Entity scoping to plan a privacy program
Entity scoping is the foundational step for privacy managers in planning a privacy program within an organization. It involves identifying business applications or processes—referred to as entities in Governance, Risk, and Compliance (GRC)—that process personal data. Once entities processing personal data are identified, related processing activities are automatically created to support privacy management efforts.
Key Features
- Entity Identification: Privacy managers with the snprivacymanager role can discover entities processing personal data either by filtering on their use of personal information or by sending initial privacy assessments to entity owners.
- Integration with CMDB: Business processes, applications, vendors, and services are maintained in their respective Configuration Management Database (CMDB) tables by the business owners, which enables accurate scoping.
- Enhanced Entity Filters: Enables discovery of entities associated with specific personal information by mapping information objects (personal information types) to business processes or applications.
- Initial Privacy Assessments: If information objects are not mapped, privacy managers can create entity types, select the relevant entities, and send privacy screening assessments to determine whether personal data is processed. Affirmative responses automatically generate processing activities.
Key Outcomes
- Efficient and accurate identification of entities that process personal data, forming the basis of privacy program planning.
- Automatic creation of processing activities linked to scoped entities, reducing manual effort and improving data governance.
- Streamlined privacy assessments help validate entity involvement with personal data, enhancing compliance and risk management.
- Only entities containing personal information appear in privacy-related applications after scoping, ensuring focused and relevant privacy management.
When a privacy manager plans the privacy program for an organization, the first step is to scope the business applications or processes that contain personal data. In Governance, Risk, and Compliance, these business applications and business processes are called entities. After you identify the entities that process personal data, the processing activities are created automatically.
Entity scoping involves:
- Identifying all business processes and vendors that process customers' personal data.
- Identifying business applications that process employees' personal data.
- Filtering the entities, either by discovering processing activities through their use of personal information, or by sending initial privacy assessments.
Discover processing activities by their usage of personal information
At the inventory level, when business processes, business applications, and other inventory records are mapped to information objects of type Personal information (PI), the privacy manager can discover the records that process a specific kind of PI. For details about information objects and their role in Privacy Management, see Information objects in Privacy Management.
Identify potential entities and send initial privacy assessments
If information objects are not mapped to the business applications or processes, you can send initial privacy assessments to all the entities and use their responses to determine whether personal data is being processed. The steps to send the assessment are as follows:
- Create an Entity type. For example, Business processes that process customer personal information or Business applications that store employee information.
- Identify entities using the Entity type you created.
- Select the relevant entities and send privacy screening assessments to the respective entity owners.
- Based on the responses, processing activities are created automatically when the relevant questions are answered affirmatively; entities whose owners answer no, or do not respond, stay out of scope.
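The two scoping paths above (discovery through PI-type information object mappings, and the four-step screening assessment for unmapped entities) are modelled below as an added example. This is illustrative code written for this page, not ServiceNow's own API or schema: the class, field and question names are assumptions, and the inventory and assessment responses are constructed sample data. It shows the point the page makes at the end: only entities that end up with a processing activity, whether from a mapping or from an affirmative owner response, appear in the privacy applications.

```python
from dataclasses import dataclass, field

# Assumption: "Personal information" is the information object type that marks
# personal data, as on the page. Everything else here is an illustrative model,
# not ServiceNow's table or field names.
PI_TYPE = "Personal information"


@dataclass
class InformationObject:
    name: str
    io_type: str


@dataclass
class Entity:
    name: str
    entity_class: str                      # CMDB class: application, process, vendor ...
    owner: str
    information_objects: list = field(default_factory=list)

    def personal_information(self):
        """Names of the PI-type information objects mapped to this record."""
        return [io.name for io in self.information_objects if io.io_type == PI_TYPE]


@dataclass
class ProcessingActivity:
    entity: str
    source: str                            # how the entity was scoped in
    personal_information: list


@dataclass
class EntityType:
    """Step 1: an entity type is a named filter over the inventory (assumed model)."""
    name: str
    entity_class: str


# Path 1: records already mapped to PI-type information objects are discovered directly.
def discover_by_information_objects(entities):
    return [ProcessingActivity(e.name, "information object mapping", e.personal_information())
            for e in entities if e.personal_information()]


# Step 2: identify the unmapped entities that match the entity type.
def identify_entities(entities, entity_type):
    return [e for e in entities
            if e.entity_class == entity_type.entity_class and not e.personal_information()]


# Step 3: one screening assessment per entity, addressed to its owner.
def send_screening_assessments(entities):
    return {e.name: {"owner": e.owner,
                     "question": "Does this entity process personal data? If so, which categories?"}
            for e in entities}


# Step 4: a processing activity is created only from an affirmative answer;
# a negative answer or no answer at all leaves the entity out of scope.
def process_responses(entities, responses):
    activities = []
    for e in entities:
        answer = responses.get(e.name)
        if answer and answer.get("processes_personal_data") is True:
            activities.append(ProcessingActivity(e.name, "privacy screening assessment",
                                                 list(answer.get("categories", []))))
    return activities


def scope_privacy_program(entities, entity_type, responses):
    """Run both paths and return every processing activity that was created."""
    activities = discover_by_information_objects(entities)
    candidates = identify_entities(entities, entity_type)
    activities += process_responses(candidates, responses)
    return activities


def in_scope(activities):
    """Only entities that own a processing activity appear in privacy applications."""
    return sorted({a.entity for a in activities})


# Constructed sample inventory, entity type and owner responses (not real data).
SAMPLE_ENTITIES = [
    Entity("Billing portal", "Business application", "a.singh",
           [InformationObject("Customer email", PI_TYPE),
            InformationObject("Price list", "Business data")]),
    Entity("Payroll system", "Business application", "b.lee"),
    Entity("Build server", "Business application", "c.ortiz"),
    Entity("Customer onboarding", "Business process", "d.kim"),
]
SAMPLE_ENTITY_TYPE = EntityType("Business applications that store employee information",
                                "Business application")
SAMPLE_RESPONSES = {
    "Payroll system": {"processes_personal_data": True, "categories": ["Employee bank details"]},
    "Build server": {"processes_personal_data": False},
    # "Customer onboarding" is a business process, so it never received this assessment
}

if __name__ == "__main__":
    for request in send_screening_assessments(
            identify_entities(SAMPLE_ENTITIES, SAMPLE_ENTITY_TYPE)).items():
        print("assessment sent:", request)
    activities = scope_privacy_program(SAMPLE_ENTITIES, SAMPLE_ENTITY_TYPE, SAMPLE_RESPONSES)
    for a in activities:
        print(a)
    print("in scope:", in_scope(activities))
```

Running it sends assessments for Payroll system and Build server only (Billing portal is already mapped, Customer onboarding is the wrong class), then produces two processing activities: Billing portal from its PI mapping and Payroll system from the owner's affirmative answer. Build server answered no and is left out of scope, which is the behaviour a privacy manager should expect from the screening step.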
Figure 2. Sending privacy assessments to entities