Frequently asked questions to help your business

Revoke is designed to provide robust identity verification and a secure and efficient communication channel between a company and consumers to manage Subject Access Requests (SARs) and other rights afforded to them under the GDPR and CCPA. Revoke will extend its services to include users and businesses in other jurisdictions as new consumer privacy laws are passed.

Revoke is currently available to businesses with a registered head office or physical presence within the European Economic Area (EEA), the United Kingdom and California (United States of America). If your country is not currently included, please register here and one of our customer support team will contact you.

Prior to sending any requests, our users must verify their email address and digitally sign an “authorisation letter”; this evidences a contractual agreement between Revoke and the user. Some companies require additional types of information such as the users’ phone number and nationally issued photo ID using biometric technology; companies have the option to request additional information through Revoke’s secure channels.

Companies will receive one of 3 types of requests from Revoke users; either “Stop Marketing”, “Get Data” or “Delete Data”.  The email request will clearly identify what type of request you have received; each request is prefixed by a 3-letter shortcode which corresponds to a specific type of request, for example, the prefix STO – refers to Stop Marketing.

In addition, consumers and businesses which comply with CCPA can send “Stop Sharing” requests.

If your company is in our database, you may receive a subject access request (SAR) which you can manage using our secure verification process. You can action requests without creating an account if the default information provided by users is sufficient for you to match them to your company’s records. If you need additional sensitive data, such as National ID, you will need to create an account with either our Essential or Plus plans; both are currently free of charge for organisations.

You will be asked to choose between our two current plans, “Essential” and “Plus”, both of which are free for organisations. Each plan connects to our portal and allows Data Controllers and their privacy teams to safely and securely action requests, (“Essential” offers limited features while “Plus” affords Data Controllers and their teams a greater range of functionality). The main difference between the two plans is that “Essential” offers basic tools to deal with a single request at a time. “Plus” gathers all the incoming requests into a dashboard table showing all key information and the status of each request. This is a practical feature for companies who receive a large number of Subject Access Requests. “Plus” also displays all processing statistics and allows other authorised members of your privacy team to use the portal.

All SARs sent by Revoke on behalf of its users include links to “Manage Request” and “Access DM Portal”.

Clicking on “Manage Request” will open a window where you will be able to view the subject’s data and respond to their request by either:

• uploading data for a GET request,
• marking that you have removed them from your marketing list(s) for an STO request,
• marking that you have deleted their data for a DEL request or
• clicking “Reject” if you find you have no data on the subject, (if you reject the request this will be applied to all other requests from that user).

To view the subject’s data you have to click the blue button “View All” after which you will be prompted to enter a One-Time Code that will be sent to your DPO inbox shortly.

Clicking “Access Portal” will open a window prompting you to “create a unique password” which will allow you to access the portal once a unique key has been generated to encrypt your communications (which currently can take up to 24 hours). If you have already created a unique password and your unique key has been generated, then you can access the portal with your password. Once in the portal, you can view the subject’s verified information as well as request consent to view the subject’s identity document if permitted for your company and request more information from the data subject such as account number etc if needed to complete their SAR. You can respond to their SAR in the portal and if you choose “Plus” this process is made faster by using the app’s QR code scanner feature.

Revoke is a consumer mobile application (iOS and Android) with a business Data Management Portal for organisations and fully compatible with Macs and PCs.

• Secure and efficient SAR process for Data Controllers and their teams
• Confidence in expertly verified ID
• Automatic record and evidence of fulfilling obligations
• Pro-active management of SAR requests
• Easy task coordination for Privacy teams
• API available to fast-track matching of SARs details to a company’s own database

• Efficient broker system between parties with military-grade encryption; only the user who has requested their data will have access to it
• An easy-to-navigate and intuitive platform
• Straight forward response options embedded in requests sent, which allows Data Controllers or their privacy teams to effectively manage requests
• Additional features allow you to upload extra data or request more information to help verify users

We have written a detailed Data Management (DM) guide where Data Controllers and their privacy teams can find a comprehensive explanation of all features. The DM guide is available via the following link:

https://revoke.com/business/dpo-portal-guide/

This is the verified information available on the data subject through either of the email response links and can include any of the following which is classified as being either “Standard” or “Sensitive” data which is explained in more detail in a further section.

1. Primary email address (standard)
2. All email addresses (standard)
3. Primary phone number (standard)
4. All phone numbers (standard)
5. Current address (sensitive)
6. All addresses (sensitive)
7. IP address (standard)
8. Identity document and selfie (sensitive)

We do not have any Terms & Conditions for our free services for organisations. We offer access to our Service, including the Data Management Portal (DM Portal) for the purpose of facilitating your response to data subject access requests. Our DM Portal allows you to transfer the required information to the data subject in an encrypted and secure manner. Revoke can neither view nor modify any data transferred by you to the data subject using our platform.

You cannot charge a person (or their agent) for obtaining their data on their behalf under GDPR and CCPA, provided the request is not unreasonable. All requests made via Revoke are basic requests under the legislation mentioned above.

Under the California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR), an individual may choose to exercise their rights to access information held by an organisation in any appropriate way they choose. An organisation cannot insist on a particular process for consumers to follow. However, in certain cases, if your company has a straightforward data management process in place, we can set an autoresponder so our users will be redirected to your system to exercise their data rights.

If a company does not fulfil its obligations with respect to the GDPR, then it could face a fine of up to 20 million euros or an amount equivalent to 4% of annual revenues, globally, always opting for the largest financial year. Regulatory bodies will consider several factors to determine the fine, including its nature, severity and, of course, the duration of the infraction. Likewise, the level of damage suffered by individuals and any action taken by the organisation to mitigate the damage suffered by individuals will be considered. Regulatory agencies may impose a wide range of penalties, including the prohibition of processing personal data. In addition, organisations that fail to comply with the GDPR may be subject to private claims for compensation by individuals or consumer protection entities on behalf of individuals.

Organisations must confirm receipt of a request within 10 business days and respond to the request within 45 calendar days from the time the request is received, not from when the request is verified although an extension may be possible. Violations of the CCPA are subject to enforcement by the California attorney general’s office, which can seek civil penalties of $2,500 for each violation or $7,500 for each intentional violation after notice and a 30-day opportunity to cure have been provided.

Our software utilises the highest security standards in communication technology and data storage to protect both you, the contact organisation and the data subject’s personal data. When data is imported into and stored in the Revoke platform it allows organisations to meet the regulatory requirements in the provision of a secure system to allow an individual to access and store their personal data. Our services provide a robust process when verifying our user’s identity. Our systems capture the customer’s electronic signature and consent, (where appropriate) which evidences a contractual agreement between Revoke and the user required the most relevant data protection regulations around the world.