Smart assessments in Privacy Management
Summary of Smart assessments in Privacy Management
Smart assessments in Privacy Management, enabled by the Smart Assessment Engine (SAE), facilitate privacy screening and privacy impact assessments to gather essential data for privacy teams. These assessments are critical for determining privacy risks and managing personal data processing activities within your organization.
There are two main types of assessments:
- Privacy Screening Assessment: A high-level evaluation to decide if a processing activity involves personal data and whether a detailed privacy review like a Privacy Impact Assessment (PIA) is required.
- Privacy Impact Assessment: A detailed analysis of how business applications, systems, or processes affect personal data privacy, assessing risks and identifying mitigation measures.
Key Features
- Smart Assessment Engine Application: Enables configuration of assessment templates, workflows, question guidance, and review with actionable insights. Activation requires enabling the snprivacy.enablesmartassessment system property.
- Enhanced Data Capture: Automatically collects all necessary details during assessments, including data flow hierarchies and lawful basis for processing, reducing manual data entry.
- Configurable Templates: The Zurich release introduces recommended [V4] templates for both Privacy Screening and Privacy Impact Assessments, supporting logical question grouping, inline guidance, reassignment of assessments, and migration from older systems.
- Automations: Screening assessment templates include automation rules using Workflow Studio to streamline processing activity creation, risk statements, and control objectives application based on user responses, ensuring consistency and reducing errors.
- Assessment Review: Privacy analysts and managers can review assessments, request revisions, or approve them. They can view identified information objects, data hierarchy, and related risk and control outcomes during review.
Practical Benefits for ServiceNow Customers
- Efficiently determine if a detailed privacy assessment is needed, accelerating privacy compliance workflows.
- Gain comprehensive visibility into personal data flows and associated risks, supporting informed decision-making.
- Leverage automated risk and control application to improve accuracy and reduce manual effort in privacy risk management.
- Utilize modern, configurable templates and workflows that align with Zurich release capabilities, ensuring best practices and easier adoption.
- Streamline privacy assessment reviews with clear visibility into outcomes, enabling prompt and effective privacy risk mitigation.
Next Steps
To implement and optimize smart assessments:
- Enable the Smart Assessment Engine system property (snprivacy.enablesmartassessment).
- Adopt the Privacy Screening Assessment [V4] and Privacy Impact Assessment [V4] templates for new assessments.
- Configure automation rules within screening templates to automate risk and control assignments.
- Train privacy teams to review assessments using the information objects, data hierarchies, and outcomes tabs for thorough evaluations.
The new and improved assessment experience in Privacy Management uses the Smart Assessment Engine (SAE) application. The assessment engine enables you to perform privacy screening and privacy impact assessments to collect the necessary information for the privacy teams.
- Privacy screening assessment: A privacy screening assessment is a preliminary evaluation used to determine whether a processing activity involves personal data and whether it may pose privacy risks. It’s a high-level review conducted to identify whether a more detailed privacy review, such as a privacy impact assessment (PIA), is necessary. For example, when a new business application or process is created, the privacy teams must understand if the application or the business process processes personal data or not. To determine this, the screening assessments are sent to the business application or business process owners. After the assessment is approved by the privacy manager, a processing activity is created.
- Privacy impact assessment: After a screening assessment is performed, based on the responses, a privacy impact assessment may be generated. A Privacy impact assessment is a comprehensive evaluation of how a business application, system, or process affects personal data privacy. It assesses the privacy risks associated with processing activities and identifies measures to mitigate these risks. Each time a privacy impact assessment is performed, the risks are revisited to determine if the risk score changed. This helps the privacy teams remain vigilant and address the risks as required.
Benefits of using the new assessment experience
- Capture all the required information during the assessment, eliminating the need to manually add details to the processing activity.
- Capture the hierarchy or flow of data, specifying where the data comes from and where it goes.
- Collect the lawful basis of collecting and processing data.
- Create multiple sections for logical grouping of questions.
- Migrate assessments from older systems.
- Provide inline guidance for questions.
- Reassign the assessment to the correct responder.
- Create highly configurable templates.
Types of assessment templates
To perform the screening and the impact assessments, you require assessment templates. While the assessment templates are based on the Smart Assessment Engine, there are some additional configurations provided for the users of Privacy Management.
- Privacy screening assessment: Starting with the Zurich release, a new template for Privacy screening assessment (Privacy Screening Assessment [V4]) is available.
For a screening assessment template, there are three sections:
- General: In this section, you specify the assessment template category as Privacy category and also specify the assessment targets. For a screening assessment, the assessment targets are entities and privacy tasks.
- Questions: This section contains questions for the assessment responders. This section also contains data elements, which are single units of information that represent a specific attribute or characteristic of a data subject or entity. Examples of data elements are name, email address, and date of birth. This section also includes a subsection titled Criticality factors; the answers to its questions are used to calculate the criticality score.
- Automations: In this section, you define the rules that allow the automatic creation of processing activities based on the responses to questions. This section uses Workflow Studio. Each automation is mapped to its relevant question. Automation streamlines various processes, including the application of risk statements and control objectives based on user responses. When users select specific responses during an assessment, the system automatically applies the appropriate risks and controls to the relevant records. For example, consider an organizational policy stating that personal data can only be transferred outside the EU with explicit consent. During an assessment, if a user indicates that data is being transferred outside the EU, the system automatically applies the Data Transfer risk to the processing activity and assigns Explicit Consent as a control to mitigate the identified risk. This automation ensures consistency, saves time, and reduces the likelihood of human error in managing risks and controls.
Figure 1. Privacy screening assessment
- Privacy impact assessment: Starting with the Zurich release, a new template for Privacy impact assessment (Privacy Impact Assessment [V4]) is available.
For a privacy impact assessment template, like the screening assessment template, you have the Overview and Details sections. The Automations section is present by default but does not contain any predefined automations; you can add automations if you require them. For an impact assessment template, apart from the questionnaire, you can add the personal data elements. For detailed information on how to configure an impact assessment template, see Configure smart assessment templates for impact assessments.
Figure 2. Privacy impact assessment screen
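The following is an added example, not code from this page or from the ServiceNow product. It shows, in plain JavaScript, the logic that the screening template's Automations section describes: responses are matched against rules that map a triggering answer to a risk statement and a control objective (the EU data transfer rule from the text, plus one constructed rule), and a processing activity is created only once the assessment has been approved by the privacy manager. The question identifiers, the record shapes, the second rule's names, and the criterion used to flag that an impact assessment is required are assumptions; the real rules are built in Workflow Studio and mapped to template questions.

```javascript
// Added example, not ServiceNow code. Rule table and question ids are constructed.
// Each rule maps a question's triggering response to the risk statement and
// control objective that the automation should apply to the processing activity.
const AUTOMATION_RULES = [
  {
    question: 'data_transfer_outside_eu',   // constructed question id
    triggerResponse: 'Yes',
    risk: 'Data Transfer',                   // risk named on the page
    control: 'Explicit Consent',             // control named on the page
  },
  {
    question: 'processes_special_category_data',   // constructed question id
    triggerResponse: 'Yes',
    risk: 'Special Category Data Processing',      // constructed risk name
    control: 'Purpose Limitation Review',          // constructed control name
  },
];

// Questions whose "Yes" answer means the activity processes personal data.
// Assumed criterion: the page does not define how screening decides this.
const PERSONAL_DATA_QUESTIONS = ['processes_personal_data'];

// Evaluate screening responses against the automation rules.
// Returns the de-duplicated risks and controls to apply, which rules fired,
// and whether a privacy impact assessment should follow (assumed criterion:
// personal data is processed and at least one risk was identified).
function evaluateScreening(responses) {
  const risks = new Set();
  const controls = new Set();
  const firedRules = [];
  for (const rule of AUTOMATION_RULES) {
    const answer = responses[rule.question];
    if (answer === undefined) continue;       // unanswered question: rule does not fire
    if (answer === rule.triggerResponse) {
      risks.add(rule.risk);
      controls.add(rule.control);
      firedRules.push(rule.question);
    }
  }
  const processesPersonalData = PERSONAL_DATA_QUESTIONS.some(q => responses[q] === 'Yes');
  return {
    processesPersonalData,
    piaRequired: processesPersonalData && risks.size > 0,
    risks: [...risks].sort(),
    controls: [...controls].sort(),
    firedRules,
  };
}

// A processing activity is created from a screening assessment only after the
// privacy manager has approved it. The assessment and activity record shapes
// are constructed for this example; the data flow (sources/destinations) and
// lawful basis are carried over from the responses so no manual re-entry is needed.
function createProcessingActivity(assessment) {
  if (assessment.state !== 'approved') {
    throw new Error(`assessment ${assessment.id} is ${assessment.state}; privacy manager approval required`);
  }
  const outcome = evaluateScreening(assessment.responses);
  return {
    name: assessment.target,
    dataSources: assessment.responses.data_sources || [],
    dataDestinations: assessment.responses.data_destinations || [],
    lawfulBasis: assessment.responses.lawful_basis || null,
    risks: outcome.risks,
    controls: outcome.controls,
    piaRequired: outcome.piaRequired,
  };
}

// Constructed sample: a screening assessment for a new business application.
const SAMPLE_ASSESSMENT = {
  id: 'SCR-0001',                 // constructed identifier
  target: 'Customer Portal',      // constructed business application name
  state: 'approved',
  responses: {
    processes_personal_data: 'Yes',
    data_transfer_outside_eu: 'Yes',
    processes_special_category_data: 'No',
    data_sources: ['Web signup form'],
    data_destinations: ['CRM (US region)'],
    lawful_basis: 'Consent',
  },
};

console.log(JSON.stringify(createProcessingActivity(SAMPLE_ASSESSMENT), null, 2));
```

Running the block prints the processing activity for the constructed sample: the Data Transfer risk and the Explicit Consent control are attached because the EU transfer question was answered "Yes", the special-category rule does not fire, and the activity is flagged for an impact assessment. Changing `state` to `'pending'` makes `createProcessingActivity` throw, mirroring the page's rule that the activity exists only after approval.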
Review of an assessment
- Information objects: The information objects tab displays the information objects identified as part of the screening assessment.
- Hierarchy: The hierarchy of where data comes from and where it goes.
- Outcomes: The outcomes tab displays the risk statement and the control objectives associated with the assessment.