Privacy means many different things, especially when it involves internet security. Privacy is generally defined as the state of being free from observation or disturbance by the public. The AICPA defines privacy as “Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA and CICA.” In the final installment of our Trust Service Principles blog series, we review the importance of privacy as it relates to data security and service organizations.
Privacy is assessed through adherence to GAPP, the Generally Accepted Privacy Principles, which focus on protecting the customer data an organization collects. GAPP are based on internationally recognized fair information practices found in privacy laws and regulations around the world. The privacy criteria are grouped into two categories: policies and communication, and procedures and controls. Policies and communication are the written documents that explain the organization’s intent, objectives, responsibilities, and standards for handling private information, and how the organization communicates these to internal and external parties. Procedures and controls are the other actions the service organization takes to meet the established standards. Private or personal information is defined as data that identifies an individual. Examples include name, home address, email address, social security number, and consumer purchase history.
An organization is responsible for several tasks before undergoing an audit related to protecting private information. The organization must have a clearly written privacy policy document that states how it will use the data it collects. The privacy policy document should also cover access to personal data, disclosure to third parties, and enforcement. Any changes made to the system that may affect security must also be communicated to customers. eCommerce organizations have to document additional details in their objective statement: the nature of the goods or services provided, the time frame for processing transactions, payment terms, and order cancellation terms should all be clearly documented for customers.
Along with an objective statement, your organization can take additional steps to streamline the audit process. Defining the scope of your audit is vital whether you are engaging in a SOC 1, SOC 2, or SOC 3 attestation (the privacy principle itself is examined in SOC 2 and SOC 3 reports). The scope of a privacy engagement can cover all personal information, or only certain information defined ahead of the engagement; either way, it should cover every activity that collects, uses, retains, destroys, or de-identifies data across the data life cycle. Review and update your policies and procedures on a regular basis, and make sure your staff receive training on adherence to the AICPA’s Trust Service Principles.
We hope you found our blog series on the Trust Service Principles useful. Auditwerx has worked with a wide variety of organizations over the years, assisting them in navigating the audit process. We know how daunting an audit can be, for first-timers and experienced professionals alike. We’ve used our experience to create a customized audit checklist for our customers to follow before, during, and after the audit. Call us today at (866) 446-4038 or contact us here to learn how we can help streamline your next audit.