SOC 2 Responding to Personal Information Requests (P6.7)

Overview:
The entity provides data subjects with an accounting of the personal information held and disclosure of the data subjects’ personal information, upon the data subjects’ request, to meet the entity’s objectives related to privacy.


Action Items:
1) Create a privacy notice (externally facing) and privacy policy (internally facing) and publish on the company intranet for employees to access and review.
2) Inquire of the senior compliance manager, or equivalent, to determine that the company maintains a disclosure log recording all requests for disclosure of personal information.
3) Inspect the privacy notice to determine that the company provides the means to contact the compliance team to delete, limit the use of, or request an accounting of disclosure for personal data.
4) Inspect a sample of security tickets to determine that requests from the participants for accounting and disclosure of personal information are recorded and tracked to ensure that the requests are completed consistent with the privacy commitments and requirements.


Related Documents:
1) Privacy notice
2) Privacy policy
3) Sample of recent security incident tickets
4) Disclosure log for all requests for disclosure of personal information

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:


1) Identifies Types of Personal Information and Handling Process—The types of personal information and sensitive personal information and the related processes, systems, and third parties involved in the handling of such information are identified.
2) Captures, Identifies, and Communicates Requests for Information—Requests for an accounting of personal information held and disclosures of the data subjects' personal information are captured, and information related to the requests is identified and communicated to data subjects to meet the entity's objectives related to privacy.