PRIV- 19 – Personal Data Corrections

What is this control about?

Implementing the control ‘Personal Data Corrections’ is important to ensure the accuracy and integrity of personal data held by an organization. Personal data corrections refer to the processes and mechanisms in place to address inaccuracies, errors, or outdated information in individuals’ personal data.

Available tools in the marketplace

Tools:

N/A no tools recommendation

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

• Personal Data Correction Request Form Template

Control implementation

Here are some guidelines to implement a Personal Data Correction:

• Data Correction Policy: Develop a comprehensive data correction policy that outlines the procedures, responsibilities, and timelines for handling data correction requests. This policy should be aligned with relevant data protection regulations.
• Data Correction Request Process: Establish a formal process for individuals to submit data correction requests. Provide multiple channels for submitting requests, such as an online form, email, or dedicated helpline.
• Request Verification: Verify the identity of the individuals making the data correction requests to prevent unauthorized access to personal data. Use multi-factor authentication and verification procedures to ensure the legitimacy of the requests.
• Data Correction Form: Design a standardized data correction request form that captures essential information, including the individual’s identification details, the specific data to be corrected, and the reason for the correction.
• Tracking and Logging: Implement a system to track and log all data correction requests from submission to resolution. Maintain an audit trail that records each step taken to address the request.
• Data Validation and Verification: Develop validation checks to verify the accuracy and completeness of the corrected data. This may include cross-referencing the data against reliable sources or conducting internal reviews.
• Data Correction Process: Define a clear process for handling data correction requests, including the responsibilities of each department or individual involved. Establish communication channels between relevant teams to ensure timely and accurate data corrections.
• Timely Response: Set specific timelines for responding to data correction requests. Aim to address and resolve the requests within the legally required timeframes, such as those specified in data protection regulations.
• Data Correction Documentation: Maintain proper documentation of the data correction process, including any communication with the data subjects and any changes made to the data.
• Data Subject Communication: Inform data subjects about the outcome of their data correction requests. Communicate the actions taken and any changes made to their personal data in a clear and transparent manner.

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the below-suggested action:

1. Data Correction Request Forms: Copies of standardized data correction request forms used by individuals to submit their correction requests. These forms should capture essential information, such as the individual’s identification details, the specific data to be corrected, and the reason for the correction.

Evidence example

For the suggested action, an example is provided below:

1. Provide the Data Correction Request Forms

Personal Data Correction Request Form Template