SOC 2 Communicating to Inquiries, Complaints, and Disputes (P8.1)


Overview:
The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity’s objectives related to privacy. Corrections and other necessary actions related to identified deficiencies are made or taken in a timely manner.


Action Items:
1) Create a privacy notice (externally facing, published where data subjects can find it, such as the company website) and a privacy policy (internally facing, published on the company intranet for employees to access and review).
2) Create an escalation procedure and publish on the company intranet for employees to access and review.
3) Inspect the privacy notice to determine that it includes methods to contact the entity with inquiries, complaints, and disputes, and confirm that those contact methods (for example, a mailbox or web form) are monitored and route to the team responsible for responding.
4) Inspect the escalation procedure to determine that documented escalation procedures are in place to guide employees in identifying, reporting, and acting upon privacy inquiries, complaints, and disputes, as well as system security breaches and other incidents.
5) Inspect the tickets for a sample of privacy incidents, complaints, and disputes to determine that reported or detected items are tracked within the ticketing system, that any necessary corrections or actions are completed to resolve them, and that the resolution was communicated to the individual who raised the issue.
6) Inspect completed training documentation for a sample of current employees and of employees hired during the review period to determine that each employee sampled completed security awareness training upon hire and annually thereafter, and that the training covers their obligations and responsibilities under the Company's corporate and business unit security policies.
7) Inspect the internal audit results to determine that an internal audit assessing privacy controls is conducted on an annual basis.


Related Documents:
1) Privacy notice
2) Privacy policy
3) Escalation Procedure
4) Tickets for a sample of privacy incidents, complaints, and disputes
5) Completed training documentation
6) Internal audit procedure
7) Internal audit results

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:


1) Communicates to Data Subjects—Data subjects are informed about how to contact the entity with inquiries, complaints, and disputes.
2) Addresses Inquiries, Complaints, and Disputes—A process is in place to address inquiries, complaints, and disputes.
3) Documents and Communicates Dispute Resolution and Recourse—Each complaint is addressed, and the resolution is documented and communicated to the individual.
4) Documents and Reports Compliance Review Results—Compliance with objectives related to privacy is reviewed and documented, and the results of such reviews are reported to management. If problems are identified, remediation plans are developed and implemented.
5) Documents and Reports Instances of Noncompliance—Instances of noncompliance with objectives related to privacy are documented and reported and, if needed, corrective and disciplinary measures are taken on a timely basis.
6) Performs Ongoing Monitoring—Ongoing procedures are performed for monitoring the effectiveness of controls over personal information and for taking timely corrective actions when necessary.



Article ID: 276
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/soc-2-communicating-to-inquiries-complaints-and-disputes-p8-1-276.html