GRCWatch
Sign inStart free trial

SOC 2 P6.2: Create & Maintain Records of Authorized Disclosures

SOC 2 P6.2 requires you to maintain complete, accurate, and timely records of every authorized disclosure of personal information. Without proper documentation, you cannot demonstrate to auditors that disclosures were legitimate and met your privacy objectives. This control closes the gap between what you intended to share and what actually left your systems.

What this means

P6.2 mandates that your organization document every instance when personal information is disclosed to authorized parties. This includes recording who received the data, what data was shared, when it was shared, and the business justification for the disclosure. These records must be accurate, complete, and retained for the duration required by your privacy policies and applicable regulations. The goal is to provide an auditable trail that proves all disclosures align with privacy commitments and entity objectives.

How to comply

  1. 1.Establish a centralized disclosure logging system that captures all authorized personal information transfers
  2. 2.Record at minimum: recipient identity, data categories disclosed, disclosure date/time, and authorization basis
  3. 3.Define retention periods for disclosure records based on regulatory requirements and privacy policies
  4. 4.Implement automated logging for system-initiated disclosures and manual entry controls for manual disclosures
  5. 5.Conduct quarterly reviews of disclosure records to verify accuracy and identify unauthorized or erroneous transfers
  6. 6.Train personnel on disclosure documentation requirements and approval workflows
  7. 7.Create audit reports from disclosure records to demonstrate compliance during SOC 2 assessments

Evidence auditors look for

  • Disclosure log showing recipient name, date, time, data elements, and authorization reference
  • Data processing agreements documenting authorized disclosure purposes
  • API access logs showing third-party integrations and data transfers
  • Email audit trails documenting personal data shared with customers or vendors
  • Policy documentation defining who is authorized to approve disclosures
  • Quarterly disclosure audit reports with remediation documentation for any exceptions
  • Privacy notice or policy references cited as authorization basis for each disclosure

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch's automated disclosure logging captures all authorized data transfers across systems and generates audit-ready SOC 2 P6.2 reports without manual spreadsheets.

See how GRCWatch handles this control automatically

Start free trial

Related controls

P6.1 — Confidentiality, Privacy, and Restricted or Confidential InformationP7.1 — Personal Information CollectionA1.1 — Governance and Oversight