Problem with Privacy management data structure
08-13-2025 12:46 AM
Hello GRC Forum and fellow GRC implementers!
In a recent implementation we came across this problem with the Privacy Management product's OOB data structure and process model, which, I think, weakens its suitability for privacy management in accordance with the EU General Data Protection Regulation (GDPR):
Business requirement:
Under the GDPR, different types of processing require separate documentation, including evaluations of legal bases, purposes, and risks.
In practice, multiple processing activities may relate to the same process, application, or organizational unit — for example, when an application processes personal data of both customers and employees. These represent two different data subject types, and the processing may differ in various ways, such as:
- Purpose of processing: customer relationship management vs. employment management
- Types of data: purchase history vs. payroll data
- Legal bases: consent vs. employment contract
- Recipients: marketing partners vs. payroll service providers
Problem with OOB Privacy management product:
A single processing activity can only be linked to one entity, and an entity cannot be associated with multiple processing activities. This data structure is overly simplified in relation to the accountability and documentation requirements under the GDPR.
In the example above: The application would be an Entity record and the requirement would be to have separate Processing activity records (separate for handling customer and employee information) associated to Entity. Both Processing activity records hold different information and have different Risks, so the requirement is to assess and evaluate these as separate Processing activity records.
The way I see this, the solution is either
1. to enable multiple Processing activities associated per single Entity (requires quite a lot of changes to OOB logic)
or
2. to have additional Entity records created for Privacy management purposes (not a fan of this solution, as Entities are used across all GRC Processes and I think the best practice is to have a single Entity record represent a single CI).
What are your thoughts on, or experiences with, resolving this problem?
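To make the difference between the OOB one-to-one relation and the one-to-many relation described above concrete, here is an added example in Python. It is not ServiceNow code, it does not use the platform's tables or APIs, and the class names, field names and the "CRM application" sample data are constructed for illustration only. It models one Entity owning several ProcessingActivity records, shows what an Article 30 style register looks like per activity, then collapses the same data into the single record a 1:1 model permits and reports which per-activity fields (data subject type, purpose, legal basis, risk) can no longer be stated unambiguously; option 2 from the post (one synthetic entity per activity) is shown as well.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcessingActivity:
    """One GDPR processing activity with its own documentation and risk."""
    name: str
    data_subject_type: str          # e.g. "customer" or "employee"
    purpose: str
    legal_basis: str                # Art. 6(1) basis, kept as free text here
    data_categories: Tuple[str, ...]
    recipients: Tuple[str, ...]
    risk: str                       # e.g. "low", "medium", "high"


@dataclass
class Entity:
    """A CI-like entity (application, process, org unit) owning N activities."""
    name: str
    activities: List[ProcessingActivity] = field(default_factory=list)

    def add_activity(self, activity: ProcessingActivity) -> None:
        # One entity, many activities: the relation the post asks for.
        if any(a.name == activity.name for a in self.activities):
            raise ValueError(f"duplicate activity name: {activity.name}")
        self.activities.append(activity)


def records_of_processing(entity: Entity) -> List[Dict[str, object]]:
    """Article 30-style register: one row per activity, all on the same CI."""
    return [
        {
            "entity": entity.name,
            "activity": a.name,
            "data_subject_type": a.data_subject_type,
            "purpose": a.purpose,
            "legal_basis": a.legal_basis,
            "recipients": list(a.recipients),
            "risk": a.risk,
        }
        for a in entity.activities
    ]


def collapse_to_single_record(entity: Entity) -> Dict[str, List[str]]:
    """Simulate the 1:1 model: squeeze every activity into the one record the
    entity is allowed to have. Each field becomes the union of the values."""
    merged: Dict[str, List[str]] = {}
    for a in entity.activities:
        for key, values in (
            ("data_subject_type", [a.data_subject_type]),
            ("purpose", [a.purpose]),
            ("legal_basis", [a.legal_basis]),
            ("data_categories", list(a.data_categories)),
            ("recipients", list(a.recipients)),
            ("risk", [a.risk]),
        ):
            bucket = merged.setdefault(key, [])
            for v in values:
                if v not in bucket:
                    bucket.append(v)
    return merged


def granularity_findings(merged: Dict[str, List[str]]) -> List[str]:
    """Fields that must be single-valued if the record is to be assessed as
    one activity. A non-empty result means the 1:1 model has lost
    documentation that has to be kept per activity."""
    single_valued = ("data_subject_type", "purpose", "legal_basis", "risk")
    return [
        f"{key}: {len(merged[key])} distinct values ({', '.join(merged[key])})"
        for key in single_valued
        if len(merged.get(key, [])) > 1
    ]


def split_entity_workaround(entity: Entity) -> List[Entity]:
    """Option 2 from the post: one synthetic entity per activity. Each result
    holds exactly one activity, but one CI is now spread over several entity
    records, which is what the post objects to."""
    return [
        Entity(name=f"{entity.name} ({a.data_subject_type})", activities=[a])
        for a in entity.activities
    ]


def build_example() -> Entity:
    """Constructed sample data, not taken from any real implementation."""
    app = Entity(name="CRM application")
    app.add_activity(ProcessingActivity(
        "Customer relationship management", "customer",
        "customer relationship management", "consent",
        ("contact data", "purchase history"), ("marketing partners",), "medium"))
    app.add_activity(ProcessingActivity(
        "Employment management", "employee",
        "employment management", "employment contract",
        ("contact data", "payroll data"), ("payroll service provider",), "high"))
    return app
```

Calling `records_of_processing(build_example())` yields two register rows with different legal bases and risk ratings on the same entity; `granularity_findings(collapse_to_single_record(build_example()))` lists the four fields that end up with two competing values once the 1:1 model forces them into one record, and `split_entity_workaround` shows that option 2 makes the findings disappear only by breaking the one-CI-one-entity rule.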
08-14-2025 02:11 AM
I just happened to read the Zurich release notes for Privacy management and this problem might already be addressed there.
https://www.servicenow.com/docs/bundle/zurich-release-notes/page/release-notes/governance-risk-compl...
- Classify data subjects so that you can select and define multiple data subject types. You can get a realistic, granular, and scalable representation of your processing activities.
I will have to investigate that a bit to see how it affects this problem.