Data is global: SOC audits are vital under EU’s new GDPR


Data rarely respects national borders. That is why, when the EU adopted the General Data Protection Regulation (GDPR) in 2016, companies in the United States were forced to take notice: the regulation applies not only to organisations established in the EU but also to those outside it that offer goods or services to people in the EU or monitor their behaviour. To keep doing business across that boundary, U.S.-based companies will need to raise their privacy and security practices to a level they can demonstrate.

Though U.S. and EU companies may not use identical privacy practices, System and Organization Controls (SOC) audits are one bridge between the two. Add to that appointing a data protection officer (DPO) where the GDPR requires one, and self-certifying under the EU-U.S. Privacy Shield Framework (with a parallel Swiss-U.S. framework for Swiss data), and a U.S. business has the main building blocks for lawfully processing EU personal data.

SOC Functions

SOC audits are an American attestation standard, defined by the AICPA, in which an independent CPA firm examines the controls a service provider operates over its customers' data. They come in several forms: SOC 1 covers controls relevant to financial reporting, SOC 2 covers security and privacy controls, and SOC 3 is a general-use summary of a SOC 2. Each of these can be issued as a Type I report (the design of controls at a point in time) or a Type II report (their operating effectiveness over a period, typically six to twelve months).

For the purposes of GDPR compliance, a SOC 2 report, preferably Type II, is the most appropriate approach. SOC 2 is built on the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy), and in the U.S. it is routinely mapped to other regimes such as HIPAA; PCI DSS, by contrast, has its own assessment process. That same mapping approach carries over to the GDPR, which is why companies concerned with GDPR compliance turn to it. The caveat is that a SOC 2 report is not a GDPR certificate: it attests only to the controls the company chose to put in scope, and it says nothing about lawful basis, data subject rights or the other legal obligations the regulation imposes. Read it as evidence that the technical and organisational measures required by Article 32 are in place and operating, not as proof of compliance overall.

Depending on your company's role in data processing, you may also consider adding a SOC 3 report, a general-use summary of the SOC 2 that can be published without a non-disclosure agreement. A SOC 3 report provides a level of clarity and trust to clients and prospects, who are more concerned about data privacy than ever before in light of repeated security breaches, while the detailed SOC 2 remains available to customers who need it for their own vendor due diligence.

DPO Or SOC – Do You Need Both?

Under the GDPR, certain organisations are required to appoint a DPO to oversee both the technical and the organisational side of data protection: public authorities, and any controller or processor whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. But do U.S.-based companies need a DPO in order to do business under this new framework?

The obligation turns on what the company does, not on where it is incorporated. A U.S. company that falls within the GDPR's scope and meets one of the triggers above must appoint a DPO just as an EU company would, and it must also designate a representative in the EU. Outside those triggers, appointing a DPO is optional, but that does not mean U.S. companies should be complacent. The role's duties, monitoring compliance, advising on data protection impact assessments and acting as the contact point for supervisory authorities and data subjects, can be assigned to an existing chief data officer (CDO) or compliance function instead. Where a DPO is formally appointed, the GDPR requires that the person be independent, report to the highest level of management and not be penalised for doing the job. Either way, the key is to match the GDPR's requirements with a comparable degree of accountability and security.

EU-US Privacy Shield: Another Option

The GDPR does not take effect until May 2018, but the United States has already been party to the EU-U.S. Privacy Shield Framework since 2016, and to a parallel Swiss-U.S. framework since early 2017. Privacy Shield is not a precursor to the GDPR; it is a transfer mechanism. It lets a U.S. company self-certify, annually, that it adheres to the Privacy Shield Principles, and on that basis the EU (and Switzerland) treat the company as providing adequate protection for personal data transferred to it.

Participation in the Privacy Shield Framework is optional. It is administered by the International Trade Administration within the U.S. Department of Commerce, with the Federal Trade Commission enforcing a company's public commitments under it. Companies that choose to participate in the current version of the framework will already have addressed several GDPR themes, among them notice, purpose limitation, onward-transfer contracts and individual access rights, and are therefore better placed to meet the remainder of the GDPR's requirements.

The Privacy Shield frameworks replace the older Safe Harbor arrangement, which the Court of Justice of the EU struck down in 2015 as insufficient protection for consumer data. That history is itself a caveat: a transfer mechanism rests on an adequacy decision that can be challenged, so it should be one layer of a compliance programme rather than the whole of it. With that understood, the new frameworks are a sound option for businesses concerned about the GDPR.

Nor is the UK a shortcut. Its data protection rules currently mirror the EU's, but once it leaves the EU they will no longer count as an EU framework, and the legal basis for transfers between the UK and the EU will have to be settled separately. U.S. companies are better served by aligning directly with the EU framework.

American companies have had a tough time maintaining sufficient privacy safeguards, as the recent Equifax breach, among other high-profile cases, shows. SOC audits are a good place to start in terms of U.S. security standards, but ultimately the GDPR, with its requirements for accountability, breach notification and security of processing, could be very valuable to U.S. companies.

Even if the U.S. lacks a comprehensive national privacy standard, international protections could force corporate America's hand. We cannot do business in isolation, and that means falling in line and protecting the data we hold.
