PRI-06.4: User Feedback Management
Mechanisms exist to maintain a process to efficiently and effectively respond to requests, complaints, concerns or questions from authenticated data subjects about Personal Data (PD) the organization collects, receives, processes, stores, transmits, shares, updates and/or disposes.
Control Question: Does the organization maintain a process to efficiently and effectively respond to requests, complaints, concerns or questions from authenticated data subjects about Personal Data (PD) the organization collects, receives, processes, stores, transmits, shares, updates and/or disposes?
General (13)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | P4.3-POF1 P5.1 P5.1-POF4 P5.1-POF5 P5.2 P5.2-POF1 P5.2-POF3 P5.2-POF4 P6.7-POF2 P8.1 P8.1-POF1 P8.1-POF2 P8.1-POF3 |
| Generally Accepted Privacy Principles (GAPP) | 6.2.5 6.2.6 7.1.2 10.2.1 10.2.2 |
| ISO 29100 2024 | 6.10 |
| NIST Privacy Framework 1.0 | GV.MT-P4 GV.MT-P7 CM.AW-P2 CT.PO-P4 |
| NIST 800-53 R4 | IP-4 IP-4(1) |
| NIST 800-53 R5 (source) | PM-26 |
| NIST 800-53B R5 (privacy) (source) | PM-26 |
| NIST 800-161 R1 | PM-26 |
| NIST 800-161 R1 Level 2 | PM-26 |
| NIST 800-161 R1 Level 3 | PM-26 |
| OECD Privacy Principles | 7(b)(i) 7(b)(ii) 7(b)(iii) 7(c) 7(d) |
| TISAX ISA 6 | 9.6.1 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | PRI-06.4 |
US (12)
| Framework | Mapping Values |
|---|---|
| US CERT RMM 1.2 | OPD:SG1.SP1 |
| US CMS MARS-E 2.0 | IP-4 IP-4(1) |
| US Data Privacy Framework (DPF) | II.7.a.i III.11.d.i III.8.i.i |
| US FIPPS | 6 |
| US HIPAA Administrative Simplification 2013 (source) | 164.526(b)(2)(i) 164.526(b)(2)(i)(A) 164.526(b)(2)(i)(B) 164.526(b)(2)(ii) 164.526(b)(2)(ii)(A) 164.526(b)(2)(ii)(B) 164.526(d) 164.526(d)(1) 164.526(d)(1)(i) 164.526(d)(1)(ii) 164.526(d)(1)(iii) 164.526(d)(1)(iv) 164.526(d)(2) 164.526(d)(3) 164.526(d)(4) 164.526(d)(5)(i) 164.526(d)(5)(ii) 164.526(d)(5)(iii) 164.526(e) 164.526(f) 164.530(d)(1) 164.530(d)(2) |
| US - CA CCPA 2025 | 7021(a) 7021(b) 7022(e) 7022(f) 7022(f)(1) 7023(a) 7023(d)(2)(A) 7023(d)(2)(B) 7023(d)(2)(C) 7023(d)(2)(D) 7023(f)(1) 7023(f)(2) 7023(f)(3) 7023(f)(4) 7023(i) 7023(j) 7023(k) 7024(c) 7024(c)(1) 7024(c)(2) 7024(c)(3) 7024(c)(4) 7024(d) 7024(d)(1) 7024(d)(2) 7024(e) 7024(e)(1) 7024(e)(2) 7024(k) 7024(k)(1) 7024(k)(2) 7024(k)(3) 7024(k)(4) 7024(k)(5) 7024(k)(6) 7027(h) 7027(k) |
| US - CO Colorado Privacy Act | 6-1-1306(2)(a) 6-1-1306(2)(b) 6-1-1306(2)(c) 6-1-1306(2)(d) |
| US - NV SB220 | 2.1 2.2 2.4 |
| US - OR CPA | 4(5)(a) 4(5)(b) 4(5)(c) 4(5)(d) 4(5)(e) 4(5)(e)(A) 4(5)(e)(B) 4(6)(b) 4(6)(c) 4(6)(d) 5(5)(a)(A) 5(5)(a)(B) 5(5)(a)(C) 5(5)(b) 5(5)(b) |
| US - TN TIPA | 47-18-3203(b)(1) 47-18-3203(b)(2) 47-18-3203(b)(3) 47-18-3203(b)(4) 47-18-3204(e)(1)(A) 47-18-3204(e)(1)(B) 47-18-3204(e)(1)(C) 47-18-3204(e)(2) 47-18-3207(b)(3) 47-18-3207(b)(3)(A) 47-18-3207(b)(3)(B) 47-18-3207(b)(3)(C) |
| US - TX CDPA | 541.051(b)(1) 541.052(b) 541.052(c) 541.052(d) 541.053(c) 541.053(d) 541.055(a)(2) 541.055(a)(3) 541.055(b) |
| US - VA CDPA 2025 | 59.1-577.B.1 59.1-577.B.2 59.1-577.B.3 59.1-577.B.4 59.1-577.C |
EMEA (8)
| Framework | Mapping Values |
|---|---|
| EMEA EU GDPR (source) | 12.4 |
| EMEA Hungary | 14 15 17 |
| EMEA Italy | 9 |
| EMEA Kenya DPA 2019 | 40(1)(b) |
| EMEA Nigeria DPR 2019 | 2.8 2.8(a) 2.8(b) 3.1(2) 3.1(4) 3.1(5) 3.1(11)(a) 3.1(11)(b) 3.1(11)(c) 3.1(11)(d) 3.1(13) |
| EMEA Qatar PDPPL | 5.3 5.4 6.3 |
| EMEA Serbia 87/2018 | 21 21.1 21.2 22 22.1 22.2 23 23.x 24 24.x 25 25.x 26 26.1 26.2 26.3 26.4 26.5 26.6 26.7 26.8 27.1 27.2 27.3 27.4 27.5 27.6 27.7 |
| EMEA Spain 1720/2007 | 26 |
APAC (6)
| Framework | Mapping Values |
|---|---|
| APAC Australia Privacy Act | APP Part 13 |
| APAC Australian Privacy Principles | APP 12 APP 13 |
| APAC China Cybersecurity Law | 43 |
| APAC China Privacy Law | 45 46 50 |
| APAC Japan APPI | 27(3) 28(2) 28(2)(i) 28(2)(ii) 28(2)(iii) 28(3) 28(4) 28(5) 31 32(1) 32(2) 32(3) 32(4) |
| APAC South Korea | 37 |
Americas (6)
| Framework | Mapping Values |
|---|---|
| Americas Argentina Reg 132-2018 | 16.2 16.6 |
| Americas Bahamas | 11 |
| Americas Brazil LGPD | 18 19 21 |
| Americas Colombia | 12 15 |
| Americas Mexico | 30 |
| Americas Peru | 10 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to maintain a process to efficiently and effectively respond to requests, complaints, concerns or questions from authenticated data subjects about Personal Data (PD) the organization collects, receives, processes, stores, transmits, shares, updates and/or disposes.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to maintain a process to maintain a process to efficiently and effectively respond to requests, complaints, concerns or questions from authenticated data subjects about Personal Data (PD) the organization collects, receives, processes, stores, transmits, shares, updates and/or disposes.
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to maintain a process to maintain a process to efficiently and effectively respond to requests, complaints, concerns or questions from authenticated data subjects about Personal Data (PD) the organization collects, receives, processes, stores, transmits, shares, updates and/or disposes.
Level 3 — Well Defined
Privacy (PRI) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- A Chief Privacy Officer (CPO), or similar function with technical competence to address data privacy concerns, analyzes the organization's business strategy to develop and publish authoritative guidance on the organization's data privacy program.
- A Privacy program, run by a CPO, or similar role, ensures that applicable statutory, regulatory and contractual data privacy obligations are properly identified and implemented to limit and secure Personal Data (PD) that the organization stores, transmits and processes.
- As part of the organization's data privacy program, the CPO publishes a clear set of “data privacy principles”, based on leading data privacy practices, that systems, applications, services, processes and third-parties must adhere to.
- A Project Management Office (PMO), or project management function, ensures both cybersecurity and data privacy principles are identified and implemented within ongoing or planned projects.
- The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy to determine prioritized and authoritative guidance for cybersecurity-related data privacy practices.
- The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the enterprise for cybersecurity-related data privacy practices.
- A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to data privacy.
- A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program.
- Data/process owners operationalize data privacy controls into the processes they control.
- Third-party contracts included data protection requirements, including flow-down requirements to subcontractors.
- Data Protection Officers (DPOs) are assigned to work closely with business units and project teams to ensure data privacy principles are being implemented.
- CPO and DPO determine and document the legal authority that permits the collection, use, maintenance and sharing of PD, either generally or in support of a specific program or system need.
Level 4 — Quantitatively Controlled
Privacy (PRI) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to maintain a process to maintain a process to efficiently and effectively respond to requests, complaints, concerns or questions from authenticated data subjects about Personal Data (PD) the organization collects, receives, processes, stores, transmits, shares, updates and/or disposes.
Assessment Objectives
- PRI-06.4_A01 the time period in which complaints (including concerns or questions) from individuals are to be reviewed and acknowledging is defined.
- PRI-06.4_A02 the time period in which complaints (including concerns or questions) from individuals are to be addressed is defined.
- PRI-06.4_A03 the time period for acknowledging the receipt of complaints is defined.
- PRI-06.4_A04 the time period for responding to complaints is defined.
- PRI-06.4_A05 a process for receiving & acknowledging complaints, concerns or questions from individuals about organizational cybersecurity / data privacy practices is implemented.
- PRI-06.4_A06 a process for responding to complaints, concerns or questions from individuals about organizational cybersecurity / data privacy practices is implemented.
- PRI-06.4_A07 the complaint management process includes mechanisms that are easy to use by the public.
- PRI-06.4_A08 the complaint management process includes mechanisms that are readily accessible by the public.
- PRI-06.4_A09 the complaint management process includes all information necessary for successfully filing complaints.
- PRI-06.4_A10 the complaint management process includes tracking mechanisms to ensure that all complaints are reviewed within an organization-defined time period.
- PRI-06.4_A11 the complaint management process includes tracking mechanisms to ensure that all complaints are addressed within an organization-defined time period.
- PRI-06.4_A12 the complaint management process includes acknowledging the receipt of complaints, concerns or questions from individuals within an organization-defined time period.
- PRI-06.4_A13 the complaint management process includes responding to complaints, concerns or questions from individuals within an organization-defined time period.
Technology Recommendations
Micro/Small
- Data classification program
- Data privacy program
- Data Protection Impact Assessment (DPIA)
- Product / project management
Small
- Data classification program
- Data privacy program
- Data Protection Impact Assessment (DPIA)
- Product / project management
Medium
- Data classification program
- Data privacy program
- Data Protection Impact Assessment (DPIA)
- Product / project management
Large
- Data classification program
- Data privacy program
- Data Protection Impact Assessment (DPIA)
- Product / project management
Enterprise
- Data classification program
- Data privacy program
- Data Protection Impact Assessment (DPIA)
- Product / project management