Data Subject Rights Policy

CIAO ESSENTIAL — POLICY
C-AO/POL/CAO-320:2026 PUBLIC
Data Subject Rights Policy
CAO-300 Privacy sub-policy (CAO-320) — auto-drafted, pending panel review
Date Issued  22 June 2026
Review Date  22 June 2027
Cite as: CIAO Standard. (2026). Data Subject Rights Policy. v1.1.3.7. C-AO/POL/CAO-320:2026. www.c-ao.com

1 · Purpose

This policy establishes the requirements for data subject rights policy within the CAO-300 Privacy. It gives effect, in a single harmonised instrument, to the control objectives upon which recognised standards converge for this area.

2 · Scope

This policy applies to all information, systems, services, personnel and third parties within the scope of the management system.

3 · Policy statements

3.x · CAO-320 Policy Controls

outlinesatisfies·solidpartial·greyinforms

The organisation shall establish, implement and maintain a coherent and effective approach to data subject rights, giving effect to the organisational control objectives set out below.

CCPAGDPRHIPAAISO/IEC 27018ISO/IEC 27701NIST SP 800-53PIPEDAPOPIASOC 2 Type IIUK DPA 2018UK GDPR

3.1 · CAO-321 Right of Access

The organisation shall establish, implement and maintain effective Right of Access, giving effect to the organisational controls set out below.

CCPAGDPRHIPAAISO/IEC 27018ISO/IEC 27701NIST SP 800-53PIPEDAPOPIASOC 2 Type IIUK DPA 2018UK GDPR

3.1.x · CAO-321 Organisational Controls

Essential taster — a preview of the Professional depth for this high-density control area.

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

3.2 · CAO-322 Rectification and Erasure

The organisation shall establish, implement and maintain effective Rectification and Erasure, giving effect to the organisational controls set out below.

CCPAGDPRHIPAAUK GDPR

3.2.x · CAO-322 Organisational Controls

Essential taster — a preview of the Professional depth for this high-density control area.

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

3.3 · CAO-323 Restriction, Objection and Portability

The organisation shall establish, implement and maintain effective Restriction, Objection and Portability, giving effect to the organisational controls set out below.

GDPRUK GDPR

3.3.x · CAO-323 Organisational Controls

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

3.4 · CAO-324 Non-Discrimination and Complaints

The organisation shall establish, implement and maintain effective Non-Discrimination and Complaints, giving effect to the organisational controls set out below.

CCPANIST SP 800-53PIPEDA

3.4.x · CAO-324 Organisational Controls

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

4 · Roles & responsibilities

5 · Compliance, monitoring & review

Compliance with this policy is mandatory. This policy is reviewed at least annually, or upon significant change to the threat, regulatory or technological environment. Exceptions require documented risk acceptance by the accountable owner.

● LIVE CONTENT  ·  Verified 11 July 2026 at 17:37 UTC  ·  Version 1.1.3.7  ·  Always current at c-ao.com  ·  © CIAO Standard Secretariat 2026

Cite this page (APA)