
SOC 2 P5.1: Privacy - Access to Personal Information

What This Control Requires

The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity's objectives related to privacy.

In Plain Language

When a user asks "what data do you have on me?" - you need to be able to answer that question fully, accurately, and quickly. This is one of the most fundamental privacy rights, and regulators take it seriously.

In practice, you need a working process for handling data subject access requests (DSARs). That means verifying the requestor's identity, pulling their data from every system where it lives, packaging it in a format they can actually use, and delivering it within the legally required timeframe. Many organisations build self-service portals where users can view and export their own data, which handles the bulk of requests without manual effort.

Auditors evaluate whether you have a defined DSAR process, whether identity verification prevents data being sent to the wrong person, whether responses are comprehensive (not just data from your main database, but from all systems), whether you meet the required timelines, and whether you keep records of every request and response.

How to Implement

Define your DSAR process end to end. Cover how requests are submitted (online form, email, in-app), who handles them, how you verify identity, what data is included in the response, what format it takes, and how quickly you deliver. Document the process and train the people responsible for executing it.

Verify identity before disclosing anything. Sending personal data to the wrong person is a breach, not a compliance win. For existing users, account authentication usually suffices. For non-account requests, use government-issued ID verification or knowledge-based authentication. Scale the verification to the sensitivity of the data.

Build the ability to compile data across all systems. You need a comprehensive data map and the technical capability to query across databases, analytics systems, CRM tools, email, and third-party services. For organisations receiving a high volume of requests, invest in automated export tooling that generates a complete package on demand.

Deliver data in a usable format. Structured exports (JSON, CSV), PDF reports, or secure online portals all work. Under GDPR, if the user asks for a machine-readable format, you must provide it. Organise the output so the person can actually understand what they are looking at: a raw database dump is technically compliant but not helpful.

Build self-service access wherever possible. Let authenticated users view and download their personal data through account settings or a privacy dashboard. This satisfies most access requests without manual processing, improves user experience, and shows transparency. Keep a manual process available for data that does not appear in the self-service view.

Track every request. Log when it was received, how identity was verified, what data was provided, the response timeline, and any exceptions or redactions. This log is your primary evidence for auditors and helps you spot process bottlenecks.

Evidence Your Auditor Will Request

  • Data subject access request process documentation with submission channels and timelines
  • Identity verification procedures for access requests preventing unauthorized disclosure
  • Data compilation capabilities documentation showing ability to gather data across all systems
  • Sample access request responses demonstrating comprehensive and usable data provision
  • Access request tracking log showing requests received, processed, and completed within timelines

Common Mistakes

  • No formal process for handling data subject access requests
  • Identity verification is insufficient, risking disclosure of personal data to unauthorized parties
  • Access responses are incomplete, missing data from some systems where personal information is stored
  • Access requests are not fulfilled within required timeframes due to manual, inefficient processes
  • No tracking of access requests, preventing demonstration of compliance and trend analysis

Related Controls Across Frameworks

Framework    Control ID   Relationship
ISO 27001    A.5.34       Partial overlap
NIST CSF     GV.PO-01     Partial overlap

Frequently Asked Questions

Can we charge a fee for access requests?
Under GDPR, the first copy is free. You can charge a reasonable fee for additional copies or for requests that are manifestly unfounded or excessive. Under CCPA, the first request within a 12-month period must be free. In practice, most organisations provide access at no charge regardless - it keeps customer relations smooth and avoids debates about what constitutes "excessive."
What data must be included in an access response?
Everything you hold about the individual. That includes data they gave you directly, data collected automatically, data you inferred or derived, and data obtained from third parties. Under GDPR, you also need to include the purposes of processing, categories of recipients, retention periods, and information about their rights. The goal is giving the person a complete picture of what you know about them.
How do we handle access requests that would reveal another person's information?
Redact the other person's data. If the requested information is intertwined with someone else's data - say, in a conversation or shared record - provide the requestor's data while stripping out the other person's identifiers and personal details. Document what you redacted and why. The right of access never extends to other people's personal information.
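The procedure in How to Implement (verify identity first, compile across every system in the data map, deliver a usable export, log every request) and the redaction answer above, as one added Python example that is not AuditFront's code: the data map, sample records, session shape and the masking rules for ticket threads are all constructed assumptions, not any real product's schema.

```python
import json
REDACTED = "[redacted: another person's data]"
# Constructed data map: which field identifies the subject in each system.
DATA_MAP = {"accounts": "user_id", "support_tickets": "participants", "analytics": "user_id"}
# Constructed sample records standing in for three separate systems.
SAMPLE_SYSTEMS = {
    "accounts": [{"user_id": "u42", "email": "alice@example.com", "plan": "pro"}],
    "support_tickets": [{"ticket": 17, "participants": ["u42", "u77"], "messages": [
        {"from": "u42", "text": "Reset my password"}, {"from": "u77", "text": "Done"}]}],
    "analytics": [{"user_id": "u99", "last_login": "2024-01-02"}],
}

def verify_identity(session, subject_id):
    """Existing users: the authenticated session must belong to the subject."""
    return session.get("authenticated") is True and session.get("user_id") == subject_id

def redact_third_parties(record, subject_id):
    """Keep the subject's data in a shared record (e.g. a ticket thread); mask other people's."""
    clean = dict(record)  # shallow copy so the source record is left untouched
    if "participants" in clean:
        clean["participants"] = [p if p == subject_id else REDACTED for p in clean["participants"]]
    if "messages" in clean:  # messages another person wrote are masked, not disclosed
        clean["messages"] = [m if m.get("from") == subject_id else REDACTED for m in clean["messages"]]
    return clean

def compile_subject_data(subject_id, systems, data_map=DATA_MAP):
    """Pull the subject's records from every system in the data map, not just the main DB."""
    package = {}
    for system, field in data_map.items():
        hits = []
        for rec in systems.get(system, []):
            value = rec.get(field, [])
            if subject_id == value or (isinstance(value, list) and subject_id in value):
                hits.append(redact_third_parties(rec, subject_id))
        package[system] = hits  # an empty list still records that the system was checked
    return package

def fulfil_dsar(request, session, systems, log):
    """Verify identity, compile, export JSON, and append a tracking-log entry."""
    subject_id = request["subject_id"]
    entry = dict(request, identity_verified=verify_identity(session, subject_id))
    if entry["identity_verified"]:
        package = compile_subject_data(subject_id, systems)
        export = json.dumps({"subject_id": subject_id, "data": package}, indent=2)
        entry.update(systems_checked=sorted(package), redactions=export.count(REDACTED),
                     outcome="delivered")
    else:
        export, entry["outcome"] = None, "rejected"  # nothing is compiled or disclosed
    log.append(entry)
    return export
```

A rejected request still produces a log entry, so the tracking log shows every request received, not only the ones fulfilled.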
