Regulations

Regulations currently configured in your 4Comply account are listed here. You can add a new regulation to the system by clicking the “+ Add New” button (1); to review a regulation’s configuration, click the edit icon (2) under Actions. You can also click the pencil icon (3) to edit the Note for the regulation.

Regulations Table

By default, 4Comply is pre-configured with the following regulations:

  • GDPR (for EU countries)
  • CASL (Canadian anti-spam law)
  • CCPA (California Consumer Privacy Act)
  • LGPD (Lei Geral de Proteção de Dados Pessoais)
  • PDPA (Personal Data Protection Act)
  • APA (Australian Privacy Act)
  • PIPA (Personal Information Protection Act)
  • Privacy Act (Privacy Act 2020)
  • FADP (Federal Act on Data Protection)
  • PDPL (Personal Data Protection Law)
  • No Current Reg, for the rest of the world.

Adding a New Regulation

When adding a new regulation, you must enter a Regulation Name and a Note.

Add a New Regulation

The Regulation Name should be something easy to identify or the correct abbreviation of the new law. Use the Note field as you see fit; for example, add the law’s full name or a description of the countries or regions to which the regulation applies.

Once you have set up the new regulation, the next step is to complete its configuration. You can base the new regulation on an existing one to copy the same Permission Types and Processing Purposes. The following sub-sections explain what these are and how to add them.

View Regulation Configuration

View Regulation Configuration has two main sections: Processing Purposes and Derived Permission Types. Add configurations or modify the existing ones according to your needs. 4Comply ships with an out-of-the-box configuration for each regulation based on that regulation’s current law. Additionally, there is a toggle that determines how new consent with a value of “no” is processed. If the toggle is enabled, new consent with a value of “no” overrides existing consent with a value of “yes”.

Regulation – Override Consent

Derived Permission Types

When a user gives consent to receive email communication, 4Comply creates an explicit permission. 4Comply may also create additional derived permissions directly related to that explicit permission. In the email communication example above, the derived permissions may include “Process Data” and “Communicate - Email.” For each derived permission, you can specify the Expiry Behavior, select the Consent Types included in the derived record, and set the Default Permission Value.

Expiry Behavior specifies what 4Comply does when the permission record expires. For example, under GDPR, 4Comply removes expired permissions until the Digital Citizen gives consent again. Under CASL, however, the permissions are not removed.

Lastly, the Default Permission Value is returned when checking the permission status of a Digital Citizen who is not found in 4Comply or who has not explicitly given consent.

CCPA - Regulation Configuration

Processing Purposes

4Comply is pre-configured with processing purposes for each regulation. You can modify them or add new entries as needed.

When adding a new processing purpose, there are four required fields: Name, TTL (time-to-live), Permission Category, and Returned Contact. There is also an optional field: Privacy Policy Justification.

Adding Processing Purposes

The Permission Category picklist is configured in the “Permissions Categories” section under Regulations.

Permission Categories

You may specify a Permission Category for each of the processing purposes in this section, depending on its legal basis. For example, under GDPR, contacts with a Permission Category of “Legitimate Interest” have a shorter time-to-live than contacts with a “Contractual” or “Consent” Permission Category. The nature of the request (the Processing Purpose) made by the contact should always be aligned with the Permission Type specified for it.

Because 4Comply uses processing purpose names as API parameters, we recommend a clear naming convention so that API calls are easy to read.

You must also specify the time-to-live (TTL) in months; this is the value used to calculate the permissions’ expiration date. Consent Requirement defines the value 4Comply expects for consent.

The Permission Category is a picklist with specific values for each regulation; for example, for GDPR, the values are Contractual, Consent, and Legitimate Interest, whereas for CASL the values are Express Consent, Implied Consent, and Implied Consent - Contract.

The Returned Contact field specifies whether to retain or delete a contact when it returns to 4Comply after having requested to be forgotten.

And finally, Privacy Policy Justification is an optional field where you can store the reasoning behind the TTL policy.

Processing Purposes

The Processing Purposes shipped with 4Comply are:

  • Asset download with consent
  • Asset download without consent
  • Contact Us Request with consent
  • Contact Us Request without consent
  • Consent to Request to Sell Personal Data
  • Consent to Sell Personal Data
  • Contractual
  • CRM Record with consent
  • CRM Record without consent
  • Customer SOW with consent
  • Customer SOW without consent
  • Event Registration with consent
  • Event Registration without consent
  • Form Submit with consent
  • Form Submit without consent
  • In Person Event with consent
  • In Person Event without consent
  • Partner List with consent
  • Partner List without consent
  • Unsubscribe
  • Webinar Registration with consent
  • Webinar Registration without consent

One Processing Purpose has special actions associated with it: Unsubscribe. ‘Unsubscribe’ is used to expire permissions, even when ‘Consent Override Behavior’ is set to “No”. When ‘Unsubscribe’ is used as a Processing Purpose, you must use “Unsubscribe” as the Consent_code value. 4Comply treats the Processing Purpose ‘Unsubscribe’ in the following way:

  • Expiration date for the explicit permission and all derived permissions is set to ‘Today’
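As an added illustration (not code from 4Comply), the following Python model captures the behaviour described in the Derived Permission Types section above (Expiry Behavior, Default Permission Value), the TTL in months, the override-consent toggle, and the special Unsubscribe purpose. Class and field names are my assumptions, as is the choice that a retained (CASL-style) expired record still reports its stored value.

```python
import calendar
from dataclasses import dataclass
from datetime import date
# Constructed model of the rules this page describes: TTL in months, the override-consent
# toggle, Expiry Behavior, Default Permission Value and the special Unsubscribe purpose.
# Names are illustrative (assumptions), not 4Comply's own API.

@dataclass
class Purpose:
    ttl_months: int           # time-to-live used to compute the expiry date
    consent_requirement: str  # Consent_code value that counts as consent
    types: tuple              # explicit permission type first, then the derived ones
@dataclass
class PermType:
    remove_on_expiry: bool    # Expiry Behavior: True removes the record (GDPR-style)
    default: str              # Default Permission Value when the citizen has no record
@dataclass
class Regulation:
    override_no: bool         # toggle: a new "no" overrides an existing "yes"
    purposes: dict            # processing purpose name -> Purpose
    types: dict               # permission type name -> PermType

def add_months(d: date, months: int) -> date:
    m = d.month - 1 + months
    year, month = d.year + m // 12, m % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

class Ledger:
    def __init__(self, reg: Regulation):
        self.reg, self.recs = reg, {}   # recs: {citizen: {ptype: (value, expires)}}
    def consent(self, citizen: str, purpose: str, code: str, today: date) -> None:
        mine = self.recs.setdefault(citizen, {})
        if purpose == "Unsubscribe":     # special purpose: bypasses the toggle entirely
            if code != "Unsubscribe":
                raise ValueError("Unsubscribe requires Consent_code 'Unsubscribe'")
            mine.update({t: (v, today) for t, (v, _) in mine.items()})   # expire today
            return
        p = self.reg.purposes[purpose]
        value = "yes" if code == p.consent_requirement else "no"
        for t in p.types:
            if value == "no" and mine.get(t, ("",))[0] == "yes" and not self.reg.override_no:
                continue                 # toggle off: a "no" leaves an existing "yes" alone
            mine[t] = (value, add_months(today, p.ttl_months))

    def status(self, citizen: str, ptype: str, today: date) -> str:
        rec = self.recs.get(citizen, {}).get(ptype)
        if rec and rec[1] <= today and self.reg.types[ptype].remove_on_expiry:
            del self.recs[citizen][ptype]    # expired: removed until consent is given again
            rec = None
        return rec[0] if rec else self.reg.types[ptype].default
```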

Master Permission Types

This table represents the default Permission Types available in 4Comply. You can add new permissions (1), review the details of the permissions (2) [useful when doing API calls], and delete the permission type (3).

Master Permission Types

When adding a new permission type, enter the name, the default permission value (yes or no), an optional description, and an optional Business Unit, which are all the fields displayed in the table above. The Business Unit can be used to differentiate the Permissions of one Business Unit from those of another. After creating the new permission type, it is added to all the regulations by default. Once completed, you can use the new permission type on any API call that uses it, or you can configure the derived types that you will use for each specific regulation. If you use the new permission type directly, the consent request creates only the explicit permission and no derived permissions.

When you add a Business Unit to the definition of a Permission Type, the system selects that Permission Type for a new Compliance Input record if and only if the Business Unit on the input matches the Business Unit in the Permission Type. If there is no match, the Permission Type with no Business Unit is selected by default.

If you click the “Gear” icon, you can select the columns to be shown on the list of Permission Types. Click on the Gear icon again to close the dialog box.

Master Permission Types - columns select

The default permissions are:

  • Process Data
  • Communicate Electronically
  • Communicate - SMS
  • Communicate - email
  • Sell personal Data
  • Request to Sell Personal Data

Permission Categories

In this section, you can review the default values for the Permission Categories and, if required, add your own to the system by specifying the name of the new Permission Category. You can also edit existing values, or delete values no longer needed.

Permission Categories

The Compliance Input Type field is used for segmenting and filtering Compliance Input records. Each Permission Category must have a Compliance Input Type. This lets you filter all Compliance Inputs of the same type regardless of their Permission Category. The values are:

  • Consent
  • Implied
  • Contractual
  • Legal

The default Permission Categories are:

  • Consent
  • No Consent
  • Express Consent
  • Implied Consent
  • Legitimate Interest
  • Contractual