SOC 2_P2.1

SOC 2

Privacy Additional Criteria for Privacy

P2.1

The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from data subjects or other authorized persons, if required. Such consent is obtained only for the intended purpose of the information to meet the entity's objectives related to privacy. The entity's basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented.

Communicates to Data Subjects—Data subjects are informed (a) about the choices available to them with respect to the collection, use, and disclosure of personal information and (b) that implicit or explicit consent is required to collect, use, and disclose personal information, unless a law or regulation specifically requires or allows otherwise.

Communicates Consequences of Denying or Withdrawing Consent—When personal information is collected, data subjects are informed of the consequences of refusing to provide personal information or of denying or withdrawing consent to use personal information for purposes identified in the notice.

Obtains Implicit or Explicit Consent—Implicit or explicit consent is obtained from data subjects at or before the time personal information is collected, or soon thereafter. The individual's preferences expressed in his or her consent are confirmed and implemented.

Documents and Obtains Consent for New Purposes and Uses—If information that was previously collected is to be used for purposes not previously identified in the privacy notice, the new purpose is documented, the data subject is notified, and implicit or explicit consent is obtained prior to such new use or purpose.

Obtains Explicit Consent for Sensitive Information—Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise.

Obtains Consent for Data Transfers—Consent is obtained before personal information is transferred to or from an individual's computer or other similar device.


What is a Cybersecurity Compliance Framework?

As your security and privacy programs grow more sophisticated, you don't need to clutter them with an ever-increasing number of tools. The Lionfish platform offers a one-stop solution to track progress and monitor any framework, from custom-built ones to the highly specialized, in-demand security and privacy frameworks and certifications.

With the Lionfish platform, every framework is supported with guided scoping, policies, controls, automated evidence collection, and continuous monitoring, ensuring efficient preparation for audits or attestation in minimal time.

The Lionfish platform is compatible with a wide range of security and privacy frameworks, including:
