Regulations

Regulations currently configured in your 4Comply account are listed here. You can add a new regulation to the system by clicking the “+ Add New” button (1); or, to check how their configuration, click on the eye-icon (2) under Actions. You can also click on the pencil icon (3) to edit the Note for the regulation.

Regulations Table

By default, 4Comply is pre-configured with the following regulations:

  • GDPR (for EU countries)
  • CASL (Canadian anti-spam law)
  • CCPA (California Consumer Privacy Act)
  • LGPD (Lei Geral de Proteção de Dados Pessoais)
  • PDPA (Personal Data Protection Act)
  • APA (Australian Privacy Act)
  • PIPA (Personal Information Protection Act)
  • Privacy Act (Privacy Act 2020)
  • FADP (Federal Act on Data Protection)
  • PDPL (Personal Data Protection Law)
  • No Current Reg, for the rest of the world.

Adding a New Regulation

When adding a new regulation, you must enter a Regulation Name and a Note.

Add a New Regulation

The Regulation Name should be something easy to identify or the correct abbreviation of the new law. For the Note file, use it as you see fit. For example, add the law’s full name or a description of the countries or regions to which the regulation applies.

Once you have set up the new regulation, the next step is to complete the configuration. You can base your law on an existing one to add the same Permission Types and Processing Purposes. The following sub-sections will help you understand what these are and how to add them.

View Regulation Configuration

View Regulation Configuration has two main sections: Processing Purposes and Derived Permission Types. Add configurations or modify the existing ones according to your needs. 4Comply comes with an Out-of-the-box configuration for each of the regulations based on each regulation’s current laws. Additionally, there is a toggle to determine how to process new consent with a value of “no”. If said toggle is enabled, then new consent with a value of “no” will override existing consent of values “yes”.

Regulation – Override Consent

Derived Permission Types

When a user gives consent to receive email communication, 4Comply creates explicit permission. 4Comply may also create additional derived permissions directly related to explicit permission. In the email communication example above, the derived permissions may include “Process Data” and “Communicate - Email.” For each derived permission, you can specify the Expiry Behavior, select the Consent Types included in this Derived record, and the Default Permission Value.

Expiry Behavior specifies what 4Comply will do when the permission record expires. For example: in GDPR, 4Comply removes expired permissions until the Digital Citizen gives consent again. However, for CASL, the permissions are not removed.

Lastly, the Default Permission Value gets returned when checking the permission status of a particular Digital Citizen not found in 4Comply or hasn’t explicitly given consent.

CCPA - Regulation Configuration

Processing Purposes

4Comply is pre-configured with processing purposes for each regulation. You can modify them or add new entries as needed.

When adding a new processing purpose, there are four required fields: Name, time-to-live (TTL), Permission Category, and Consent Requirement.

Adding Processing Purpose

The Permission Category picklist is configured in the “Permissions Categories” section under Regulations. Permission Categories

You may specify a Permission Category for each of the processing steps in this section, depending on its legal commitment. For example, in GDPR, contacts with a Permission Category of “Legitimate Interest” will have a shorter time-to-live than contacts with a “Contractual” or “Consent” Permission Categories. The nature of the request, Processing Purpose, made by the contact, should always be aligned with the Permission Type specified in it.

Because 4Comply uses processing purpose names as API parameters, we recommend using a clear naming convention to understand API calls easily. You must also specify the time-to-live (TTL) in months; this is the value used to calculate the permissions’ expiration date. Consent Requirement defines the value 4Comply expects for consent.

And finally, the Permission Category is a picklist with specific values for each regulation; for example, for GDPR, the values are Contractual, Consent, and Legitimate Interest, whereas for CASL the values are Express Consent, Implied Consent, and Implied Consent - Contract.

Processing Purposes

The Processing Purposes shipped with 4Comply are:

  • Asset download with consent
  • Asset download without consent
  • Contact Us Request with consent
  • Contact Us Request without consent
  • Consent to Request to Sell Personal Data
  • Consent to Sell Personal Data
  • Contractual
  • CRM Record with consent
  • CRM Record without consent
  • Customer SOW with consent
  • Customer SOW without consent
  • Event Registration with consent
  • Event Registration without consent
  • Form Submit with consent
  • Form Submit without consent
  • In Person Event with consent
  • In Person Event without consent
  • Partner List with consent
  • Partner List without consent
  • Unsubscribe
  • Webinar Registration with consent
  • Webinar Registration without consent

Master Permission Types

This table represents the default Permission Types available in 4Comply. You can add new permissions (1), review the details of the permissions (2) [useful when doing API calls], and delete the permission type (3).

Master Permission Types

When adding a new permission type, enter the name, the default permission value (yes or no), and a description—all the fields displayed in the above table. After creating the new permission type, it is added to all the regulations by default. Once completed, you can use the new permission type on any API call that uses it, or you can configure the derived types that you will use for each specific regulation. If you use the new permission type, the permission created by the consent request will only create the explicit permission but no derived permissions.

The default permissions are:

  • Process Data
  • Communicate Electronically
  • Communicate - SMS
  • Communicate - email
  • Sell personal Data
  • Request to Sell Personal Data

Permission Categories

In this section, you can review the default values for the Permission Categories and, if required, add your own to the system by specifying the name of the new Permission Category. You can also edit existing values, or delete values no longer needed.

The default Permission Categories are:

  • Consent
  • No Consent
  • Express Consent
  • Implied Consent
  • Legitimate Interest
  • Contractual