Entity scoping to plan a privacy program

  • Release version: Washingtondc
  • Updated February 1, 2024

When a privacy manager plans the privacy program for an organization, the first step is to scope the business applications or processes that contain personal data. In Governance, Risk, and Compliance, these business applications or business processes are called entities. After you identify the entities that process personal data, the processing activities are created automatically.

    A privacy manager, with the role sn_privacy_manager, plans various privacy programs. Some examples of the privacy programs are:
    • Identifying all the business processes and vendors that process personal data of customers.
    • Identifying business applications that process personal data of employees.
    All the inventory related to business processes, applications, vendors, or business services is stored in the respective Configuration Management Database (CMDB) tables. The respective business owners manage this inventory.
    You can identify or discover entities that process personal data by using one of the following methods:
    • Filtering the entities by discovering the processing activities through their usage of personal information.
    • Sending initial privacy assessments.
    Both methods are explained in the following sections.
    Discover processing activities by their usage of personal information
    At an inventory level, when business processes, business applications, and other inventory records are mapped with information objects of type Personal information (PI), the privacy manager can discover those records that process specific PI information. For details about information objects and their role in Privacy Management, see Information objects in Privacy Management.
    The following image shows a business process with information objects associated with it. To identify such business applications or processes associated with information objects, the enhanced entity filter capability in the entity scoping functionality is used. For more information, see Scope entities to discover processing activities with personal information.
    Figure 1. Business process with associated information objects
    Business process with information objects associated with it.
    Identifying potential entities and sending initial privacy assessments
    If the information objects are not mapped to the business applications or processes, you can send initial privacy assessments to all the entities and use their responses to determine if personal data is being processed. The steps to send the assessment are as follows:
    1. Create an entity type. For example, Business processes that process customer personal information or Business applications that store employee information.
    2. Identify entities using the entity type you created.
    3. Select the relevant entities and send privacy screening assessments to the respective entity owners.
    4. Based on the responses, processing activities are created automatically when relevant questions are answered.
    Figure 2. Sending privacy assessments to entities
    Send privacy assessments to entities to determine personal data.
    After the entities are scoped, only those entities that contain personal information appear in the applications.
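    The two scoping methods described above (the enhanced entity filter on information objects, and initial privacy assessments for unmapped entities) as an added, stand-alone model. This is example code written for this page, not ServiceNow or Privacy Management code: the inventory records, the entity types, the assessment question keys (processesPersonalData, dataCategories) and the shape of a processing activity are all constructed for illustration and do not correspond to platform tables or fields.

```javascript
// Added example: a stand-alone model of entity scoping for a privacy program.
// Not ServiceNow code; every record, table name and question key below is
// constructed for illustration.

// Constructed CMDB-style inventory. Each record lists the information objects
// mapped to it; type "PI" marks an information object of type Personal information.
const INVENTORY = [
  { name: "Customer onboarding", table: "business_process",
    informationObjects: [
      { name: "Customer name", type: "PI" },
      { name: "Order total", type: "Financial" },
    ] },
  { name: "Payroll", table: "business_application",
    informationObjects: [{ name: "Employee bank account", type: "PI" }] },
  { name: "Build server", table: "business_application", informationObjects: [] },
  { name: "Newsletter mailing", table: "business_process", informationObjects: [] },
];

// Constructed entity types, in the spirit of "Business applications that store
// employee information" and "Business processes that process customer data".
const ENTITY_TYPES = {
  employeeApps: { table: "business_application" },
  customerProcesses: { table: "business_process" },
};

// Method 1, the enhanced entity filter: keep only records mapped to at least
// one PI information object. These need no assessment.
function discoverByPersonalInformation(inventory) {
  return inventory.filter((e) => e.informationObjects.some((io) => io.type === "PI"));
}

// Method 2, step 2: identify the entities an entity type selects.
function identifyEntities(inventory, entityType) {
  return inventory.filter((e) => e.table === entityType.table);
}

// Entities the type selects that have no PI mapping: only these need an
// initial privacy assessment sent to their owners (step 3).
function assessmentCandidates(inventory, entityType) {
  const mapped = new Set(discoverByPersonalInformation(inventory).map((e) => e.name));
  return identifyEntities(inventory, entityType).filter((e) => !mapped.has(e.name));
}

// Step 4: a processing activity is created only when the relevant screening
// question is answered "yes"; a "no" or an unanswered question creates nothing.
function createProcessingActivities(responses) {
  const activities = [];
  for (const r of responses) {
    if (r.answers.processesPersonalData === "yes") {
      activities.push({
        entity: r.entity,
        dataCategories: r.answers.dataCategories || [],
        source: "initial privacy assessment",
      });
    }
  }
  return activities;
}

// Final scope: entities with a PI mapping plus those whose assessment confirmed
// personal data processing. Everything else stays out of scope and does not
// appear in the privacy applications.
function scopeEntities(inventory, responses) {
  const inScope = new Set(discoverByPersonalInformation(inventory).map((e) => e.name));
  for (const a of createProcessingActivities(responses)) inScope.add(a.entity);
  return inventory.filter((e) => inScope.has(e.name)).map((e) => e.name);
}

// Constructed owner responses for the two unmapped entities.
const RESPONSES = [
  { entity: "Build server", answers: { processesPersonalData: "no" } },
  { entity: "Newsletter mailing",
    answers: { processesPersonalData: "yes", dataCategories: ["email address"] } },
];

console.log(scopeEntities(INVENTORY, RESPONSES));
```

    Running the block prints the three in-scope entities: the two found by the information-object filter and the one whose owner confirmed personal data processing in the assessment. The build server, which has no PI mapping and whose owner answered "no", is left out of scope.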