Enhance Data Privacy Compliance with Multi-Version Privacy Policies in Docebo

• 8 min read

New functionality makes it easy to meet regional data privacy compliance requirements.

As the deadline for the General Data Protection Regulation (GDPR) fast approaches, Docebo has introduced a completely updated way for administrators to manage their privacy policies within the learning platform, which makes it easy to manage multi-version, multi-language privacy policies to meet regional data privacy compliance requirements.

As of April 28, 2018, administrators using Docebo’s learning management system (LMS) can create customized privacy policies for users to accept when they register or log into the platform, establishing and assigning multi-version policies to specific users.

This new functionality is incredibly useful, especially as it relates to GDPR and helping administrators manage their regulatory compliance within the Docebo learning platform.

How to Activate the Privacy Policy Globally For All Domains

To manage a privacy policy, you must log into your main domain as a Superadmin.

You can access the Admin menu by clicking the gear icon in the top right corner of the Docebo interface, then  clicking the Advanced Setting item and accessing the Users tab. In the Options section, you must flag the “Privacy Policy MUST be accepted” option, and press “Save Changes.”

You have now activated the privacy for all of your subdomains. Depending on the requirements of different users across different domains, you can turn that specific privacy policy on or off. Local setting will take priority over the global configuration of your privacy policy, so any settings you’ve configured for that subdomain will override any global privacy policy settings that you’ve configured.

To manage the settings of an individual subdomain, access the Admin Menu and press the Manage sub-item in the “Multidomain” section. On the main Multidomain page, locate the subdomain in the list, then press the “gear” icon to access its settings. Reach the Privacy Policy tab, then flag the option in the first section to “Enable custom settings for this client.”

You will then see that the Privacy Policy section is no longer greyed out. Depending on how you’ve set the global settings for all domains, you can flag the option to not require a policy signature for users in this subdomain (i.e.; users won’t have to accept a privacy policy before accessing their platforms), or you can flag the “Assign a policy option.”

If you flag the second option, use the “Select a Policy” dropdown menu to assign a privacy policy for the specific multidomain. On the other hand, you can assign a privacy policy to this subdomain from the “Privacy Policy” management area of your platform. The assigned policy will be reflected in the interface of the “Privacy Policy” tab in the subdomain’s settings. Furthermore, if you assign a policy to the client in the settings area for the subdomain, it will be reflected in the interface of the “Privacy Policy.”

Once you’ve assigned a privacy policy to a subdomain, all users within that subdomain must accept that specific privacy policy to access the Docebo platform and start or continue their e-learning journey.

How to Manage Privacy Policy Versions

To access your privacy policies as a Docebo administrator, you need to access your “Admin” menu and press the “Privacy Policy” item in the “Settings” section. Your interface will display all the policies you’ve created and allow you to manage them as you need.

Policies will be organized by row, displaying the policy name, ID code, to which client the policy is assigned, when the last update to the policy was made, and the version of that policy. When you need to edit an existing privacy policy, a new version is created when you edit any field or content outside of the policy’s title. If you update only the policy’s title, a new version will not be created, as that field is only visible to administrators (Superadmins). Assigned users will have to accept any new versions of any privacy policy before they can access their platform again.

One thing to note is that if any existing privacy policy is deleted, its tracking history is also deleted. Administrators will not be able to access any history regarding the privacy policy from their privacy policy reports. The users of those subdomains will be asked to accept the default privacy policy upon their next login. You can also re-assign these clients to a new privacy policy that you’ve created and stored.

Multi-Version Privacy Policies in Multiple Languages

When you create or edit a policy in your platform’s default language, the language fields are mandatory. But, when adding content in a language that is not your platform’s default, the fields are not mandatory, so if you don’t populate a field in one of the additional languages, it will appear to users in the default language instead of appearing blank.

For example: if your platform’s default language is English, you will need to fill out every field of the privacy policy in English. If you then decide to create content of the same policy in French, but don’t fill out the acceptance message, your learners’ platforms set in French will see the privacy policy acceptance message in English.

Managing Sub-Policies

If a sub-policy or additional acceptance messages to a privacy policy are required, administrators can press the “Add Sub-Policy” button in the “Sub-Policy” section when creating or editing their privacy policy. This option is especially useful if you needs your learners to accept additional options when accepting the privacy policy, such as allowing user data to be viewed by a third party system or subscribing to newsletters.

You will then need to insert a sub-policy acceptance message into the available text field and flag if it’s mandatory or not. If a sub-policy is set to mandatory, users won’t be able to access their platform until they’ve accepted the sub-policy.

Assigning and Unassigning Policies to Subdomains

Docebo users are able to assign privacy policies to specific sub-domains. This means that one domain may have a different privacy policy than a different domain, which is useful if your sub-domains are populated by branches divided by users in different offices, countries or regions, and need to agree to different terms and conditions to use the platform. Specifically, this function is Specifically, this function is particularly useful to ensure your data collection activities within your learning platform are compliant to regional data privacy requirements, such as GDPR.

You can create individual privacy policies for users in different countries, but doing so requires users to create an organizational chart that separates users into branches per country and assigning those branches to specific multi-domain client. Then, administrators can create a privacy policy for each client and assign individuals policies to their corresponding client.

Can You Update Your Privacy Policies?

Absolutely. Once an administrator has created a privacy policy, any of the fields can be updated later. Doing so will, however, create a new version of the policy. All versions of each of your privacy policies can be tracked and viewed when managing them. Each time a new version is created and published, all users must re-accept the privacy policy the next time they log into their learning platform.

Tracking Users Who Have Accepted Your Privacy Policy

Docebo administrators are able to view a dedicated report in their learning platform related to privacy policies (the Privacy Policy dashboard). The dashboard allows you to view the acceptance status of every user, the timing in which they’ve answered the privacy policy, and other details related to their interaction with corresponding privacy policies. This dashboard is extremely helpful when determining and managing regulatory compliance, especially if you’ve deployed multi-version privacy policies across multiple geographies and multiple regulatory compliance requirements.

GDPR Compliance and Your Learning Platform Privacy Policy

The GDPR significantly alters the ways organizations must handle personal data, and this is no different within your LMS.

Among the many new rights for data subjects in GDPR, the following will apply to your LMS:

  • The right of access: Data subjects have the right to access any personal data and to be aware of and verify the lawfulness of that data’s processing.
  • The right to rectification: Gives that learner access to their collected data if they notice something is inaccurate or incomplete.
  • The right to be forgotten: data subjects can have their information removed or deleted if it’s proven that there is no compelling reason for a business to continue processing any of that information.
  • The right to data portability: Data subjects can obtain and reuse their personal data for their own purposes across different services to move, copy or transfer personal data from one IT environment to another safely and securely, without hindering usability.
  • The right to object: GDPR gives LMS users the right to object to having any personal data used for direct marketing, profiling or processing for research or statistics. That means you must give LMS users a mechanism to opt-out of marketing communications any time you request their personal data. You will need to include explicit mentions of any other reasons for collecting personal data on your LMS.
  • The right not to be subject to automated individual decision-making resulting in decisions having legal or significant effects: Any processing activity that is wholly automated and leads to decisions that impact individuals in a significant way is prohibited unless such processing can be justified on one of three bases set out as exceptions under Article 22(2), namely: performance of a contract, authorised under law, or explicit consent.

The most common way to provide this information is in a privacy notice. Under GDPR, Docebo customers are known as data controllers. Our new privacy policy feature allows data controllers to:

  1. Include all information required by GDPR in their privacy notices and to apply relevant best practices. Users are able to easily define and maintain security policies that detail your organization’s personal data-handling best practices concisely and transparently. Your policy is also easily accessible, should be written in clear and plain language and can be translated in the user’s own language.
  2. Provide an effective way to define and maintain data privacy policies and procedures for obtaining consent in accordance  with the GDPR.

Why This is so Important?

The GDPR significantly alters requirements related to the collection and treatment of personal data. Among the many requirements, transparency and providing access to individual information are among the most important. That means being transparent and providing accessible information to individuals about how you will be using their personal data, which is a key element of both the Data Protection Act (US) and the GDPR. Docebo’s multi-version, multi-checklist privacy policy functionality is a key tool for Docebo users to ensure data privacy regulatory compliance. Docebo has the mechanisms you need to ensure your learning platform’s GDPR compliance. Ready to give it a try?