DSP-11: Personal Data Access, Reversal, Rectification and Deletion


Control is new to this version of the control set.

Control Statement

Define and implement processes, procedures and technical measures to enable data subjects to request access to, modification of, or deletion of their personal data, according to any applicable laws and regulations.

Implementation Guidance

The data subject should be able to access, view, rectify, or delete personal data in the system or by logging a request with the service provider. The service provider should respond to such requests in alignment with the relevant data protection laws.

Auditing Guidance

  1. Examine whether the organization's policy and procedures related to data privacy address the requirement that authorized users must be able to access, modify, or delete personal data. Establish whether the organization has processes in place to manage and respond to data access requests from data subjects. Establish whether the organization has documented the roles and responsibilities for this process.
  2. Select a range of data changes to confirm that only authorized users are able to successfully access, modify, and delete personal data. Select a sample of data access requests to establish that these were completed correctly following the organization's processes. Confirm that all relevant evidence was formally documented.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.