1 · Purpose
This policy establishes the requirements for data subject rights policy within the CAO-300 Privacy. It gives effect, in a single harmonised instrument, to the control objectives upon which recognised standards converge for this area.
2 · Scope
This policy applies to all information, systems, services, personnel and third parties within the scope of the management system.
3 · Policy statements
3.x · CAO-320 Policy Controls
The organisation shall establish, implement and maintain a coherent and effective approach to data subject rights, giving effect to the organisational control objectives set out below.
3.1 · CAO-321 Right of Access
The organisation shall establish, implement and maintain effective Right of Access, giving effect to the organisational controls set out below.
3.1.x · CAO-321 Organisational Controls
Essential taster — a preview of the Professional depth for this high-density control area.
3.2 · CAO-322 Rectification and Erasure
The organisation shall establish, implement and maintain effective Rectification and Erasure, giving effect to the organisational controls set out below.
3.2.x · CAO-322 Organisational Controls
Essential taster — a preview of the Professional depth for this high-density control area.
3.3 · CAO-323 Restriction, Objection and Portability
The organisation shall establish, implement and maintain effective Restriction, Objection and Portability, giving effect to the organisational controls set out below.
3.3.x · CAO-323 Organisational Controls
3.4 · CAO-324 Non-Discrimination and Complaints
The organisation shall establish, implement and maintain effective Non-Discrimination and Complaints, giving effect to the organisational controls set out below.
3.4.x · CAO-324 Organisational Controls
4 · Roles & responsibilities
- Governing body — approves this policy and oversees its effectiveness.
- Executive management — allocates resources and assigns control ownership.
- Control owners — implement, operate and evidence the controls in their area.
- All personnel & third parties — comply with this policy within their role.
5 · Compliance, monitoring & review
Compliance with this policy is mandatory. This policy is reviewed at least annually, or upon significant change to the threat, regulatory or technological environment. Exceptions require documented risk acceptance by the accountable owner.
