What does control A.1.3.7 require?
The organisation shall implement policies, procedures or mechanisms to meet its obligations to PII principals to access, correct or erase their PII.
This control sits within the Obligations to PII principals objective (A.1.3). While A.1.3.2 identifies what obligations exist, A.1.3.7 requires you to build the actual operational mechanisms that fulfil three of the most frequently exercised data subject rights: access, rectification and erasure.
What does the implementation guidance say?
Annex B (section B.1.3.7) provides guidance on implementing each of the three rights:
Right of access
- Provide PII principals with the ability to access the PII held about them
- Include supplementary information such as the purposes of processing, categories of data, recipients, retention periods and the source of the data
- Verify the identity of the requester before disclosing any PII
Right to correction (rectification)
- Allow PII principals to have inaccurate PII corrected without undue delay
- Provide a mechanism for completing incomplete PII, taking into account the purposes of processing
- Where the correction affects data shared with third parties, notify those parties (see A.1.3.8)
Right to erasure
- Erase PII where it is no longer necessary for the stated purpose
- Erase PII where consent has been withdrawn and no other lawful basis applies (see A.1.3.5)
- Erase PII where the individual has objected and there are no overriding legitimate grounds (see A.1.3.6)
- Erase PII that has been unlawfully processed
- Document timeframes for responding to each type of request
The guidance also emphasises the importance of identity verification before acting on any request, to prevent unauthorised access or manipulation of PII.
How does this map to GDPR?
Control A.1.3.7 maps to several key GDPR provisions:
- Article 5(1)(d) — Accuracy principle: personal data shall be accurate and kept up to date
- Article 16 — Right to rectification
- Article 17(1)(a-f) — Right to erasure (right to be forgotten), including the six grounds on which erasure must be carried out
- Article 17(2) — Obligation to inform other controllers of erasure requests where data has been made public
- Article 13(2)(b) and 14(2)(c) — Obligation to inform data subjects of their rights to access, rectification and erasure
Access requests (subject access requests or SARs) are consistently the most common type of data subject request across all jurisdictions. Organisations should expect to handle these regularly and should have efficient processes in place.
How does this relate to ISO 29100 privacy principles?
This control supports the Individual participation and access principle from ISO 29100. This principle requires that PII principals have the ability to access their data, challenge its accuracy, and have it amended or deleted where appropriate. A.1.3.7 is the primary implementation control for this principle.
What evidence do auditors expect?
When assessing compliance with A.1.3.7, auditors will typically look for:
- Data subject request policy — A comprehensive policy covering access, rectification and erasure procedures, including roles, responsibilities and timeframes
- Request intake mechanism — A documented, accessible process for receiving requests (online form, email, in-person)
- Identity verification procedures — Documented steps for verifying the identity of requesters before acting, proportionate to the sensitivity of the data
- Response templates — Standardised templates for acknowledging, fulfilling and refusing requests, with legally sound language
- Request log — A register of all requests received, with dates, types, decisions and completion dates demonstrating compliance with timeframes
- Exemption documentation — Where requests are refused (in whole or part), documented reasoning citing the applicable exemption
- System capability — Evidence that systems can locate, extract, correct and delete PII across all relevant data stores
What are the related controls?
| Control | Relationship |
|---|---|
| A.1.3.9 Providing copy of PII processed | Extends the access right with specific requirements for format and portability |
| A.1.3.10 Handling requests | Provides the operational framework for managing all PII principal requests |
| A.1.3.8 Obligations to inform third parties | When correction or erasure is carried out, third parties must be notified |
| A.1.3.5 Modify or withdraw consent | Consent withdrawal may trigger erasure obligations under A.1.3.7 |
| A.1.3.6 Object to PII processing | Upheld objections may trigger erasure obligations under A.1.3.7 |
| A.1.2.9 Records related to processing PII | Processing records help locate all relevant PII when fulfilling access or erasure requests |
What changed from ISO 27701:2019?
In the 2019 edition, these rights were covered in Clause 7.3.6 (Access, correction and/or erasure). The 2025 edition consolidates them under A.1.3.7 with expanded guidance in B.1.3.7. The core requirements are substantively the same, but the 2025 format provides a clearer structure for auditing. The addition of A.1.3.9 (providing a copy) as a separate control also sharpens the distinction between access and portability. See the Annex F correspondence table for the full mapping.
Why choose ISMS.online for managing access, correction and erasure?
ISMS.online provides end-to-end support for the most operationally demanding data subject rights:
- Data subject request portal — A branded intake form that captures the request type, verifies identity and automatically logs the request with deadline tracking
- Workflow engine — Route requests to the right teams with automated task assignments, escalations and deadline reminders so nothing falls through the cracks
- Data mapping integration — Connect to your data inventory to quickly identify all systems holding the requester’s PII, reducing search time for access and erasure requests
- Exemption management — Structured templates for documenting and justifying any exemptions applied, creating a defensible record for regulators
- Performance reporting — Dashboard showing request volumes, response times, completion rates and trends, helping you identify bottlenecks before they become compliance issues
- Third-party notification — When corrections or erasures are completed, trigger notifications to third parties per A.1.3.8
FAQs
How should you verify identity before fulfilling a request?
Verification should be proportionate to the sensitivity of the data and the risk of disclosure to the wrong person. For existing customers, you might verify identity through their account credentials. For others, you might request a copy of photo ID or ask them to confirm details that only they would know. The key is to be confident of the requester’s identity without creating an excessive burden that discourages people from exercising their rights.
Are there grounds for refusing an erasure request?
Yes. The right to erasure is not absolute. Common exemptions include processing necessary for compliance with a legal obligation, exercise of official authority, reasons of public health, archiving in the public interest, and the establishment, exercise or defence of legal claims. Each refusal must be documented with the specific exemption relied upon, and the PII principal must be informed of the refusal and their right to complain to a supervisory authority.
What timeframe applies for responding to requests?
Under GDPR, the deadline is one month from receipt of the request. This can be extended by a further two months for complex or numerous requests, provided the PII principal is informed within the first month. Other jurisdictions may specify different timeframes. Regardless of the legal minimum, organisations should document their target response times and track performance against them. Consistently meeting shorter internal targets demonstrates strong operational capability to auditors.
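The request log that auditors look for and the one-month deadline (with a two-month extension that must be notified within the first month) can be enforced in code rather than tracked by hand. The following Python is an added example written for this page, not ISMS.online's product code or anything from ISO 27701. It assumes one convention for "one month": the same calendar day in the following month, clamped to the last day of that month when the day does not exist (31 January plus one month becomes 28 February). It also refuses to close a request until identity has been verified and refuses to record a refusal without a documented ground, matching the evidence items above. All request data is constructed sample data.

```python
"""Minimal data subject request register with deadline tracking.
Added example; not ISMS.online code. Sample requests below are constructed."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class RequestType(Enum):
    ACCESS = "access"
    RECTIFICATION = "rectification"
    ERASURE = "erasure"


def add_months(d: date, n: int) -> date:
    """Same calendar day n months later; if that day does not exist in the
    target month (e.g. 31 Jan + 1 month) clamp to the month's last day.
    Assumption: this is how the statutory 'one month' is counted."""
    idx = d.month - 1 + n
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class Request:
    ref: str
    kind: RequestType
    received: date
    identity_verified_on: Optional[date] = None
    extension_notified_on: Optional[date] = None
    completed_on: Optional[date] = None
    refusal_ground: Optional[str] = None

    def deadline(self) -> date:
        """One month from receipt, or three months in total when an extension
        was notified to the requester within the first month."""
        base = add_months(self.received, 1)
        if self.extension_notified_on is not None and self.extension_notified_on <= base:
            return add_months(self.received, 3)
        return base

    def status(self, today: date) -> str:
        if self.completed_on is not None:
            if self.refusal_ground:
                return "refused"
            return "completed_on_time" if self.completed_on <= self.deadline() else "completed_late"
        return "overdue" if today > self.deadline() else "open"


def extend(req: Request, notified_on: date) -> None:
    """Record an extension; valid only if the requester is told within the first month."""
    if notified_on > add_months(req.received, 1):
        raise ValueError(f"{req.ref}: extension must be notified within one month of receipt")
    req.extension_notified_on = notified_on


def complete(req: Request, on: date, refusal_ground: Optional[str] = None) -> None:
    """Close a request. Identity must have been verified before acting, and a
    refusal must cite the exemption relied upon so the log is defensible."""
    if req.identity_verified_on is None or req.identity_verified_on > on:
        raise ValueError(f"{req.ref}: identity not verified before acting on the request")
    if refusal_ground is not None and not refusal_ground.strip():
        raise ValueError(f"{req.ref}: a refusal must document the exemption relied upon")
    req.completed_on = on
    req.refusal_ground = refusal_ground


def register_report(requests: list[Request], today: date) -> dict[str, int]:
    """Counts per status, the figures a performance dashboard would show."""
    report = {"open": 0, "overdue": 0, "completed_on_time": 0, "completed_late": 0, "refused": 0}
    for r in requests:
        report[r.status(today)] += 1
    return report


def build_sample_register() -> list[Request]:
    """Constructed sample data covering each status."""
    r1 = Request("DSR-001", RequestType.ACCESS, date(2025, 1, 31), identity_verified_on=date(2025, 2, 3))
    complete(r1, date(2025, 2, 20))                      # deadline 28 Feb, met
    r2 = Request("DSR-002", RequestType.ERASURE, date(2025, 1, 31), identity_verified_on=date(2025, 2, 5))
    extend(r2, date(2025, 2, 25))                        # notified within first month, deadline 30 Apr
    r3 = Request("DSR-003", RequestType.RECTIFICATION, date(2025, 3, 1), identity_verified_on=date(2025, 3, 4))
    r4 = Request("DSR-004", RequestType.ERASURE, date(2025, 3, 10), identity_verified_on=date(2025, 3, 11))
    complete(r4, date(2025, 3, 20), refusal_ground="compliance with a legal obligation")
    return [r1, r2, r3, r4]


if __name__ == "__main__":
    for r in build_sample_register():
        print(r.ref, r.kind.value, r.deadline(), r.status(date(2025, 4, 15)))
    print(register_report(build_sample_register(), date(2025, 4, 15)))
```

Run as a script it prints each request's deadline and status as of 15 April 2025 and the status counts; DSR-003, received 1 March with no response by 1 April, shows as overdue. Swapping `add_months` for a jurisdiction-specific day count is the only change needed where the law sets a different timeframe.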