08-14-2025 12:53 AM
"So do you want to flag the entities or is it about Risks, responsibilities and mitigation?"
Here is the link to solution overview to get the general idea of the process.
https://www.servicenow.com/docs/bundle/yokohama-governance-risk-compliance/page/product/grc-privacy-...
Trying to put it briefly:
Basically, you gather information via different Privacy assessments from Users (usually the Entity owner), and the output of these assessments is:
- Privacy screening assessment: does the assessed Entity process any kind of Personal Information (if yes, the Entity gets flagged with Functional domain = Privacy, and a Processing activity associated with the Entity record gets created for the subsequent steps), and who are the contact users for these?
- Privacy Impact assessment:
A. You gather all the required information about the personal information being processed (types of personal information, categorisation, upstream and downstream data flow, etc.).
B. You identify the relevant Risks and Controls from a Privacy management point of view (based on the assessment answers) and manage them accordingly via the Risk and Compliance processes.
So the Privacy management's Processing activity record is a whole thing of its own and is the single point of entry for Privacy managers and analysts. But the process and data structure also leverage the common GRC tables and processes.
The main goal to resolve is that it is common that there are multiple separate sets of data (in my example case two separate Data subject types: employees and customers) that need to be gathered, assessed and tracked separately using the Processing activity records and following the Privacy management process.
OOB there is a one-to-one limitation set for the Entity-Processing activity relation, and there is no meaningful way of handling multiple separate sets of data under a single Processing activity record.