Entity scoping to plan a privacy program
When a privacy manager plans the privacy program for an organization, the first step is to scope the business applications and processes that contain personal data. In Governance, Risk, and Compliance, these business applications and business processes are called entities. After you identify the entities that process personal data, the corresponding processing activities are created automatically.
A privacy manager can plan the program around goals such as:
- Identifying all the business processes and vendors that process personal data of customers.
- Identifying business applications that process personal data of employees.
The entities can be identified in either of two ways:
- Filtering the entities by discovering the processing activities through their usage of personal information.
- Sending initial privacy assessments.
- Discover processing activities by their usage of personal information
- At an inventory level, when business processes, business applications, and other inventory records are mapped to information objects of type Personal information (PI), the privacy manager can discover the records that process specific PI. The inventory for these business processes, applications, vendors, and services lives in Configuration Management Database (CMDB) tables maintained by the respective business owners, so discovery is only as complete as those mappings. For details about information objects and their role in Privacy Management, see Information objects in Privacy Management.
- Identify potential entities and send initial privacy assessments
- If the information objects are not mapped to the business applications or processes, you can send initial privacy assessments to all the entities and use their responses to determine whether personal data is being processed. The steps to send the assessment are as follows:
- Create an Entity type. For example, Business processes that process customer personal information or Business applications that store employee information.
- Identify entities using the Entity type you created.
- Select the relevant entities and send privacy screening assessments to the respective entity owners.
- Based on the responses, processing activities are created automatically when the relevant questions are answered.
Figure 2. Sending privacy assessments to entities