data subjects (1) at or before the time personal information is collected or as soon as practical thereafter, (2) at or before the entity changes its privacy notice or as soon as practical thereafter, or (3) before personal information is used for new purposes not previously identified.
3) Covers Entities and Activities in Notice—An objective description of the entities and activities covered is included in the entity's privacy notice.
4) Uses Clear and Conspicuous Language—The entity's privacy notice is conspicuous and uses clear language.