
SOC 2 Privacy Criteria: What P1–P8 Actually Require

A detailed walkthrough of SOC 2 Privacy criteria P1 through P8 — what each requires, how they map to GDPR and DPDP, and what evidence auditors collect.

Key Takeaways
  • The Privacy TSC has eight criteria (P1–P8) covering the complete lifecycle of personal information.
  • P1 (notice), P3 (collection), and P4 (use/retention/disposal) are the most evidence-intensive criteria.
  • SOC 2 Privacy and GDPR overlap significantly — companies addressing both can share most evidence.
  • India's DPDP Act shares principles with SOC 2 Privacy (consent, purpose limitation, data subject rights), making joint compliance efficient.
  • Adding Privacy requires operational programs — consent management, data subject request workflows, breach notification — not just written policies.

P1: Notice and Communication

P1.1 requires that the entity provides notice about its privacy practices to individuals before or at the time of collection. The notice must cover: what personal information is collected, the purpose of collection, how it will be used and shared, the legal basis for processing, individual rights, and how to contact the privacy officer.

Evidence: published privacy policy meeting the notice requirements; privacy policy version history showing annual review; records of when the privacy policy was updated and how affected individuals were notified; mechanism for collecting privacy policy acknowledgments from new users.

P1.1 is typically one of the easiest criteria to address — if you have a public privacy policy that covers the required topics, you satisfy the notice requirement. The harder aspect is keeping the notice current as your data practices change and ensuring that notice is provided "at or before the time of collection" — which means users must see the privacy policy before they submit personal data.

P2: Choice and Consent / P3: Collection

P2.1 requires that individuals are given the opportunity to consent to the collection and use of their personal information for secondary purposes. P2.2 requires that individuals can opt out of certain uses. Evidence: consent mechanism in the registration flow; preference center or opt-out mechanism; records of consent collected; process for honoring consent revocation.

P3.1 requires that personal information is collected only for identified purposes. P3.2 requires that personal information is collected using lawful and fair methods. Evidence: data mapping document showing what PII is collected, for what purpose, and the legal basis; evidence that collection is limited to what's needed (no excessive collection); technical audit showing no hidden data collection (server-side tracking, third-party pixels) beyond what's disclosed.

P3 is where many consumer-facing and B2B2C companies find significant gaps. Analytics tools (Mixpanel, Amplitude, Google Analytics) collect behavioral data; marketing automation tools (HubSpot) collect form submissions; support tools (Intercom) collect conversation data. Each of these data flows must be covered by your privacy notice and have a lawful basis.
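The "technical audit showing no hidden data collection" above can be started with a simple inventory check: list every host that a page loads scripts, images or frames from, discard first-party hosts, and compare the remainder with the third parties named in the privacy notice. The script below is an added illustration, not AuditPath's tool or anything from the original post. The sample HTML, the first-party host and the disclosed list are constructed; the vendor hostnames use the reserved `.example` domain and nothing is fetched from the network.

```python
"""Compare a page's third-party loads with the disclosed processor list (P3 evidence).

Added illustration only; not the page's or any vendor's code. The sample HTML,
first-party host and disclosed hosts are constructed for the example.
"""
from html.parser import HTMLParser
from typing import Dict, Iterable, List, Set
from urllib.parse import urlparse


class ResourceCollector(HTMLParser):
    """Collect the hostnames that script, img and iframe tags load from."""

    def __init__(self) -> None:
        super().__init__()
        self.hosts: Set[str] = set()

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag not in ("script", "img", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        host = urlparse(src).hostname  # None for relative paths like /static/app.js
        if host:
            self.hosts.add(host.lower())


def tracker_inventory(html: str, own_host: str, disclosed: Iterable[str]) -> Dict[str, List[str]]:
    """Return every third-party host found and the subset missing from the notice.

    A host is first-party when it equals own_host or is a subdomain of it.
    Anything else must appear in the disclosed list, or it is an undisclosed
    data flow that the privacy notice and lawful-basis record do not cover.
    """
    parser = ResourceCollector()
    parser.feed(html)
    own = own_host.lower()
    third_party = {h for h in parser.hosts if h != own and not h.endswith("." + own)}
    missing = third_party - {d.lower() for d in disclosed}
    return {"third_party": sorted(third_party), "undisclosed": sorted(missing)}


# Constructed sample page: one first-party script, one first-party image on a
# subdomain, and three third-party loads of which only two are disclosed.
SAMPLE_HTML = """
<html><body>
<script src="/static/app.js"></script>
<script src="https://analytics.vendor-a.example/track.js"></script>
<img src="//pixel.vendor-b.example/p.gif" width="1" height="1">
<iframe src="https://chat.vendor-c.example/widget"></iframe>
<img src="https://static.app.example.com/logo.png">
</body></html>
"""

# Constructed: the third parties the (hypothetical) privacy notice names.
DISCLOSED_HOSTS = ["analytics.vendor-a.example", "chat.vendor-c.example"]


def demo() -> Dict[str, List[str]]:
    """Audit the constructed sample page for app.example.com."""
    return tracker_inventory(SAMPLE_HTML, "app.example.com", DISCLOSED_HOSTS)


if __name__ == "__main__":
    print(demo())
```

Run against a real page, the `third_party` list becomes the "record of third-party tracking technologies in use" and any `undisclosed` entry is a gap to close in the notice (or a load to remove) before the auditor finds it. Tag managers and scripts that inject further scripts at runtime will not show up in static HTML, so a browser-based capture is still needed for a complete inventory.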

P4: Use, Retention, and Disposal

P4.1 requires that personal information is used, retained, and disposed of only in accordance with stated purposes. P4.2 requires that personal information is retained for no longer than necessary. P4.3 requires that personal information is disposed of in a manner that prevents loss or unauthorized access.

Evidence: data retention schedule with defined periods for each PII category; automated deletion workflows or manual deletion procedures executed on schedule; records of data deletions; evidence that PII is not used for undisclosed secondary purposes (internal data use audit); privacy-by-design documentation showing that new product features involving PII went through privacy review.

P4 is operationally the hardest Privacy criterion to sustain because it requires ongoing execution. Deleting PII after retention periods expire requires either automated tooling or a recurring manual process. Many companies implement P4 in the policy but fail to build the operational deletion workflows — and discover this when an auditor asks for evidence of recent data deletions.
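What the "automated deletion workflow" and its evidence can look like in code, as an added example that is not from the original post or from AuditPath: a retention schedule keyed by PII category drives a sweep that disposes of expired records and writes one log entry per deletion, which is exactly the artefact an auditor asks for. The categories, retention periods, record ids and dates are constructed assumptions; a real implementation would read the schedule from the documented retention policy and the records from the production data store.

```python
"""Retention-schedule-driven PII disposal with an auditable deletion log (P4).

Added illustration only; not AuditPath's code or an auditor's tool. The
categories, retention periods, record ids and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Tuple

# Assumed retention schedule: PII category -> maximum days after last activity.
# In practice this mirrors the documented retention schedule (P4.2).
RETENTION_DAYS: Dict[str, int] = {
    "support_conversation": 365,
    "marketing_lead": 730,
    "inactive_account": 1095,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    last_activity: date


@dataclass(frozen=True)
class DeletionLogEntry:
    """One evidence line: what was deleted, when, and under which period."""
    record_id: str
    category: str
    last_activity: date
    deleted_on: date
    retention_days: int


def is_expired(record: Record, today: date) -> bool:
    """True when the record has been held longer than its category allows."""
    limit = RETENTION_DAYS[record.category]
    return today - record.last_activity > timedelta(days=limit)


def run_retention_sweep(
    records: List[Record], today: date, delete_fn: Callable[[Record], None]
) -> Tuple[List[Record], List[DeletionLogEntry], List[Record]]:
    """Apply the schedule; returns (kept, deletion_log, unscheduled).

    Records whose category has no retention period are neither kept silently
    nor deleted: they are returned for review, because data with no stated
    purpose and period is itself a P4.1 gap.
    """
    kept, log, unscheduled = [], [], []
    for rec in records:
        if rec.category not in RETENTION_DAYS:
            unscheduled.append(rec)
        elif is_expired(rec, today):
            delete_fn(rec)  # the actual disposal step (P4.3)
            log.append(DeletionLogEntry(rec.record_id, rec.category, rec.last_activity,
                                        today, RETENTION_DAYS[rec.category]))
        else:
            kept.append(rec)
    return kept, log, unscheduled


def summarize_log(log: List[DeletionLogEntry]) -> Dict[str, int]:
    """Deletions per category, the headline figure of a retention evidence report."""
    counts: Dict[str, int] = {}
    for entry in log:
        counts[entry.category] = counts.get(entry.category, 0) + 1
    return counts


def demo() -> Dict[str, object]:
    """Run the sweep over a constructed in-memory store as of 2024-06-01."""
    store = {
        "r1": Record("r1", "support_conversation", date(2023, 1, 15)),  # expired
        "r2": Record("r2", "support_conversation", date(2024, 3, 1)),   # kept
        "r3": Record("r3", "marketing_lead", date(2022, 1, 1)),         # expired
        "r4": Record("r4", "marketing_lead", date(2023, 1, 1)),         # kept
        "r5": Record("r5", "inactive_account", date(2021, 1, 1)),       # expired
        "r6": Record("r6", "legacy_export", date(2020, 1, 1)),          # no schedule
    }
    kept, log, unscheduled = run_retention_sweep(
        list(store.values()), date(2024, 6, 1), lambda r: store.pop(r.record_id)
    )
    return {
        "kept": [r.record_id for r in kept],
        "deleted": [e.record_id for e in log],
        "unscheduled": [r.record_id for r in unscheduled],
        "per_category": summarize_log(log),
        "remaining_in_store": sorted(store),
    }


if __name__ == "__main__":
    print(demo())
```

Scheduling this sweep (a daily job is typical) and retaining the deletion log for the observation period gives the "records of data deletions" evidence directly; the `unscheduled` output is the list of data categories the retention schedule has not yet addressed.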

P5: Access / P6: Disclosure and Notification

P5.1 requires that individuals can access, correct, and delete their personal information. P5.2 requires that access requests are responded to in a timely manner. Evidence: documented data subject request (DSR) process; records of DSRs received and fulfilled during the observation period; response time metrics showing SLA compliance; technical implementation of data portability (export function) or manual data retrieval process.
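The "response time metrics showing SLA compliance" for P5.2 come from a DSR ledger, and the same ledger can flag the one control failure that matters most here: a request fulfilled before the requester's identity was verified. The code below is an added example, not the post's or any vendor's code; the 30-day window, the request records and the reference date are constructed assumptions.

```python
"""Data subject request (DSR) ledger with SLA metrics for P5 evidence.

Added illustration only; not the page's or any vendor's code. The SLA window,
the request records and the reference date are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

SLA_DAYS = 30  # assumed committed response window


@dataclass
class Dsr:
    dsr_id: str
    kind: str                         # access, correct, export or delete
    received: date
    verified: Optional[date] = None   # identity verification completed
    fulfilled: Optional[date] = None  # response delivered


def sla_report(requests: List[Dsr], today: date) -> Dict[str, object]:
    """Metrics an auditor asks for when testing P5.2.

    - within_sla / breached: closed requests, measured from receipt to fulfilment
    - overdue_open: still open and already past the window as of `today`
    - fulfilled_unverified: closed without prior identity verification, a control
      exception because it risks disclosing or deleting data on the wrong person's say-so
    """
    within, breached, overdue_open, unverified = [], [], [], []
    for r in requests:
        if r.fulfilled is not None:
            elapsed = (r.fulfilled - r.received).days
            (within if elapsed <= SLA_DAYS else breached).append(r.dsr_id)
            if r.verified is None or r.verified > r.fulfilled:
                unverified.append(r.dsr_id)
        elif (today - r.received).days > SLA_DAYS:
            overdue_open.append(r.dsr_id)
    closed = len(within) + len(breached)
    return {
        "closed": closed,
        "within_sla": within,
        "breached": breached,
        "overdue_open": overdue_open,
        "fulfilled_unverified": unverified,
        "sla_compliance_rate": (len(within) / closed) if closed else None,
    }


def demo() -> Dict[str, object]:
    """Report over a constructed ledger as of 2024-06-30."""
    ledger = [
        Dsr("D1", "access", date(2024, 5, 1), date(2024, 5, 3), date(2024, 5, 20)),   # 19 days
        Dsr("D2", "delete", date(2024, 4, 15), date(2024, 4, 16), date(2024, 5, 30)), # 45 days
        Dsr("D3", "export", date(2024, 6, 10), date(2024, 6, 11)),                     # open, 20 days
        Dsr("D4", "correct", date(2024, 5, 20)),                                       # open, 41 days
        Dsr("D5", "access", date(2024, 6, 1), None, date(2024, 6, 5)),                 # never verified
    ]
    return sla_report(ledger, date(2024, 6, 30))


if __name__ == "__main__":
    print(demo())
```

Keeping the ledger for the whole observation period, even when it holds zero rows, is what lets you answer "show me the DSRs you received and how quickly you closed them" with a report rather than a search through a shared mailbox.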

P6.1 requires that personal information is disclosed only to authorized parties and for stated purposes. P6.2 requires notification to individuals and regulatory bodies in the event of a privacy breach. Evidence: data sharing agreements with third parties; sub-processor list published or available upon request; breach notification procedure in the incident response plan; evidence of how any privacy incidents during the observation period were disclosed.

P6.2 breach notification is tested against actual incidents. If your company had any data incident during the observation period, auditors will review your notification timeline and content. If you had no incidents, you still need the documented procedure — and a simulated or tabletop breach notification exercise is strong evidence that the procedure is operationally ready.

P7: Quality / P8: Monitoring and Enforcement

P7.1 requires that personal information is accurate, complete, and relevant. Evidence: data quality controls in the application (validation rules, required fields); process for correcting inaccurate information upon individual request; data accuracy metrics or audit records.

P8.1 requires that the entity monitors compliance with its privacy commitments. P8.2 requires that privacy complaints are addressed. Evidence: privacy program review cadence (annual privacy impact assessment, privacy risk register); records of privacy training completion; records of privacy complaints received and resolved; privacy audit or self-assessment records.

P8 requires an ongoing privacy program — not just written policies. An auditor testing P8.1 will ask how you know your privacy commitments are being met. The answer requires evidence of monitoring activities: quarterly reviews of third-party data sharing, annual privacy policy updates, and privacy incident tracking. Companies that have privacy policies but no privacy program will receive multiple P8 exceptions.

How SOC 2 Privacy Maps to GDPR and DPDP Act

SOC 2 Privacy (P1–P8) and GDPR share the same conceptual foundation: notice and transparency (P1 ↔ GDPR Articles 13/14), consent and lawful basis (P2 ↔ GDPR Article 6), purpose limitation and data minimization (P3 ↔ GDPR Articles 5/6), storage limitation and disposal (P4 ↔ GDPR Article 5(e)), data subject rights (P5 ↔ GDPR Articles 15–20), breach notification (P6 ↔ GDPR Article 33), accuracy (P7 ↔ GDPR Article 5(d)), and accountability (P8 ↔ GDPR Article 5(2)).

India's Digital Personal Data Protection Act (DPDP Act) shares similar principles: notice before collection, consent requirements, purpose limitation, data retention limits, data principal (individual) rights, and breach notification. A company implementing SOC 2 Privacy will satisfy roughly 70–80% of DPDP Act operational requirements — the remaining gaps are primarily DPDP-specific requirements like localisation considerations and the Data Protection Board complaint mechanism.

For Indian SaaS companies targeting US enterprise customers, implementing SOC 2 Privacy creates a compliance infrastructure that simultaneously satisfies the privacy-related requirements of both US enterprise buyers and DPDP Act obligations. This dual-purpose compliance is one of the strongest business cases for adding Privacy to your SOC 2 scope.

Frequently Asked Questions

Is SOC 2 Privacy required for GDPR compliance?
No — GDPR is EU law with direct regulatory enforcement. SOC 2 Privacy is a voluntary audit criterion. Having SOC 2 Privacy does not constitute GDPR compliance. However, implementing SOC 2 Privacy controls creates significant overlap with GDPR operational requirements, making it easier to demonstrate GDPR compliance to EU customers and Data Protection Authorities. The two are complementary, not interchangeable.
Can B2B companies skip Privacy TSC?
Many B2B companies do skip Privacy TSC because their customers (other businesses) are the data subjects under their own privacy programs. However, if your B2B product processes the personal data of your customers' employees or end users — HR platforms, customer support tools, analytics products — those individuals are data subjects whose privacy rights are relevant to your operations, and Privacy TSC becomes applicable.
What is a data subject request and how do we handle it for SOC 2?
A data subject request (DSR) is a request from an individual to access, correct, export, or delete their personal data. For SOC 2 P5, you need a documented process for receiving, verifying, and fulfilling DSRs within a committed timeframe (typically 30 days under GDPR). Evidence includes a mechanism for submitting DSRs (email alias, web form), records of requests received, and records of fulfillment. If you received no DSRs during the observation period, having the documented process and a tested fulfillment procedure is sufficient.
Does Privacy TSC require a Data Protection Officer?
SOC 2 Privacy does not specifically require a DPO — P8 requires that someone is accountable for the privacy program, but doesn't mandate a specific title or full-time role. GDPR has specific DPO requirements for certain categories of companies. For SOC 2 purposes, a designated privacy owner (often the CTO or Head of Legal at early-stage companies) who is responsible for privacy program monitoring and complaint handling satisfies P8.
How do we handle third-party cookies for SOC 2 Privacy?
Third-party cookies and tracking technologies fall under P2 (consent) and P6 (disclosure). Your cookie consent mechanism must obtain consent before setting non-essential tracking cookies, and your privacy notice must disclose all third-party tracking. For SOC 2 evidence, you need: a cookie consent implementation (cookie banner), a record of third-party tracking technologies in use, and the legal basis for each. This is increasingly relevant as cookie compliance standards have tightened globally.
