GRCWatch
Sign inStart free trial

SOC 2 P6.7: Accounting of Personal Information Held

SOC 2 P6.7 requires your organization to maintain a complete accounting of personal information held and fulfill data subject requests for disclosure. This control demonstrates your commitment to transparency and gives individuals visibility into what data you process about them. Without proper accounting processes, you risk compliance failures and eroded customer trust.

What this means

This control mandates that your organization tracks and documents all personal information in its possession and provides that accounting to data subjects upon request. It's a transparency requirement that aligns with privacy regulations like GDPR and CCPA. Your entity must have processes to identify, catalog, and disclose personal data holdings in response to legitimate requests, supporting both regulatory compliance and privacy-by-design principles.

How to comply

  1. 1.Inventory all systems and databases that store personal information across your organization
  2. 2.Document the types of personal data collected, sources, processing purposes, and retention periods
  3. 3.Create a standardized process for receiving and responding to data subject access requests
  4. 4.Define response timelines and formats for disclosure (typically 30-45 days depending on regulations)
  5. 5.Implement controls to verify requestor identity before disclosing sensitive personal information
  6. 6.Train staff on handling data subject requests and escalation procedures
  7. 7.Maintain audit logs of all disclosures made to track accountability
  8. 8.Review and update your data accounting inventory at least annually or when systems change

Evidence auditors look for

  • Data inventory spreadsheet or catalog system documenting all personal information holdings
  • Documented data mapping showing data flows across systems and applications
  • Data subject access request (DSAR) policy and standard operating procedures
  • Templates and forms used to respond to disclosure requests
  • Audit logs showing DSAR requests received, processed, and fulfilled with dates
  • Training records confirming staff education on request handling procedures
  • Signed acknowledgments or certificates of disclosure provided to data subjects
  • Regular inventory reviews and update documentation

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates data subject request workflows and maintains a centralized audit trail of all disclosures, eliminating manual spreadsheet tracking and ensuring P6.7 compliance documentation is always current.

See how GRCWatch handles this control automatically

Start free trial

Related controls

SOC 2 P6.1 — Privacy Objectives and ResponsibilitiesSOC 2 P6.2 — Personal Information CollectionSOC 2 P6.4 — Personal Information Use, Retention, Disclosure, and DisposalSOC 2 P6.6 — Sensitive Personal Information Access