Smart assessments in Privacy Management
Summarize
Summarized using AI
This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.
Summary of Smart Assessments in Privacy Management
Smart assessments in Privacy Management leverage the Smart Assessment Engine (SAE) to conduct privacy screening and privacy impact assessments. These assessments help privacy teams efficiently gather critical information about data processing activities, evaluate privacy risks, and determine necessary mitigation measures. There are two primary assessment types:
Show less
- Privacy Screening Assessment: A preliminary evaluation to identify if personal data is involved and whether a detailed privacy impact assessment (PIA) is needed. It is typically used when new business applications or processes are created.
- Privacy Impact Assessment: A detailed analysis of how a business application, system, or process affects personal data privacy, assessing risks and mitigation strategies. Risk scores can be revisited over time to ensure ongoing risk management.
To enable smart assessments, the snprivacy.enablesmartassessment system property must be activated.
Key Features
- Smart Assessment Engine Application: Provides configurable templates, workflows, inline guidance, and actionable insights for reviewing assessments.
- Assessment Templates: Two main template versions are provided starting with the Zurich release - Privacy Screening Assessment [V4] and Privacy Impact Assessment [V4]. These include sections for general information, detailed questions, data elements, and automations.
- Automation Capabilities: Automations can be set up to streamline processing, such as automatic creation of processing activities and application of risk statements and control objectives based on user responses. This ensures consistency and reduces manual errors.
- Data Hierarchy and Lawful Basis Collection: The assessments capture data flow hierarchies and the lawful basis for data processing, improving transparency and compliance.
- Migration and Reassignment: Assessments can be migrated from older systems, and reassigned to the appropriate responders for accuracy and efficiency.
Using Assessment Templates
Privacy screening assessment templates include three sections: General (category and targets), Questions (responders’ questions and data elements), and Automations (rules for automatic processing activities and risk control application). Privacy impact assessment templates include overview, details, and optional automations, with the ability to add personal data elements to the questionnaire.
Review and Approval Process
Privacy analysts review submitted assessments, with options to request revisions or approve them directly. During review, privacy managers can view:
- Information objects identified in the screening assessment.
- Data flow hierarchy showing where data originates and where it is sent.
- Outcomes including associated risk statements and control objectives.
Practical Benefits for ServiceNow Customers
- Improved accuracy and completeness of privacy data collection, reducing manual effort.
- Automated risk and control application ensures consistent privacy risk management.
- Configurable templates allow organizations to tailor assessments to their specific privacy requirements.
- Enhanced visibility into data flows and lawful processing bases supports regulatory compliance.
The new and improved assessment experience in Privacy Management uses the Smart Assessment Engine (SAE) application. The assessment engine enables you to perform privacy screening and privacy impact assessments to collect the necessary information for the privacy teams.
In Privacy Management, assessments play an important role. There are two types of assessments.
- Privacy screening assessment: A privacy screening assessment is a preliminary evaluation used to determine whether a processing activity involves personal data and whether it may pose privacy risks. It’s a high-level review conducted to identify whether a more detailed privacy review, such as a privacy impact assessment (PIA), is necessary. For example, when a new business application or process is created, the privacy teams must understand if the application or the business process processes personal data or not. To determine this, the screening assessments are sent to the business application or business process owners. After the assessment is approved by the privacy manager, a processing activity is created.
- Privacy impact assessment: After a screening assessment is performed, based on the responses, a privacy impact assessment may be generated. A Privacy impact assessment is a comprehensive evaluation of how a business application, system, or process affects personal data privacy. It assesses the privacy risks associated with processing activities and identifies measures to mitigate these risks. Each time a privacy impact assessment is performed, the risks are revisited to determine if the risk score changed. This helps the privacy teams remain vigilant and address the risks as required.
Note:
To use Smart Assessment Engine, you must enable the sn_privacy.enable_smart_assessment property that is located under system properties.
Benefits of using the new assessment experience
The new assessment experience offers the following benefits.
- Capture all the required information during the assessment eliminating the need for manually adding details to the processing activity.
- Capture the hierarchy or flow of data and specify where the data is coming from and where is the data going.
- Collect the lawful basis of collecting and processing data.
- Create multiple sections for logical grouping of questions
- Migrate assessments from older systems.
- Provide inline guidance for questions.
- Reassign the assessment to the correct responder.
- Create highly configurable templates.
Types of assessment templates
To perform the screening and the impact assessments, you require assessment templates. While the assessment templates are based on the Smart Assessment Engine, there are some additional configurations provided for the users of Privacy Management. Starting with the Zurich release, two assessment templates, Privacy Screening Assessment [V4] and Privacy Impact Assessment [V4] are provided to perform smart assessments.
Privacy Screening Assessment [V3] and Privacy Impact Assessment [V3] templates are also available. Some important differences between these templates and the additional configurations
are explained as follows.
- Privacy screening assessment
-
Starting with the Zurich release, a new template for Privacy screening assessment (Privacy Screening Assessment [V4]) is available.
For a screening assessment template, there are three sections:- General: In this section, you specify the assessment template category as Privacy category and also specify the assessment targets. For a screening assessment, the assessment targets are entities and privacy tasks.
- Questions: This section contains questions for the assessment responders. This section also contains data elements which are single units of information that represent a specific attribute or characteristic about a data subject or entity. Examples of data elements are name, email address, date of birth, and so on. In this section, you’ll also find a section titled Criticality factors and these questions are used to calculate the criticality score.
- Automations: In this section, you can define the rules that allow the automatic creation of processing activities based on the responses to questions. This section uses Workflow Studio. These automations are mapped to their relevant questions. Automation streamlines various processes, including the application of risk statements and control objectives based on user responses. When users select specific responses during an assessment, the system automatically applies the appropriate risks and controls to the relevant records. For example, consider an organizational policy stating that personal data can only be transferred outside the EU with explicit consent. During an assessment, if a user indicates that data is being transferred outside the EU, the system will automatically apply the Data Transfer risk to the processing activity: Assign Explicit Consent as a control to mitigate the identified risk. This automation ensures consistency, saves time, and reduces the likelihood of human error in managing risks and controls.
Figure 1. Privacy screening assessment - Privacy impact assessment
-
Starting with the Yokohama release, a new template for Privacy impact assessment (Privacy Impact Assessment [V4]) is available.
For a privacy impact assessment template, like the screening assessment template, you have the Overview and Details sections, and while by default, the Automations section is present, it does not contain any predefined automations. You can add automations if you require them. For an impact assessment template, apart from the questionnaire, you can add the personal data elements. For detailed information on how to configure an impact assessment template, see Configure smart assessment templates for impact assessments.Figure 2. Privacy impact assessment screen
Note:
Only published templates are available for assessments.
Review of an assessment
When privacy analysts receive an assessment, they review the assessment. During the review, they can either request for a revision of the assessment or directly approve it. During the Review state, the
privacy managers can view the following items:
- Information objects: The information objects tab displays the information objects identified as part of the screening assessment.
- Hierarchy: The hierarchy of where data comes from and where it goes.
- Outcomes: The outcomes tab displays the risk statement and the control objectives associated with the assessment.