Working with data processing activities

  • Release version: Washington DC
  • Updated February 1, 2024

Data Processing Officers can use the options in the Data Processing Activity module to create targets, identify them as data processing activities, and perform GDPR DPIA target assessments on them to determine whether the targets are high risk.

    Note:
    Starting with the Rome release, GRC: GDPR DPIA Accelerator is being prepared for future deprecation. It will be hidden and no longer activated on new instances, but will continue to be supported. For details, see the Deprecation Process [KB0867184] article in the Now Support knowledge base.

    Create a target

    In GDPR, a target refers to the association between an entity and a data processing activity.

    Before you begin

    Role required: sn_irm_gdpr_dpia.risk_executive or sn_irm_gdpr_dpia.data_processing_officer

    About this task

    A target assessment runs on a target to identify if it is a data processing activity. If the assessment comes back and the target is identified as high-risk, create a DPIA risk to run a DPIA assessment to determine how the risk can be mitigated.

    Targets can be created manually, or you can generate them automatically by selecting the Generate target check box on the Entity form or the Entity Type form.

    Procedure

    1. Navigate to All > GDPR DPIA > Data Processing Activity > Create Target.
    2. Fill in the fields, as needed.
      Field | Description
      Name | Enter the name of the target.
      Owned by | Select the owner for this target.
      Description | Enter a description that describes the target.
      Active | Select this check box to activate the target.
      Entity | Select the entity associated with this target. An entity can have only one target associated with it.
      Framework | This field defaults to GDPR DPIA.
    3. Do one of the following:
      • To save the data, click Update.
      • To identify the target record as a data processing activity, follow the steps in "Identify a target as a data processing activity" below.
      • To modify the list of assessment respondents, click the Preliminary Assessments tab.
      • To perform a preliminary assessment on the target, click Send Assessments.
      • To perform a DPIA assessment on the target, click Generate DPIA.

    Identify a target as a data processing activity

    Identifying a target as a data processing activity is the first step in determining whether a data processing assessment should be performed on the target.

    Before you begin

    Role required: sn_irm_gdpr_dpia.risk_executive or sn_irm_gdpr_dpia.data_processing_officer

    Procedure

    1. Navigate to All > GDPR DPIA > Data Processing Activity > All Targets.
    2. Select the target record you want to identify as a data processing activity.
    3. Click Update.
      Two related lists appear: GDPR DPIA and GDPR Preliminary Assessment.
    4. On the GDPR DPIA tab, select the Data Processing Activity check box.
    5. Fill in the fields, as needed.
      Field | Description
      Approval Status | Displays the current status of the approval process.
      Purpose | The purpose of the target. Include information such as where the activity is applicable.
      Necessity and proportionality | An assessment of the necessity and proportionality of the target in relation to its purpose.
      Known measures | Measures for addressing the risk, including safeguards, security measures, and mechanisms to ensure the protection of personal data.
      Evaluation Criteria | Click the lock icon and select the criteria to be considered to evaluate whether the target likely results in high risk. The criteria are:
        • Evaluation or scoring
        • Automated decision-making with legal or similar significant effect
        • Systematic monitoring
        • Sensitive data or data of a highly personal nature
        • Data processed on a large scale
        • Matching or combining datasets
        • Data concerning vulnerable data subjects
        • Innovative use or applying new technological or organizational solutions
        • Preventing data subjects from exercising a right or using a service or contract
      Uses existing DPIA? | Select this check box if the target uses a pre-existing DPIA, then click the lock icon and select the DPIAs associated with this target from the list.
      Is advised by Data Processing Officer? | Select this check box if the target requires the approval of a Data Processing Officer, then click the lock icon and select the appropriate Data Processing Officer from the list.
      Uses approved Code of Conduct? | Select this check box if the target must be compliant with a Code of Conduct when its impact is assessed, then enter the name of the Code of Conduct in the text box.
      Seeks Data Subject views? | Select this check box if the target requires that the views of data subjects or their representatives be reviewed, then enter the data subject views in the text box.
      In existence prior to GDPR? | Select this check box if the target existed prior to the creation of the GDPR.
        Note: The requirement to carry out the DPIA applies to all existing data processing activities that are likely to result in a high risk to the rights and freedoms of natural persons for whom there has been a change of the risks.
      Is of high-risk? | Select this check box if this is a high-risk target.
        Note: Even if there are no indications of likely high risk, consider performing a DPIA assessment for any major data processing activities that involve the use of personal data.

      Note:
      You have two options for filling out the fields on the GDPR DPIA tab. You can fill them out manually as described above, or, if you do not know the answers to the questions, you can generate an assessment for someone else who does, and then copy their responses from the assessment to the target form as described below.
    6. To generate an assessment for another user, perform these steps.
      1. Click the GDPR Preliminary Assessment tab.
      2. In the Assessment Respondents field, click the lock icon and select the user you want to fill out the form.
      3. When you have selected the respondent, click the lock icon again.
      4. Click Send Assessments.

        After the selected user has taken the assessment, a Copy Assessment Responses button appears.

      5. Click Copy Assessment Responses.

        The completed assessment record is shown.

      6. You can click View Response to view the assessment answers.
      7. Select the record and click Copy.
        The answers provided by the selected respondent are copied to the GDPR DPIA.
    7. When you have completed the fields, do one of the following:
      • To save the data, click Update.
      • To modify the list of assessment respondents, click the Preliminary Assessments tab.
      • To perform a preliminary assessment on the target, click Send Assessments.
      • To generate a DPIA risk and initiate a DPIA assessment on the target, click Generate DPIA.
      • If you selected the Is advised by Data Processing Officer? check box and selected an approver, a Request DPO Approval button appears. Click this button to request approval from the selected approver. All fields on the GDPR DPIA tab become read-only. If further modification is needed, you can click Reset Approval.

    Send a preliminary assessment for a target

    You can initiate a preliminary assessment on a target to determine whether it is deemed to be a high-risk operation and to decide what mitigation procedures are needed. After the preliminary assessment is initiated, the selected assessment respondents can take the assessment.

    Before you begin

    Role required: sn_irm_gdpr_dpia.risk_executive or sn_irm_gdpr_dpia.data_processing_officer

    Procedure

    1. Navigate to All > GDPR DPIA > Data Processing Activity > All Targets.
    2. Open the target record you want to perform a preliminary assessment for.
    3. Be sure that the Framework field shows GDPR DPIA.
    4. Click the GDPR Preliminary Assessment tab.
    5. Be sure the Assessments field shows GDPR DPIA Targets Assessment.
    6. In the Assessment Respondents field, click the lock icon and select the users you want to take the preliminary assessment for the target.
    7. When you have selected the respondents, click the lock icon again.
    8. Click Send Assessments.
      The assessments are sent to the selected respondents and a message shows the number of assessments created. Also, the Assessments tab shows the assessment records.
    9. To request the Data Processing Officer's approval, click the Request DPO Approval related link.
    10. After respondents have responded, you can view their responses by clicking View Responses on the Assessments tab.

    Take a preliminary assessment

    When you have been identified as a respondent of a preliminary assessment, you must access and take the assessment.

    Before you begin

    Role required: None

    Procedure

    1. Navigate to All > GDPR DPIA > Data Processing Activity > My Preliminary Assessments.
      All assessments for which you are a requested respondent are shown.
    2. Open the assessment you want to take.

      The fields are described here.

      Field | Description
      Number | Auto-generated record number.
      Metric type | Metric type of this assessment.
      Due date | Date by which the assessment must be completed. The system populates the due date from the value in the metric type Assessment duration field. The system generates email notifications related to the due date.
        Note: By default, the system runs the Cancel Expired Assessments script every 30 days to cancel expired survey, assessment, and quiz instances that are in the Work in progress or Ready to take states.
      Expiration date | Date by which the assigned user can repeat the assessment.
      State | State of the assessment.
      Assigned to | User this assessment is assigned to. This field becomes read-only when the state is In progress, Complete, or Canceled.
      Signature result | Verification provided by the recipient when a signature is required. This value is either the recipient's full name from the User [sys_user] table or checked, indicating that the recipient acknowledged reading the assertion by selecting a check box.
    3. Click Take Assessment.
    4. Answer the questions to the best of your ability, then click Submit.

    View all preliminary assessments

    Risk executives and Data Processing Officers can view the responses from individual assessment takers.

    Before you begin

    Role required: sn_irm_gdpr_dpia.risk_executive or sn_irm_gdpr_dpia.data_processing_officer

    Procedure

    1. Navigate to All > GDPR DPIA > Data Processing Activity > All Preliminary Assessments.
    2. Click the assessment number of the assessment you want to review.
    3. Click the View User's Response related link.