Entity scoping to plan a privacy program
Summary of Entity scoping to plan a privacy program
Entity scoping is the foundational step a privacy manager takes to plan an organization's privacy program: identifying the business applications or processes (called entities) that handle personal data. Users assigned the privacy manager role (sn_privacy.manager) use it to plan and manage the privacy program, for example by recognizing the business processes and vendors that process customer or employee personal data.
The inventory of business processes, applications, vendors, and services resides in Configuration Management Database (CMDB) tables and is maintained by the respective business owners.
Methods to Identify Entities Processing Personal Data
- Discover processing activities by their usage of personal information: By mapping business processes or applications with information objects classified as Personal Information (PI) in the CMDB, privacy managers can filter and identify entities processing specific personal data. This method leverages enhanced entity filter capabilities to scope entities related to PI.
- Send initial privacy assessments: If no PI mapping exists, privacy managers can create entity types (e.g., business processes handling customer data), select relevant entities, and send privacy screening assessments to entity owners. Responses help determine if personal data processing occurs, triggering automatic creation of processing activities when applicable.
Practical Use for ServiceNow Customers
ServiceNow customers can utilize these entity scoping methods within the Governance, Risk, and Compliance (GRC) application and the CMDB to:
- Systematically identify and manage entities processing personal data
- Leverage existing CMDB data and information object mappings to streamline privacy program planning
- Engage entity owners through assessments to fill gaps in data mapping and confirm processing activities
- Ensure that only entities with personal information appear in privacy-related application views, improving focus and reporting accuracy
Key Outcomes
- Clear identification of business applications and processes handling personal data
- Automatic creation of processing activities based on data mappings or assessment responses
- Improved inventory management of privacy-relevant entities supported by CMDB integration
- Enhanced ability to plan and execute privacy programs aligned with organizational data processing activities
When a privacy manager plans the privacy program for an organization, the first step is to scope the business applications or processes that contain personal data. In Governance, Risk, and Compliance, these business applications or business processes are called entities. After you identify the entities that process personal data, the corresponding processing activities are created automatically.
Entity scoping covers tasks such as:
- Identifying all the business processes and vendors that process personal data of customers.
- Identifying business applications that process personal data of employees.
You can identify the entities that process personal data in either of two ways:
- Discovering the processing activities by their usage of personal information.
- Sending initial privacy assessments.
- Discover processing activities by their usage of personal information
- At an inventory level, when business processes, business applications, and other inventory records are mapped to information objects of type Personal information (PI), the privacy manager can discover the records that process specific PI. For details about information objects and their role in Privacy Management, see Information objects in Privacy Management.
- Identify potential entities and send initial privacy assessments
- If the information objects are not mapped to the business applications or processes, you can send initial privacy assessments to all the entities and use their responses to determine whether personal data is being processed. The steps to send the assessment are as follows:
- Create an Entity type. For example, Business processes that process customer personal information or Business applications that store employee information.
- Identify entities using the entity type that you created.
- Select the relevant entities and send privacy screening assessments to the respective entity owners.
- Based on the responses, processing activities are created automatically when relevant questions are answered.
Figure 2. Sending privacy assessments to entities