Frequently asked questions to help your business

• What is the legal framework of Revoke’s SARs?

Revoke is designed to provide robust identity verification and a secure and efficient communication channel between a company and consumers to manage Subject Access Requests (SARs) and other rights afforded to them under the GDPR and CCPA. Revoke will extend its services to include users and businesses in other jurisdictions as new consumer privacy laws are passed.

• Which countries is Revoke for businesses available in?

Revoke is currently available to businesses with a registered head office or physical presence within the European Economic Area (EEA), the United Kingdom and California (United States of America). If your country is not currently included, please register here and one of our customer support team will contact you.

• How does Revoke demonstrate it has authority to act on behalf of its users?

Prior to sending any requests, our users must verify their email address and digitally sign an “authorisation letter”; this evidences a contractual agreement between Revoke and the user. Some companies require additional types of information, such as the user’s phone number and nationally issued photo ID using biometric technology; companies have the option to request additional information through Revoke’s secure channels.

• What type of data requests does Revoke send on behalf of its users?

Companies will receive one of 3 types of requests from Revoke users: “Stop Marketing”, “Get Data” or “Delete Data”. The email request will clearly identify what type of request you have received; each request is prefixed by a 3-letter shortcode which corresponds to a specific type of request. For example, the prefix “STO –” refers to Stop Marketing.

In addition, consumers and businesses which comply with CCPA can send “Stop Sharing” requests.

TYPE OF REQUEST          REFERENCE PREFIX
Get Data Request         GET –
Stop Marketing Request   STO –
Deletion Request         DEL –

• Do I need to create an account with Revoke to action the SARs?

If your company is in our database, you may receive a subject access request (SAR) which you can manage using our secure verification process. You can action requests without creating an account if the default information provided by users is sufficient for you to match them to your company’s records. If you need additional sensitive data, such as National ID, you will need to create an account with either our Essential or Plus plans; both are currently free of charge for organisations.

• What is the difference between Essential and Plus plans?

You will be asked to choose between our two current plans, “Essential” and “Plus”, both of which are free for organisations. Each plan connects to our portal and allows Data Controllers and their privacy teams to safely and securely action requests (“Essential” offers limited features, while “Plus” affords Data Controllers and their teams a greater range of functionality). The main difference between the two plans is that “Essential” offers basic tools to deal with a single request at a time, whereas “Plus” gathers all the incoming requests into a dashboard table showing all key information and the status of each request. This is a practical feature for companies that receive a large number of Subject Access Requests. “Plus” also displays all processing statistics and allows other authorised members of your privacy team to use the portal.

• What options are available on the Revoke SARs?

All SARs sent by Revoke on behalf of its users include links to “Manage Request” and “Access DM Portal”.

• Where will the “Manage Request” button take me?

Clicking on “Manage Request” will open a window where you will be able to view the subject’s data and respond to their request by either:

  • uploading data for a GET request,
  • marking that you have removed them from your marketing list(s) for an STO request,
  • marking that you have deleted their data for a DEL request or
  • clicking “Reject” if you find you have no data on the subject (if you reject the request, this will be applied to all other requests from that user).

To view the subject’s data, you have to click the blue “View All” button, after which you will be prompted to enter a One-Time Code that will be sent to your DPO inbox shortly.

• Where will the “Access Portal” button take me?

Clicking “Access Portal” will open a window prompting you to “create a unique password”, which will allow you to access the portal once a unique key has been generated to encrypt your communications (which currently can take up to 24 hours). If you have already created a unique password and your unique key has been generated, then you can access the portal with your password. Once in the portal, you can view the subject’s verified information, request consent to view the subject’s identity document (if permitted for your company), and request more information from the data subject, such as an account number, if needed to complete their SAR. You can respond to their SAR in the portal, and if you choose “Plus” this process is made faster by using the app’s QR code scanner feature.

• Is the Data Management Portal available on a Mac/PC?

Revoke is a consumer mobile application (iOS and Android) with a business Data Management Portal for organisations that is fully compatible with Macs and PCs.

• What are the main objectives of the Data Management Portal?

  • Secure and efficient SAR process for Data Controllers and their teams
  • Confidence in expertly verified ID
  • Automatic record and evidence of fulfilling obligations
  • Pro-active management of SAR requests
  • Easy task coordination for Privacy teams
  • API available to fast-track matching of SARs details to a company’s own database

• What are the benefits of using the Data Management Portal?

  • Efficient broker system between parties with military-grade encryption; only the user who has requested their data will have access to it
  • An easy-to-navigate and intuitive platform
  • Straightforward response options embedded in the requests sent, which allow Data Controllers or their privacy teams to effectively manage requests
  • Additional features allow you to upload extra data or request more information to help verify users

• How does the Data Management Portal work?

We have written a detailed Data Management (DM) guide where Data Controllers and their privacy teams can find a comprehensive explanation of all features. The DM guide is available via the following link:

https://revoke.com/business/dpo-portal-guide/

• What verified information is available on the SARs?

The verified information on the data subject is available through either of the email response links and can include any of the following. Each item is classified as either “Standard” or “Sensitive” data, which is explained in more detail in a further section.

  1. Primary email address (standard)
  2. All email addresses (standard)
  3. Primary phone number (standard)
  4. All phone numbers (standard)
  5. Current address (sensitive)
  6. All addresses (sensitive)
  7. IP address (standard)
  8. Identity document and selfie (sensitive)

• What are Revoke’s Terms and Conditions for businesses?

We do not have any Terms & Conditions for our free services for organisations. We offer access to our Service, including the Data Management Portal (DM Portal) for the purpose of facilitating your response to data subject access requests. Our DM Portal allows you to transfer the required information to the data subject in an encrypted and secure manner. Revoke can neither view nor modify any data transferred by you to the data subject using our platform.

• Can businesses charge a subject for requesting their data?

You cannot charge a person (or their agent) for obtaining their data on their behalf under GDPR and CCPA, provided the request is not unreasonable. All requests made via Revoke are basic requests under the legislation mentioned above.

• What would happen if my company already has an online form to deal with SARs?

Under the California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR), an individual may choose to exercise their rights to access information held by an organisation in any appropriate way they choose. An organisation cannot insist on a particular process for consumers to follow. However, in certain cases, if your company has a straightforward data management process in place, we can set an autoresponder so our users will be redirected to your system to exercise their data rights.

• What would happen if my company does not respond within 30 days under GDPR?

If a company does not fulfil its obligations with respect to the GDPR, then it could face a fine of up to 20 million euros or an amount equivalent to 4% of global annual revenues for the financial year, whichever is larger. Regulatory bodies will consider several factors to determine the fine, including the nature, severity and, of course, the duration of the infraction. Likewise, the level of damage suffered by individuals and any action taken by the organisation to mitigate that damage will be considered. Regulatory agencies may impose a wide range of penalties, including the prohibition of processing personal data. In addition, organisations that fail to comply with the GDPR may be subject to private claims for compensation by individuals or by consumer protection entities on behalf of individuals.

• What would happen if my company does not respond within 45 days under CCPA?

Organisations must confirm receipt of a request within 10 business days and respond to the request within 45 calendar days from the time the request is received, not from when the request is verified, although an extension may be possible. Violations of the CCPA are subject to enforcement by the California attorney general’s office, which can seek civil penalties of $2,500 for each violation or $7,500 for each intentional violation after notice and a 30-day opportunity to cure have been provided.

• Why should I trust Revoke’s security?

Our software utilises the highest security standards in communication technology and data storage to protect both you, the contact organisation, and the data subject’s personal data. When data is imported into and stored in the Revoke platform, it allows organisations to meet the regulatory requirements in the provision of a secure system to allow an individual to access and store their personal data. Our services provide a robust process when verifying our users’ identity. Our systems capture the customer’s electronic signature and consent (where appropriate), which evidences a contractual agreement between Revoke and the user, as required by the most relevant data protection regulations around the world.

Cyber Essentials Certified

We take security seriously, which is why we’ve been assessed and certified for addressing cybersecurity effectively and mitigating the risk from Internet-based threats.