SOC 2 Academy: How Contractual Obligations Impact Confidential Information
Confidentiality Criteria 1.2
When an organization pursues SOC 2 compliance, an auditor will verify that they comply with the common criteria listed in the 2017 Trust Services Criteria. In addition to the common criteria, though, there’s additional criteria for the availability, confidentiality, processing integrity, and privacy categories. For example, if an organization opts to include the confidentiality category in their audit, they would need to comply with the additional criteria for confidentiality. Confidentiality criteria 1.2 says, “The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.” What does this mean for organizations and how do they comply with this criterion? Let’s discuss.
How Can Contractual Obligations Impact Confidential Information?
Understanding how contractual obligations impact confidential information is especially important in order to comply with confidentiality criteria 1.2, because in this new era of data privacy regulations, many organizations will be required to retain data for a certain period of time; however, knowing how long they have to retain that data can be tricky when clients start adding additional stipulations to confidentiality agreements. For example, let’s say that a business wants to partner with a service organization who is only required by law to retain their data for three years. Before partnering with the service organization, that business may stipulate that the service organization needs to retain the data for an additional two years. If this scenario happens with multiple clients, knowing which requirements apply to which sets of data is critical to avoid confusion, ensure that that data remains confidential, and is disposed of correctly.
More SOC 2 Resources
One of the aspects of the confidentiality category for the 2017 SOC 2 Trust Services Criteria is how you manage these contractual expectations from your clients. There might be legal and regulatory requirements that say that you have to keep certain data for a specific number of years, but the client may have contracted with you to keep the information for longer than that. When it comes to disposing of information, you have to know what those requirements are and apply the right scenario with the right obligations that you’ve committed yourself to. Ultimately, you want to be certain about the type of information you have, how long it is that you’re supposed to maintain it and meet the obligations that you’ve agreed to under this confidentiality clause in your agreements with your clients.