Selecting the Foundational Framework
Tech companies generally build their privacy control and reporting frameworks around one of two standards: ISO 27701 and/or SOC 2.
ISO 27701 Certification: ISO 27701 is an international certification, which many companies select because it lends credibility to a company’s privacy framework.
ISO 27701 is also well-suited to companies that are actively pursuing international growth, particularly in Europe and Asia, or that already have the ISO 27001 security certification.
Key elements of ISO 27701:
- Builds on top of the leading ISO security standard 27001 — be mindful that you need the ISO security certification before or in conjunction with getting the ISO privacy certification
- Maps to requirements from GDPR, which is the dominant legal framework globally and extremely applicable for companies serving EU-based customers
- Differentiates between data processer and data controller responsibilities
- Covers important areas like privacy by design, data risk management, consent, and data subject requests
Additional Considerations for Choosing and Tailoring Your Framework
Both ISO 27701 and SOC 2 act as a foundation to serve most technology companies’ privacy reporting needs. Tech companies should be mindful that the current best practice is to adopt a framework and then add further controls designed to meet the unique needs of your organization.
If you are unsure which framework may work best for your company and/or how to tailor your controls and reporting, consider the following questions:
- Where do you operate? What are the dominant data privacy standards in those regions?
- What privacy laws apply to your company and the services you provide?
- Where are your customers based and what are the dominant data privacy standards in those geographies?
- What types of personal information/data are you collecting from customers?
- What privacy and data related risks does your company face? How are you addressing these risks?
- What are customers or stakeholders requesting — a specific type of report or certification?
- Where are you trying to expand your customer base? Do those customers’ industry or regional privacy requirements align with the privacy requirements and expectations of your current customer base?
- What data privacy regulations do your customers have to adhere to? How does that impact the regulatory requirements and risks your company faces?
SOC 2: SOC 2 attestation is a widely adopted reporting approach used by many global and U.S.-based tech companies. It is well-suited to companies that have already adopted SOC 2 reporting for security, those that have not already implemented ISO 27001,
and those with a need to provide more privacy program detail in their audit reporting.
Key elements of SOC 2:
- Builds on a company’s existing SOC 2 security reporting framework
- Based on a defined set of common privacy requirements
- Offers some more flexibility than ISO in defining the relevant privacy controls
- Results in a report that describes overall privacy processes, detailed controls, and the auditor’s testing
- Allows the company to describe and highlight its privacy processes and controls
- Includes both descriptive and control components that help tech companies articulate their program controls to demonstrate their program’s effectiveness
Adopting these standards can be challenging, and tech companies may find that working with a third-party advisor can help.
At BDO, we start with a readiness assessment to help clients understand their current level of privacy program maturity and identify any gaps they need to address, especially ahead of an audit. We work with organizations to develop a clear picture of their contractual and regulatory commitments, the types of personal information collected, and where it is processed and stored. We work with our clients to explain why these details matter to overall organizational compliance and resiliency.
Our third-party attestation team focuses on providing fair and balanced compliance assessments, as well as comprehensive services around SOC reporting and ISO certifications, all while helping clients protect and grow their businesses.
Ready to enhance your data privacy reporting? Contact BDO today to learn which reporting approach is right for you.