SOC 2 P6.3: Privacy - Unauthorized Disclosure Notification
What This Control Requires
The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity's objectives related to privacy. The entity assesses those third parties' compliance on a periodic basis and takes corrective action as needed.
In Plain Language
Sharing personal data with a vendor does not transfer your accountability for protecting it. You are still on the hook. That is why this control focuses on getting real privacy commitments from every third party that touches personal information - and then actually checking they follow through.
In practice, this means four things: privacy-specific clauses in every relevant vendor contract, vendors implementing safeguards that match your own standards, periodic compliance checks, and a defined process for dealing with vendors who fall short.
Auditors look at the full lifecycle here: contracts with proper privacy language, evidence of ongoing monitoring, and records showing you acted when a vendor was not meeting their commitments. The depth of oversight should match the sensitivity of the data and how critical the vendor is to your operations.
How to Implement
Include comprehensive privacy clauses in every contract with third parties who access personal information. Cover the scope and purpose of data processing, restrictions on secondary use, security requirements proportional to data sensitivity, breach notification obligations with specific timelines, data subject rights facilitation, sub-processor management, data return or destruction at contract end, and the right to audit.
Assess vendor privacy practices before you engage them. Use questionnaires, review their privacy policies, and check relevant certifications. For high-risk vendors handling large volumes of sensitive personal data, go deeper with on-site assessments or detailed technical reviews.
Set up ongoing monitoring based on vendor risk tiers. High-risk vendors get annual assessments, medium-risk vendors biennial assessments, and lower-risk vendors periodic reviews. Mix your monitoring methods: vendor self-assessments, certification reviews, privacy audit report reviews, and direct assessments where warranted.
Define a corrective action process for when vendors fall short. Spell out how non-compliance gets identified, communicated, and fixed. Set remediation timelines based on severity. Your escalation options should range from increased oversight through contract penalties to termination of the relationship.
Keep a vendor privacy compliance register. Track every vendor with access to personal information, their contractual commitments, assessment status and results, any findings, and corrective action progress. This gives you a single view of your third-party privacy risk posture.
Train your procurement and vendor management teams on privacy requirements. They need to know which privacy clauses go into contracts, how to evaluate a vendor's privacy capabilities, and when to bring in the privacy team.
Evidence Your Auditor Will Request
- Vendor contracts with privacy clauses covering data protection, breach notification, and compliance
- Vendor privacy assessment records from initial due diligence and periodic reviews
- Vendor privacy compliance register tracking all vendors with personal data access
- Corrective action records for vendor privacy non-compliance findings
- Procurement team training records on privacy requirements for vendor engagement
Common Mistakes
- Vendor contracts lack privacy-specific clauses, relying only on generic confidentiality terms
- Vendor privacy assessments are performed at onboarding but never repeated
- No corrective action process for vendor privacy non-compliance, allowing issues to persist
- Sub-processor management is not addressed in vendor contracts, creating blind spots
- Vendor privacy compliance is not tracked centrally, preventing effective oversight
Frequently Asked Questions
Do we need a DPA with every vendor?
How do we assess privacy compliance of large vendors who will not complete our assessments?
What should we do if a vendor has a data breach involving our data?