NIST 800-53 REV 5 • PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY

PT-4(3) Revocation

Implement {{ insert: param, pt-04.03_odp }} for individuals to revoke consent to the processing of their personally identifiable information.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Revocation of consent enables individuals to exercise control over their initial consent decision when circumstances change. Organizations consider usability factors in enabling easy-to-use revocation capabilities.

Practitioner Notes

People must be able to revoke their consent as easily as they gave it. When consent is revoked, you must stop the processing that relied on it and, where appropriate, delete the data that was collected under that consent.

Example 1: Provide a clear 'Manage Privacy Preferences' page in your application or website where users can see what they consented to and revoke any consent with a single click. Process revocation requests within a defined timeframe (e.g., 72 hours).

Example 2: Build a workflow in Power Automate that triggers when a consent revocation is received: it updates the consent database, notifies the data processing team to stop the relevant processing, initiates data deletion if required, and sends a confirmation to the individual.
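The two examples above describe the same revocation workflow: show the individual what they consented to, let them revoke it, gate processing on active consent, queue deletion, confirm back to the individual, and track completion against a defined timeframe. The following is an added illustration of that logic in Python; it is not part of NIST 800-53, CMMC, or any Power Automate artifact. The `ConsentLedger` class, its in-memory storage, the event list standing in for notifications, and the 72-hour `REVOCATION_SLA` (taken from Example 1's sample timeframe) are all assumptions made for this example.

```python
"""Consent revocation ledger (added example; names and storage are constructed for illustration)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumed service level for completing a revocation, mirroring the 72-hour figure in Example 1.
REVOCATION_SLA = timedelta(hours=72)


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    granted_at: datetime
    revoked_at: Optional[datetime] = None
    deletion_completed_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.revoked_at is None


class ConsentLedger:
    """Stores consent decisions and drives the revocation workflow."""

    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}
        # Constructed audit trail; a real deployment would emit these as notifications/tickets.
        self.events: List[Tuple[str, str, str]] = []

    def grant(self, subject_id: str, purpose: str, now: datetime) -> None:
        self._records[(subject_id, purpose)] = ConsentRecord(subject_id, purpose, now)
        self.events.append(("consent_granted", subject_id, purpose))

    def list_consents(self, subject_id: str) -> List[ConsentRecord]:
        """What a 'Manage Privacy Preferences' page would display for one individual."""
        return [r for (sid, _), r in self._records.items() if sid == subject_id]

    def revoke(self, subject_id: str, purpose: str, now: datetime) -> bool:
        """Revoke one consent. Idempotent: returns False if nothing was active to revoke."""
        record = self._records.get((subject_id, purpose))
        if record is None or not record.active:
            return False
        record.revoked_at = now
        # Steps from Example 2: update the record, stop processing, start deletion, confirm.
        self.events.append(("stop_processing", subject_id, purpose))
        self.events.append(("delete_data", subject_id, purpose))
        self.events.append(("confirmation_sent", subject_id, purpose))
        return True

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """Processing code calls this gate; revoked or unknown consent means no processing."""
        record = self._records.get((subject_id, purpose))
        return record is not None and record.active

    def mark_deleted(self, subject_id: str, purpose: str, now: datetime) -> None:
        """Record that the data collected under a revoked consent has been deleted."""
        record = self._records[(subject_id, purpose)]
        if record.active:
            raise ValueError("cannot mark deletion for consent that is still active")
        record.deletion_completed_at = now

    def overdue(self, now: datetime) -> List[Tuple[str, str]]:
        """Revocations whose deletion has not completed within REVOCATION_SLA."""
        return [
            (r.subject_id, r.purpose)
            for r in self._records.values()
            if r.revoked_at is not None
            and r.deletion_completed_at is None
            and now - r.revoked_at > REVOCATION_SLA
        ]


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    ledger = ConsentLedger()
    ledger.grant("user-42", "marketing_email", t0)
    print("may process:", ledger.may_process("user-42", "marketing_email"))
    print("revoked:", ledger.revoke("user-42", "marketing_email", t0 + timedelta(days=10)))
    print("may process:", ledger.may_process("user-42", "marketing_email"))
    print("overdue after 4 days:", ledger.overdue(t0 + timedelta(days=14)))
```

The `may_process` gate is the piece that actually enforces "stop the processing": every job that uses the data checks it rather than relying on the notification having been acted on, and `overdue` gives the privacy team a list to chase when a deletion has not been confirmed inside the defined timeframe.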