Privacy Management solution overview

  • Release version: Washingtondc
  • Updated February 1, 2024

    The Privacy Management solution provides you a framework to manage your privacy-specific libraries such as citations, policies, control objectives, risk statements, privacy impact assessments and privacy risk assessments. It also provides processing activity records to track the privacy risk and compliance posture for a business application or a business process by applying and monitoring the relevant risks and controls.

    Before planning your privacy program, ensure that you set up the privacy libraries according to the privacy regulations that you plan to implement. For more information on the library setup, refer to Manage the Privacy Management library.

    The following figure demonstrates the Privacy Management solution.
    Figure 1. Privacy management solution overview

    The Privacy Management solution is described as follows.

    Create a library

    As a privacy manager (role sn_privacy.manager) or privacy administrator (role sn_privacy.admin), you must set up the following libraries:
    • Privacy impact assessments
    • Personal information objects
    • Privacy regulations, authority documents, citations, and control objectives.
    • Privacy policies and procedures
    • Privacy risk statements

    Privacy impact assessments

    1. Discover inventory: As a privacy manager, with the role sn_privacy.manager, identify or discover the inventory, such as business processes, business applications, vendors, and business services, that processes personal data. All such inventory is stored in the respective Configuration Management Database (CMDB) tables, and the respective business owners manage it. As a privacy manager, use the Entity types feature to create an entity for each inventory record. For more information about entity types, see Exploring the entities. At this stage, depending on the discovery method, use one of the following approaches to create processing activities.
      1. Search business processes or applications that process personal data: Use this approach when business processes, applications, services, or vendors are already associated with information objects. Using the entity type functionality, search for entities that process [PI] Information objects and create the processing activity records directly from the search results. This approach works only when the business owners have associated the inventory with information objects. For more information, see Entity scoping to plan a privacy program.
      2. Send privacy screening assessments: Use this approach when information objects are not associated with the inventory, such as business applications and processes. In this approach, send privacy screening assessments to the respective business owners. These screening assessments contain basic questions, for example:
        • Are you processing personal information as part of the business process or application that you own?
        • What kind of personal information are you processing? For example, email, phone, and address.
        If the assessment responses determine that there is personal data, processing activities are created automatically.
    2. Submit from the Employee Center: Business users can also proactively submit privacy impact assessments for new applications and processes from the Employee Center.

    Manage and update the processing activities

    1. Create or update a processing activity: As a privacy analyst, with the role sn_privacy.analyst, send a privacy impact assessment (PIA) to the processing activity owners or business owners after a processing activity is created. The PIA helps you understand why and how the processing activity processes personal information. The assessment collects information such as the justification for storing PI data, the exchange of PI data with other systems, and the security of PI data.
    2. Send or automatically initiate a PIA: As a privacy analyst, send a PIA from a processing activity whenever you must collect more information. Alternatively, assessments can be initiated automatically based on the privacy program frequency defined by the privacy manager and the privacy administrator. An auto-initiate schedule can be created using the ServiceNow AI Platform capabilities.
    3. Apply risks and controls related to the processing activity: After the assessment responses show how personal information is used in the processing activity, the necessary risk statements, controls, policies, and authority documents are automatically applied to the processing activity based on those responses. For more information on how to configure assessments, see Create an assessment template. After the controls are added, the privacy analyst reviews them and adds or removes controls as necessary.
    4. Send control attestations: After the final set of controls is associated with the processing activity, control attestations are sent to the business process owners or application owners to collect evidence for every applied control. When the business owners respond with evidence for each control, compliant and non-compliant controls are identified. This identification determines the compliance posture of the processing activity.
    5. Report and monitor issues: Issues are created automatically for non-compliant controls and assigned to their respective business owners. The privacy analyst monitors the issues.
    6. Manage issues: To manage issues, business owners can do one of the following:
      • Resolve the issue: Resolving the issue makes the control compliant.
      • Raise a policy exception: An exception is raised for an issue that cannot be resolved immediately. Privacy analysts review the policy exceptions and either accept or reject them based on the criticality of the issue.
    7. Continuous control monitoring: Privacy analysts continuously monitor the controls on a processing activity using the indicator functionality. For more information about indicators, see Risk indicators, control indicators, and indicator templates.

    Assess the criticality of processing activities

    The criticality score provides the risk posture at the processing activity level by assessing factors defined for the processing activity. When a processing activity is created or updated, a criticality assessment is performed on it to produce a high-level risk score, the criticality score, which determines whether a detailed privacy risk assessment is needed.

    Perform privacy risk assessments

    Privacy risk assessments are detailed assessments that are conducted when the criticality score is high. Assess each risk that is associated with the processing activity to obtain the aggregated risk score for that processing activity. After you assess the privacy risks, you can view the privacy risk posture on the risk heatmap in the overview section. The heatmaps provide detailed information about your inherent and residual risks.