PRIV- 20 – Consent and Disclosure Tracking


What is this control about?

Implementing the control ‘Consent and Disclosure Tracking’ is crucial for organizations that handle personal data because it ensures compliance with data protection regulations and helps build trust with individuals whose data is being collected and processed.

Available tools in the marketplace


Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

  • N/A – No recommendations

Control implementation

Here are some guidelines to implement Consent and Disclosure Tracking:

  • Identify Applicable Laws and Regulations: Begin by understanding the data protection and privacy laws and regulations that are applicable to your organization, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). These laws will outline the requirements for obtaining and managing consent for data processing activities.
  • Define Data Collection and Processing Purposes: Work with the data owners and stakeholders to clearly define the specific purposes for which personal data is collected and processed. Document these purposes in a data inventory or data mapping exercise.
  • Determine Consent Requirements: Review the legal requirements to determine when and how consent should be obtained from data subjects. Consent may be required for specific processing activities or for processing personal data for different purposes.
  • Select a Consent Management Tool: Choose an appropriate consent management platform or software tool that aligns with your organization’s needs and compliance requirements. Ensure that the tool allows you to capture and record explicit consent, manage consent preferences, and maintain an audit trail.
  • Create Clear Consent Language: Develop clear and easily understandable consent language that informs data subjects about the purposes of data processing and their rights. Avoid using complex legal jargon and ensure that the language is user-friendly.
  • Implement Consent Collection Mechanisms: Integrate the consent management tool with your organization’s website, mobile applications, or other data collection touchpoints. Implement consent collection mechanisms, such as pop-up banners or checkboxes, to gather explicit consent from data subjects.
  • Record and Store Consent Data: Ensure that all obtained consents are properly recorded and stored in a secure and centralized database. Include relevant details such as the date and time of consent, the specific purposes of processing, and the version of the consent language presented to the data subject.
  • Update Consent Preferences: Provide data subjects with a user-friendly preference center where they can review and update their consent preferences at any time. Make it easy for individuals to withdraw their consent if they choose to do so.
  • Monitor Consent Expiry and Renewal: Regularly review and track the validity period of consent obtained. Set up notifications to prompt data subjects to renew their consent when it is about to expire.
  • Conduct Regular Audits: Regularly audit the consent management process to ensure compliance with data protection laws and regulations. Verify that consent data is accurate, up-to-date, and accessible for audit purposes.
  • Train Employees and Raise Awareness: Conduct training sessions for employees involved in collecting and managing consent. Raise awareness about the importance of obtaining valid consent and adhering to the organization’s consent management policies.
  • Perform Periodic Reviews and Improvements: Continuously review the effectiveness of the consent and disclosure tracking process. Make improvements based on feedback, changes in regulations, and lessons learned from previous audits.
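The record-and-track steps above (a consent record carrying date and time, purpose and consent-text version; withdrawal; expiry and renewal prompts; an audit trail) as an added example that is not part of this page or any consent management product: an append-only consent register in Python with a constructed sample subject and a 12-month validity period, both of which are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str        # documented processing purpose this consent covers
    action: str         # "granted" or "withdrawn"
    at: datetime        # date and time the data subject acted (UTC)
    text_version: str   # version of the consent language shown ("" on withdrawal)
class ConsentRegister:
    """Append-only: events are never edited or deleted, so the history is the audit trail."""
    def __init__(self, validity: timedelta):
        self.validity = validity   # how long a granted consent stays valid
        self._events: list[ConsentEvent] = []
    def record(self, subject_id, purpose, action, at, text_version=""):
        self._events.append(ConsentEvent(subject_id, purpose, action, at, text_version))
    def audit_trail(self, subject_id):
        return [e for e in self._events if e.subject_id == subject_id]
    def _latest(self, subject_id, purpose, now):
        hits = [e for e in self._events
                if e.subject_id == subject_id and e.purpose == purpose and e.at <= now]
        return max(hits, key=lambda e: e.at) if hits else None
    def status(self, subject_id, purpose, now):
        """'none', 'withdrawn', 'expired' or 'active'; process personal data only when active."""
        last = self._latest(subject_id, purpose, now)
        if last is None:
            return "none"
        if last.action == "withdrawn":
            return "withdrawn"
        return "expired" if now >= last.at + self.validity else "active"
    def due_for_renewal(self, now, within):
        """Subject/purpose pairs whose active consent expires within `within` (renewal prompts)."""
        pairs = {(e.subject_id, e.purpose) for e in self._events}
        return sorted(p for p in pairs if self.status(*p, now) == "active"
                      and self._latest(*p, now).at + self.validity <= now + within)

def demo():
    """Constructed sample: one subject, two purposes, 12-month consent validity (assumed)."""
    reg = ConsentRegister(validity=timedelta(days=365))
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    reg.record("subj-001", "marketing", "granted", t0, "consent-text-v3")
    reg.record("subj-001", "analytics", "granted", t0, "consent-text-v3")
    reg.record("subj-001", "marketing", "withdrawn", t0 + timedelta(days=100))
    return {
        "analytics_day200": reg.status("subj-001", "analytics", t0 + timedelta(days=200)),
        "marketing_day200": reg.status("subj-001", "marketing", t0 + timedelta(days=200)),
        "analytics_day400": reg.status("subj-001", "analytics", t0 + timedelta(days=400)),
        "renewals_due_day350": reg.due_for_renewal(t0 + timedelta(days=350), timedelta(days=30)),
        "trail_length": len(reg.audit_trail("subj-001")),
    }
```

Because withdrawals are appended rather than overwriting the grant, an auditor can see both the original consent (with the text version shown) and the later withdrawal for the same subject.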

What evidence do auditors look for?

Most auditors, at a minimum, look for the following suggested actions:

  1. Consent Management Tool Documentation: Provide the configuration of the consent management platform showing how the tool facilitates the collection, recording, and tracking of consent from data subjects.
  2. Consent Records: Provide detailed records of consent obtained from data subjects.

Evidence example

For the suggested actions, examples are provided below:

  • Consent Management Tool Documentation

[Screenshot: PRIV 20 1 – consent management tool documentation]

  • Consent Records

[Screenshot: PRIV 20 2 – consent records]
