GDPR DPIA Use Case Accelerator

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 6 minutes to read

    The General Data Protection Regulation (GDPR) is a regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU).

    Note:
    GRC: GDPR DPIA Accelerator is now deprecated and no longer supported or available for new activation. For details, see the Deprecation Process [KB0867184] article in the Now Support knowledge base.

    GDPR DPIA Use Case Accelerator in a nutshell

    The ServiceNow® GDPR DPIA Use Case Accelerator allows you to perform data protection impact assessments (DPIA) to protect the personal data of individuals within and outside of the EU. The following diagram and steps describe the flow of the GDPR DPIA Use Case Accelerator system.

    Figure: GDPR DPIA use case accelerator flow
    1. A target is the association between an entity and a data processing activity. Targets can be created manually, or generated automatically by selecting the Generate target check box on the entity screen.
    2. A preliminary assessment can be performed on a target to determine whether it is a high-risk operation and to decide which mitigation procedures are needed.
    3. Based on the findings of the preliminary assessment, you can create a DPIA risk to perform a GDPR DPIA assessment. Risk executives and Data Protection Officers can view the progress of the assessment and the responses from individual assessment takers.
    4. If an assessment respondent selected mitigation measures in the assessment, a Risk Mitigation task is created after the assessment has been completed.
    5. The GDPR DPIA Use Case Accelerator overview dashboard provides an executive view into data points such as risks, assessments, and risk mitigation measures, helping GDPR DPIA executives and officers pinpoint areas of concern quickly.

    Assessments performed using the GDPR DPIA Use Case Accelerator

    Two types of assessments can be performed: preliminary assessments and GDPR DPIA assessments.

    Preliminary assessments (also known as GDPR DPIA target assessments): Preliminary assessments are carried out directly on a data processing operation target. A target contains information that is shared between the ServiceNow Governance, Risk, and Compliance applications and the use case accelerator applications, including the GDPR DPIA Use Case Accelerator. The target captures key characteristics of the data processing operation, such as its purpose, necessity, and evaluation criteria. The preliminary assessment helps users reach a conclusion about the operation and, when it is deemed high-risk, determine the mitigation procedures that are needed.

    GDPR DPIA assessments: DPIA assessments are typically performed for high-risk data processing operations, that is, for targets flagged as high-risk. However, DPIA assessments are not evaluated directly on the targets. They are instead evaluated using the risk assessment functionality provided in the Risk Management application. In the GDPR DPIA Use Case Accelerator context, a DPIA assessment is referred to as a DPIA Risk.

    As an outcome of a preliminary assessment, risk executives can create risks. These are the actual risks identified from the evaluation of the target during the preliminary assessment. While risk executives are encouraged to use the Risk Management application to record such risks, they can also record them using the GDPR DPIA Use Case Accelerator application, as described in this section.
    Note:
    Two types of content are enabled by the GDPR DPIA Use Case Accelerator application: Core content and Demo content. Core content is directly accessible by the modules you configure in GDPR DPIA > Content. Demo content is indirectly accessible by the applications in the GRC product suite. Both Core content and Demo content can be viewed using the dashboards and reports.

    Who uses the GDPR DPIA Use Case Accelerator

    Persona: Description

    Data Protection Officer: Ensures that an organization applies the laws protecting the personal data of individuals. The designation, position, and tasks of a DPO within an organization are described in Articles 37, 38, and 39 of the EU General Data Protection Regulation.

    Risk Executive: Ensures that risks are identified and managed consistently across the organization. Facilitates the data protection impact assessments as per the organization's strategy.

    Governance, Risk, and Compliance admin: Provides access to all applications under GDPR > Administration.

    GDPR DPIA Use Case Accelerator supporting concepts

    Familiarize yourself with these concepts, developed from the GDPR DPIA guidance.
    Concept: Description
    Data Processing Operation (or Activity)

    Processing covers a wide range of operations performed on personal data. It includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of personal data.

    The GDPR applies to the processing of personal data wholly or partly by automated means, as well as to non-automated processing if it is part of a structured filing system.

    In the GDPR DPIA application, a Data Processing Operation (or Activity) is represented by a Target (explained below), which is defined precisely enough to stand for a processing operation as described in the GDPR.

    Data Protection Impact Assessment (DPIA)

    A DPIA is an assessment of the impact of data processing operations on the protection of personal data, and more particularly, an assessment of the likelihood and severity of risks for the rights and freedoms of individuals resulting from a processing operation. Under the GDPR, controllers are required to perform DPIA assessments prior to executing a data processing operation that is likely to result in high risk for the rights and freedoms of individuals.

    DPIA is a risk assessment in the GDPR DPIA application. The DPIA Register modules facilitate creation, execution, and tracking of the DPIA assessments using the ServiceNow® Risk Management application. A DPIA assessment is initiated in Risk Management and its base system workflow helps drive the DPIA assessment to leverage standard risk assessment features.

    General Data Protection Regulation (GDPR)

    This regulation protects natural persons with regard to the processing of personal data and the free movement of such data. It repeals Directive 95/46/EC (Data Protection Directive).

    The GDPR DPIA Use Case Accelerator application supports DPIA and provides a structured approach to conducting assessments.
    High-Risk Processing Operation (or Activity)

    This is a processing operation assessed to have a high likelihood and severity of harm, and therefore likely to result in a high risk to the rights and freedoms of natural persons. Usually, organizations make a pre-determination (that is, prior to executing a DPIA assessment) of whether a data processing operation is high-risk, based on several factors specific to the organization and the nature of its services. DPIAs are usually performed after such a pre-determination.

    A Data Processing Operation (or Activity) in the GDPR DPIA Use Case Accelerator application is referred to as a Target. A Target can be flagged as “high-risk” to indicate it’s a high-risk processing operation.

    Risk
    GDPR outlines various components of the DPIA that overlap with well-defined components of risk management. In risk management terms, a DPIA aims at “managing risks” to the rights and freedoms of natural persons through the following processes:
    • establishing the context: “taking into account the nature, scope, context and purposes of the processing and the sources of the risk”
    • assessing the risks: “assess the particular likelihood and severity of the high risk”
    • treating the risks: “mitigating that risk” and “ensuring the protection of personal data”, and “demonstrating compliance with this regulation”

    To facilitate logging of the risks as an outcome of the DPIA assessment, the GDPR DPIA Use Case Accelerator application provides Risk Register and Risk Assessments modules.

    Target

    The target is the foundation of the GDPR DPIA Use Case Accelerator and all related concepts.

    The target is a table shared between the ServiceNow® GRC products and several use case accelerators. Targets are similar to the concept of entities in the core GRC applications. They are optionally linked to entities, and hold the attributes that are specific to the use case accelerators.