PT-4(3)—Revocation
>Control Description
Implement organization-defined tools or mechanisms for individuals to revoke consent to the processing of their personally identifiable information.
>Cross-Framework Mappings
>Supplemental Guidance
Revocation of consent enables individuals to exercise control over their initial consent decision when circumstances change. Organizations consider usability factors in enabling easy-to-use revocation capabilities.
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern revocation in organizational systems?
- Who is responsible for implementing and overseeing revocation controls?
- How does the organization ensure revocation complies with privacy laws and regulations?
- What process exists for documenting and maintaining revocation?
- What governance exists for monitoring and enforcing revocation requirements?
Technical Implementation:
- What systems or tools technically implement revocation?
- How are revocation requirements enforced in PII processing systems?
- What privacy-enhancing technologies support revocation?
- How is revocation integrated with data governance and privacy tools?
- What technical controls prevent violations of revocation requirements?
Evidence & Documentation:
- Provide documented policies and procedures for revocation.
- Provide evidence of revocation implementation in PII systems.
- Provide documentation demonstrating compliance with revocation requirements.
- Provide records of revocation reviews and updates.
- Provide privacy impact assessments or other documentation addressing revocation.