DAT-020 Accuracy of Personal Data
Description
Processes exist to ensure that personal data held is accurate and, where necessary, kept up to date. Inaccurate data is corrected or deleted without delay. Users or data subjects have mechanisms to update their own data, and accuracy is considered when designing data collection pipelines.
Rationale
Inaccurate data can cause material harm to individuals (e.g. incorrect AI decisions). GDPR requires accuracy as a data quality principle and backs it with an enforceable right to rectification.
Framework Mappings (3)
| GDPR-Art.16 | Right to Rectification | partial |
| GDPR-Art.5.1d | Accuracy of Personal Data | full |
| SI-12 | Information Management and Retention | partial |
Evidence (2)
Rectification request log and data correction records showing that inaccurate personal data is corrected promptly upon request or detection.
Example: Data subject request (DSR) tracker entries for rectification requests (Jira / OneTrust) from the last 12 months — each showing: request date, data corrected (field/system), completion date, confirmation sent to data subject, and systems updated (primary DB, backups, downstream systems).
Test: Request the rectification request log. Verify: (1) all rectification requests were actioned within 30 days, (2) corrections were applied to all systems holding the inaccurate data (not just the primary record), (3) data subjects received confirmation of correction, (4) no requests were refused without documented legal justification.
User-facing account or profile settings demonstrating that users can update their own personal data directly in the product without requiring a formal request.
Example: Product UI screenshot or user settings documentation showing self-service edit capability for core personal data fields (name, email, address, contact details) in the user's account settings page.
Test: Access the product as a standard user. Verify: (1) the account/profile settings page allows users to edit their own core personal data fields directly, (2) changes are reflected in the system immediately or within a stated processing period, (3) the user receives confirmation of changes, (4) the self-service mechanism is linked from or referenced in the privacy notice.
Questions (2)
Does your organisation have processes to ensure that personal data held is accurate and up to date, including a mechanism for data subjects to correct their own information?
Users should be able to update their own core personal data fields (name, email, contact details) directly in the product without requiring a formal request. Corrections should propagate to all systems holding the inaccurate record.
How are inaccurate personal data records identified and corrected?
Self-service correction capability alongside a formal rectification request process provides the strongest coverage. Corrections must propagate to all systems (primary database, downstream systems, backups where applicable) to be effective.