Overview
A significant component of SmartSimple's privacy configuration is our adherence to the General Data Protection Regulation (GDPR). The GDPR is a legislative framework established by the European Union aimed at safeguarding the fundamental rights of individuals and their personal data. This regulation ensures that individuals are informed about the location of their personal data and mandates organizations to maintain accountability and transparency in their operations.
EUGDPR.org outlines the principal amendments introduced by the enforcement of the GDPR, which commenced on May 25, 2018. As a regulation with direct binding authority, the GDPR requires data controllers to implement suitable technical and organizational measures to uphold its data protection principles.
This article delineates the features and policies that SmartSimple has integrated into our platform to assist you in achieving compliance with the GDPR.
For further details regarding SmartSimple's approach to GDPR compliance, please visit our website.
Feature Descriptions and Requirements
SmartSimple has developed two categories of features that support GDPR compliance: those related to Personal Data Management and those concerning Consent and Compliance.
Personal Data Management Features
Personal Data Management features are designed to facilitate effective management of your data while automating your data governance model. To maximize the utility of the following features, we recommend identifying all personal data fields within the system and categorizing them accordingly.
Feature | Description | GDPR Regulation |
---|---|---|
Personal Data Field (Indicator) | This feature indicates whether a field contains personal data and includes a processing description. This allows for quick differentiation between personal and non-personal data fields, enabling both internal and external users to view the description. The addition of an indicator simplifies the process of ensuring that all personal data fields are accounted for during the erasure of personal data, policy additions, pseudonymization, or during searches and reporting. | |
Data Categories | This feature enables the organization of collected data into categories such as Contact Data, Financial Data, Highly Sensitive Data, etc. This categorization allows for the customization of specific security and data retention policies tailored to various data classes. You may apply multiple policies to a single category. | |
Data Retention Policies | A data retention policy specifies the duration for which your organization must retain data within this category before it is erased. Such policies can be applied to any field within the system, with the erasure process being fully automated. Retention is determined based on the number of months or days following a specific date. | |
Data Security Policies | A data security policy outlines who is permitted to view and/or modify data within this category in the system. Security policies support SmartSimple's role-based security. We can configure these policies to assist in achieving the principles of purpose limitation and integrity and confidentiality by ensuring that only individuals requiring access for legitimate, specified purposes are granted permission. | |
Pseudonymization | Pseudonymization enables the masking of personal data fields, rendering the retained data unidentifiable. This approach allows for a nuanced method of data management. Deleting an entire profile and all associated data is often unnecessary and can lead to gaps in reports. By utilizing pseudonymization, you can render specific fields unidentifiable, thus preserving the integrity of long-term reporting while adhering to data retention obligations. | |
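The following is an added, illustrative model of how the four mechanisms in the table above fit together at the field level: a personal-data indicator with a processing description on each field, data categories, a per-category retention policy (months or days after an anchor date) and a per-category role-based security policy, with expired personal fields pseudonymized rather than the whole record deleted so that non-personal fields remain available for reporting. It is not SmartSimple's code; the field names, categories, policies, key and sample record are all constructed for the example, and months are approximated as 30-day periods.

```python
"""Illustrative field-level personal-data governance model (added example, not
SmartSimple's code). All names, policies and sample data below are constructed."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

# Secret used to derive stable pseudonyms. In a real deployment it is held
# separately from the pseudonymized data (constructed placeholder value).
PSEUDONYM_KEY = b"constructed-example-key-not-for-production"


@dataclass(frozen=True)
class RetentionPolicy:
    """Retain for `months` or `days` after the record's anchor date, then erase."""
    months: int = 0
    days: int = 0

    def expiry(self, anchor: date) -> date:
        # Months are approximated as 30-day periods for this example.
        return anchor + timedelta(days=self.months * 30 + self.days)


@dataclass(frozen=True)
class FieldSpec:
    name: str
    personal: bool                 # the "personal data" indicator
    category: str | None = None    # e.g. "Contact Data", "Financial Data"
    description: str = ""          # processing description shown to the data subject


# Per-category retention (after the anchor date) and security (roles allowed to view).
RETENTION = {"Contact Data": RetentionPolicy(months=24),
             "Financial Data": RetentionPolicy(months=84)}
SECURITY = {"Contact Data": {"admin", "grants_officer"},
            "Financial Data": {"admin", "finance"}}

# Constructed field registry: two personal fields, two non-personal reporting fields.
REGISTRY = [
    FieldSpec("applicant_email", True, "Contact Data", "Used to send award notifications."),
    FieldSpec("bank_account", True, "Financial Data", "Used to disburse awarded funds."),
    FieldSpec("award_amount", False),
    FieldSpec("program", False),
]


def pseudonym(value: str) -> str:
    """Keyed, stable token: the same input always yields the same token, so reports
    can still count distinct subjects without the token revealing who they are."""
    digest = hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()
    return "pseud_" + digest[:16]


def can_view(role: str, field: FieldSpec) -> bool:
    """Role-based check: non-personal fields are open; a personal field needs a role
    listed in its category's security policy (no category means nobody qualifies)."""
    if not field.personal:
        return True
    return role in SECURITY.get(field.category, set())


def apply_retention(record: dict, anchor: date, as_of: date) -> dict:
    """Pseudonymize every personal field whose category retention has expired as of
    `as_of`, leaving non-personal fields intact for long-term reporting."""
    out = dict(record)
    for spec in REGISTRY:
        if not spec.personal or spec.name not in out:
            continue
        policy = RETENTION.get(spec.category)
        if policy is not None and as_of >= policy.expiry(anchor):
            out[spec.name] = pseudonym(str(out[spec.name]))
    return out


def personal_fields_disclosure() -> list[tuple[str, str]]:
    """What a data subject would see on their profile: each personal field held
    about them together with its processing description."""
    return [(f.name, f.description) for f in REGISTRY if f.personal]


SAMPLE_RECORD = {"applicant_email": "a.lee@example.org", "bank_account": "GB00EXAMPLE",
                 "award_amount": 5000, "program": "Research Grant"}


def demo() -> dict:
    """Record closed on 2020-06-01, evaluated on 2022-07-01: contact data (24 months)
    has expired and is pseudonymized; financial data (84 months) is still retained."""
    return apply_retention(SAMPLE_RECORD, date(2020, 6, 1), date(2022, 7, 1))


if __name__ == "__main__":
    print(demo())
    print(personal_fields_disclosure())
```

The design point is that erasure is driven by the field registry, not by the record: any field flagged as personal and placed in a category inherits that category's retention and security policies automatically, and because the pseudonym is a keyed, deterministic token, aggregate reporting on expired records (counts per program, totals per distinct applicant) keeps working after the identifying value is gone.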
Consent and Compliance Features
These features are designed to manage the consent of your data subjects as well as to oversee your overall compliance.
Feature | Description | GDPR Requirements |
---|---|---|
Personal Data Field (Information & Access) | It is imperative that the end user comprehends why and how their personal data will be processed to facilitate informed consent. The Personal Data Field Indicator allows you to designate any field that contains personal information and provide a description of the intended uses of that field. When the user accesses any page within the system that utilizes personal information fields, they can view all explanations you have provided. On their profile, users can see a list of personal data fields that you maintain about them. This feature is automatically available in every instance of SmartSimple. | |
Policy Consent | Following the establishment of a policy internally, you can enforce compliance by requiring users to agree to it upon login. The policy can be set as mandatory, ensuring that users who do not accept it will be unable to access the system or input personal information. Multiple policies can be implemented, and they can be enforced either once or at specified intervals. Upon acceptance of a policy, the system generates a PDF of the acceptance complete with a time/date stamp, creating a fully auditable consent collection process. | |
Cookie Policy | The Cookie Policy feature notifies users regarding the use of cookies within the SmartSimple application. Users landing on the login page will be alerted and required to consent to the use of cookies. Additionally, we have provided a policy template that you can utilize to formulate your own cookie usage policy within your Privacy and Security Policies. | |
Personal Data Erasure | The personal data erasure feature is employed to comply with requests for the deletion of user data. This feature can be activated on UTA Level 2 types as an individual's data erasure request. Within this Level 2 framework, an administrator can review these requests and will have the option to delete the user profile of the Level 2 owner. A certificate of data erasure is subsequently generated to document this activity. | |
Request Tracker UTA | This is a customized feature that must be specifically requested by the client for configuration within their instance of SmartSimple. We are capable of developing a Request Tracker to assist you in managing Data Subject Requests, including the Right of Access, Right to Rectification, Right to Erasure, Right to Restriction of Processing, among others. | |
Glossary for GDPR
Term, Principle, or Abbreviation | Definition |
---|---|
EEA | European Economic Area - established through an international agreement in 1992, the EEA extends the European Union's single market to non-EU member states. As of 2016, membership includes 31 states: 28 EU member states and three of the four member states of the European Free Trade Association: Iceland, Liechtenstein, and Norway. The agreement is provisionally applied concerning Croatia. Switzerland has not yet joined the EEA but maintains several bilateral agreements with the EU, allowing it to participate in the internal market. |
EU | European Union - a political and economic union comprising 28 member states primarily located in Europe. |
GDPR | General Data Protection Regulation - The GDPR 2016/679 is a regulation in EU law concerning data protection and privacy for all individual citizens of the European Union (EU) and the European Economic Area (EEA). The GDPR was adopted on April 14, 2016, and became enforceable starting May 25, 2018. |
GDPR Principle | Description |
---|---|
(5)(1)(b) Purpose Limitation | Article 5 of GDPR: Principles relating to the processing of personal data. 1. Personal data shall be: b) collected for specific, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific, or historical research purposes, or statistical purposes shall, in accordance with Article 89(1), not be considered incompatible with the initial purposes ('purpose limitation'). |
(5)(1)(e) Storage Limitation | Article 5 of GDPR: Principles relating to the processing of personal data. 1. Personal data shall be: e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. |
(5)(1)(f) Integrity and Confidentiality | Article 5 of GDPR: Principles relating to the processing of personal data. 1. Personal data shall be: f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures ('integrity and confidentiality'). |
(5)(2) Accountability | Article 5 of GDPR: Principles relating to the processing of personal data. 2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability'). |
(7)(1) Informed consent, demonstration of consent | Article 7 of GDPR: Conditions for consent. 1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data. |
(25)(2) Technical and organisational measures - purpose | Article 25 of GDPR: Data protection by design and by default. 2. The controller shall implement appropriate technical and organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of processing are processed. This obligation applies to: In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons. |
(30)(1)(e) Categories of Personal Data | Article 30 of GDPR: Records of processing activities. 1. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information: e) where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards. |
(89)(1) Safeguards and Pseudonymization | Article 89 of GDPR: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. 1. Processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Such safeguards shall ensure that technical and organizational measures are in place, particularly to ensure respect for the principle of data minimization. These measures may include pseudonymization provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner. |