Privacy Solutions

Readiness Assessment Services

International, federal, and state data privacy laws along with the emergence of privacy focused control frameworks have created a complex web of compliance requirements for organizations to consider within their data privacy programs.

Our readiness assessment services can help you evaluate your data privacy maturity, identify gaps against pertinent compliance initiatives, and communicate industry best practices. Our attestation reports can serve as a tool to demonstrate your data privacy posture to current or potential clients, investors, regulatory bodies, and other stakeholders.

General Data Protection Regulation (GDPR)

The GDPR is a robust data privacy and security regulation established by the European Union (EU) to protect the personal information of EU citizens. The GDPR applies to organizations based in the EU that process personal information, and to organizations worldwide that offer goods and services to EU citizens or monitor the behavior of EU citizens. The implications of the GDPR therefore apply to most major entities and can be accompanied by hefty penalties for non-compliance.

HIPAA Privacy Rule

The HIPAA Privacy Rule sets federal standards for protecting personal health information against misuse. HIPAA privacy provisions apply to covered entities (health plans, healthcare clearinghouses, and healthcare providers), which can be subject to audits by the Office for Civil Rights.

California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)

The CCPA and the additional provisions enacted by the CPRA serve as the first comprehensive (industry-agnostic) privacy regulation in the United States and were enacted by the California legislature to provide rights and consumer protections regarding the personal information of California residents. Similar to the GDPR, the CCPA has broad implications and potentially hefty fines and penalties. The CCPA applies to any organization that conducts business in California and satisfies at least one of the following criteria:

  1. Has annual gross revenues in excess of $25 million.
  2. Buys, receives or sells the personal information of 50,000 or more consumers or households.
  3. Earns more than half of its annual revenue from selling consumers’ personal information.

NIST Privacy Framework

The Privacy Framework established by NIST is intended to help organizations identify and manage privacy risks associated with their products or services. The Privacy Framework is modeled after NIST’s Cybersecurity Framework (CSF); however, it extends the scope to account for privacy risks arising from data processing that may be unrelated to cybersecurity incidents. An assessment against the Privacy Framework would benefit organizations looking to improve their existing data privacy program as well as those looking for flexible guidance to serve as the foundation for a new privacy program.

SOC 2 with Privacy

A SOC 2 examination that includes the Privacy Category is a great way to demonstrate your organization’s information privacy posture. The privacy criteria within SOC 2 are founded on the Generally Accepted Privacy Principles (GAPP), developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) to serve as a global framework for an effective privacy program. A SOC 2 incorporating the Privacy Category is one of the most widely accepted forms of providing assurance over an organization’s information privacy controls.