SOC 2 P6.7: Privacy - Dispute Resolution and Complaint Handling
What This Control Requires
The entity provides a process for data subjects to dispute the accuracy or completeness of their personal information and to have that information corrected, amended, or deleted. A formal complaint handling process is maintained and communicated to data subjects.
In Plain Language
People need a way to tell you when something is wrong with how you handle their data - and you need a proper process for actually dealing with it. Without a formal complaint mechanism, privacy concerns get lost in support tickets, email inboxes, or worse, social media posts that attract regulator attention.
You need a clear intake mechanism, someone responsible for investigating complaints, defined resolution timeframes, an escalation path for unresolved issues, and records of everything. The complaint process itself must be visible to data subjects - burying it in the fine print of your privacy notice defeats the purpose.
Auditors look at whether the process exists, whether people can actually find it, whether complaints are investigated and resolved within reasonable timeframes, and whether you analyse complaint data for patterns that point to systemic problems.
How to Implement
Set up clear intake channels for privacy complaints. Offer multiple options: a dedicated email address (privacy@company.com), an online complaint form, phone support, and postal mail. Make these channels easy to find in your privacy notice and across your digital properties.
Define the complaint workflow. Acknowledge receipt within 3-5 business days. Assign each complaint to a qualified investigator, typically on the privacy team. Investigate, gather the relevant facts, determine the right resolution, and communicate it back to the complainant along with information about further recourse if they disagree.
Set resolution timeframes and stick to them. Aim for acknowledgment within 3-5 business days and investigation completion within 30 days for standard complaints. When a complaint is complex, let the complainant know about the extended timeline upfront. Make sure your timeframes align with any applicable regulatory requirements.
Build in escalation and appeal paths. If someone is not satisfied with the initial resolution, give them a route to senior management or the privacy officer. Under GDPR, inform them of their right to complain to a supervisory authority. Document these options clearly in your complaint handling procedure.
Keep thorough records. For each complaint, capture the date received, contact information, nature of the complaint, investigation steps, resolution, resolution date, and any follow-up actions. Retain these for at least as long as your regulatory obligations require.
Review complaint data regularly for trends. Look at volumes, types, and resolution outcomes. Recurring themes often point to systemic privacy issues that need addressing at the root. Use this data to drive privacy programme improvements, policy updates, and targeted training.
Evidence Your Auditor Will Request
- Privacy complaint handling process documentation with intake channels and workflows
- Communication of complaint process to data subjects in privacy notice and other channels
- Complaint records showing investigation, resolution, and communication for received complaints
- Resolution timeline tracking showing compliance with defined timeframes
- Complaint trend analysis reports used to identify systemic privacy issues
Common Mistakes
- No formal complaint handling process exists, leading to ad hoc responses to privacy concerns
- Complaint mechanism is not communicated to data subjects, preventing them from knowing how to raise concerns
- Complaints are received but not investigated or resolved in a timely manner
- No escalation mechanism exists for complainants who are not satisfied with the initial resolution
- Complaint data is not analysed for trends, missing opportunities to address systemic issues
Frequently Asked Questions
How should we handle complaints from non-customers?
Do we need a dedicated Data Protection Officer (DPO)?
What if a complaint reveals a broader privacy issue?