Privacy and security policies let Global Administrators create, manage, and enforce user acceptance of privacy and security policies throughout a SmartSimple system, including at login, signup, and record creation.
Who: Global Administrators
What Are Privacy and Security Policies
Privacy policies inform users how their data is handled and describe the safeguards and processes used to help reduce the risk of identity theft, fraud, and other security.
The requirement for privacy and security policies may be legally mandated depending on the jurisdiction of the end user. For example, the General Data Protection Regulation (GDPR) is a European Union regulation that protects individuals' privacy and personal data. Compliance with GDPR requires privacy and security policies. SmartSimple's own comprehensive policies are available in the Trust Portal.
Privacy and security policies can also be used to manage other compliance activities, such as conflict-of-interest attestations and agreements to other terms and conditions.
When to Use Privacy and Security Policies
Use privacy and security policies when:
- GDPR or other data privacy regulations require explicit user policy acceptance.
- Terms and conditions need to be accepted before login, signup, or record creation in the system.
- An auditable record is needed of when each user accepted a specific version of a policy.
- Different policies need to display to different user roles or users from specific countries.
Policy Lifecycle
Each policy moves through three statuses during its lifecycle.
Draft Status
When first created, a policy enters Draft status. In this state, the policy content can be modified without restriction. Draft policies are not enforced at any collection point.
Active Status
Once a policy is activated, its content cannot be modified without creating a new version. Only one version of a policy can be active at a time. Multiple versions may exist, but earlier versions remain in effect only until a new version is activated.
Expired Status
A policy can be set to Expired when it is no longer needed. Expired policies are not enforced at any collection point, but users can see their policies under their User Menu. An expired policy can be reinstated with Active status at any time without creating a new version.
How Users Interact with Policies
Users encounter privacy and security policies at collection points throughout the system, depending on configuration. A collection point is any location where a policy has been attached. At each collection point, users may be prompted to acknowledge, accept, or decline a policy.
Login Pages
Before logging in, users may be able to preview specific policies, depending on configuration. After logging in, users may be required to accept certain policies before gaining system access.
Signup Pages
Users may be required to acknowledge or accept policies before accessing the signup page form. This ensures users are informed of the terms and conditions associated with using the system, and how their data may be collected, used, and stored.
Viewing Accepted Policies
Users can view a list of accepted or acknowledged policies at any time by going to their User Menu. This view displays the collection point, policy version, and the date of acceptance. Users can also open a PDF showing the policy contents as they appeared at the time of acceptance.
Administrators can view acceptance records for any policy by navigating to the policy in the Security tab of Global settings and clicking User Logs in the left-side menu. This displays all users who have accepted the policy, along with relevant information and a PDF of the policy at the time of acceptance. A search function is available to locate users by name or email.
Resources
For more information about privacy and security policies, see: