Assurance Reporting for Privacy and Data Protection

Demonstrating appropriateness of design and operational effectiveness of your privacy and data protection controls

A drive to privacy and data protection assurance

Since the General Data Protection Regulation (GDPR) came into force, the regulatory regime has developed its expectations that organisations will implement comprehensive data protection controls within their businesses. The UK’s Information Commissioner previously stated that: ‘…this next phase of GDPR requires a refocus on comprehensive data protection – embedding sound data governance in all of your business processes.’

Organisations are facing a heightened level of scrutiny from business customers, data protection regulators, privacy activists, citizens and the judicial community, which is driving the demand for assurance.

Obtaining assurance helps you demonstrate compliance beyond paper-based solutions: it requires evidence that compliance is taking place at the operational level, and demonstrates that purposeful and sustainable data protection outcomes are being delivered within the people, technology and data layers.

The value of assurance reporting

Going beyond the paper layer

Demonstrates that your controls are going beyond the documents you have created and are operating effectively within the people, technology and data layers.

Complying with your commitments

Evidences that your contractual obligations to business customers are being satisfied and that the commitments made to regulators (e.g. in Binding Corporate Rules) are being met.

Challenging your controls

Identifies any gaps in the operational application of your data protection controls and where to apply remediation efforts.

Competitive advantage

Demonstrates the strength and robustness of your data protection controls compared to your competitors, providing you and your stakeholders with increased confidence.

Reduced requests from third parties

Provides interested third parties with an independent assurance report on a subject matter that is of significance to them. In turn, this can reduce audit requests and disruption to your business.

Demonstrating data protection is taken seriously

Shows third parties relying on the report (such as regulators and your business customers) that fulfilling data protection requirements is important to your organisation.

Showing a good risk management system

Demonstrates a good system of risk management and internal controls to address important societal issues relating to privacy. This can aid effective corporate governance and promote the long-term sustainable success of organisations and contribute to wider society.

What is assurance reporting?

Assurance reporting is an independent assessment of the suitability, design and operational effectiveness of an organisation’s privacy and data protection controls.

It can either be for a company’s internal use (private reporting) or for reliance by external stakeholders such as clients and business customers (public reporting). Where reporting is for the benefit of external stakeholders, this is performed under the AICPA SOC 2 reporting framework.

A SOC 2 report provides an independent assurance opinion covering controls relevant to security, availability, processing integrity, confidentiality and privacy (the ‘Trust Service Principles’). It is performed under a rigorous assurance standard, ISAE 3000, and covers multiple areas of an organisation’s control framework, from system and environment description to design suitability and operating effectiveness.

Our approach to assurance reporting

Determine the scope of your assurance report

We work closely with you to scope a tailored assurance report. We take into account the factors unique to your organisation, what it wants to achieve and its priorities.

Our approach includes determining:

  • the ‘users’ of the report, those stakeholder groups that will be relying on your report;
  • the products and services in scope;
  • the commitments made to the users with respect to data protection; and
  • the controls that you have developed to deliver on those data protection commitments.

Assess your readiness for formal assurance

Next, we carry out a readiness assessment for you which serves as a dry run for formal assurance. We will work with you to identify the controls that are meaningful to your users and to determine gaps in your controls that require remediation. You will get a comprehensive report which identifies the controls in scope and the remediation required, equipping you with the understanding to take remedial action and proceed to formal assurance reporting.

Undertake formal assurance and reporting

Depending on the results of your readiness assessment and the needs and timeline of the users of your report, we will either conduct (i) a point-in-time review that focuses on the design of your controls (known as a Type 1 report); or (ii) a review over a period of time that focuses on both the design and operational effectiveness of controls (known as a Type 2 report). Each of these reports results in a formal assurance opinion, signed by PwC, demonstrating the robustness and rigour of the review undertaken and providing a means to share the associated comfort over the control framework with both internal and external stakeholders.

Contact us

Tim Clough

Partner, Assurance, PwC United Kingdom

Tel: +44 (0)7483 378386