Demonstrating appropriateness of design and operational effectiveness of your privacy and data protection controls
Since the General Data Protection Regulation (GDPR) came into force, the regulatory regime has developed its expectations that organisations will implement comprehensive data protection controls within their businesses. The UK’s Information Commissioner previously stated that: ‘…this next phase of GDPR requires a refocus on comprehensive data protection – embedding sound data governance in all of your business processes.’
Organisations are facing a heightened level of scrutiny from business customers, data protection regulators, privacy activists, citizens and the judicial community, which is driving the demand for assurance.
Obtaining assurance helps you demonstrate compliance beyond paper-based solutions, requiring evidence that compliance is taking place at the operational level, and demonstrating that purposeful and sustainable data protection outcomes are being delivered within these layers.
Demonstrates that your controls are going beyond the documents you have created and are operating effectively within the people, technology and data layers.
Evidences that your contractual obligations to business customers are being satisfied and that the commitments made to regulators (e.g. in Binding Corporate Rules) are being met.
Identifies any gaps in the operational application of your data protection controls and where to apply remediation efforts.
Demonstrates the strength and robustness of your data protection controls compared to your competitors, providing you and your stakeholders with increased confidence.
Provides interested third parties with an independent assurance report on a subject matter that is of significance to them. In turn, this can reduce audit requests and disruption to your business.
Shows third parties relying on the report (such as regulators and your business customers) that fulfilling data protection requirements is important to your organisation.
Demonstrates a good system of risk management and internal controls to address important societal issues relating to privacy. This can aid effective corporate governance and promote the long-term sustainable success of organisations and contribute to wider society.
Assurance reporting is an independent assessment of the suitability, design and operational effectiveness of an organisation’s privacy and data protection controls.
It can either be for a company’s internal use (private reporting) or for reliance by external stakeholders such as clients and business customers (public reporting). Where reporting is for the benefit of external stakeholders, this is performed under the AICPA SOC 2 reporting framework.
A SOC 2 report provides an independent assurance opinion covering controls relevant to security, availability, processing integrity, confidentiality and privacy (the ‘Trust Service’ Principles). It is performed under a rigorous assurance standard, ISAE 3000, and covers multiple areas of an organisation’s control framework, from system and environment description to design suitability and operating effectiveness.
We provide assurance reporting to the world’s largest organisations and are UK market leaders in control reporting. We are the only firm with a large-scale, global Trust & Transparency practice as part of our Assurance offerings.
Data protection controls experience
We have worked with a large number of organisations to design and implement data protection controls. We implicitly understand the challenges of embedding controls into organisations. Our experience and industry insights will guide us in applying the appropriate level of challenge to your controls and ensure that your remediation efforts are focused in the right areas.
Journey to Code
PwC is leading the thinking on how privacy principles can be embedded within systems, processes and controls. As part of this we have developed an indicative privacy controls library which maps GDPR articles to controls and to SOC 2 principles.
Data protection compliance experience
Our data protection team has delivered GDPR Readiness and Completeness Assessments to over 250 organisations, providing crucial insight into how to address the risks posed in the ‘live’ GDPR environment.
Multidisciplinary team and global network
We offer legal, assurance and consulting operational expertise in data protection across a large number of jurisdictions within our international network of firms. We are also able to draw on the experience of a full range of PwC specialists from different disciplines (such as privacy, data, forensics and cyber security) as core members of the team.
PwC’s Data Protection team
We have one of the UK’s largest data protection teams. We have been recognised for excellence in data protection in legal directories such as Chambers and the Legal 500.
Partner, Assurance, PwC United Kingdom
Tel: +44 (0)7483 378386