Combined Privacy Management release notes for upgrades from Xanadu to Zurich

How to use this page

To help you prepare for your upgrade, we have combined the cross-family Privacy Management release notes onto one page. Read this summary of the new features, changes, and updated information for your product from Xanadu to Zurich.

Tip:

If there were no updates for a release notes section in a certain family release, we included a short note for your reference. For example, if a product did not have any updates in Tokyo, the row says "No updates for this release."

Important information for upgrading Privacy Management to Zurich

Before you upgrade to Zurich, review these pre- and post-upgrade tasks and complete the tasks as needed.


Release	Release notes
Xanadu	No updates for this release.
Yokohama	No updates for this release.
Zurich	No updates for this release.

New features

Between your current release family and Zurich, new features were introduced for Privacy Management.


Release	Release notes
Xanadu	Personal Data Rights Use the Personal Data Rights application that provides configurable workflows to manage and automate personal data rights requests efficiently, reducing the risk of non-compliance. The Personal Data Rights application enables customers to efficiently manage and fulfill Data Subject Access Requests (DSARs), consumer rights requests, and so on, ensuring compliance with privacy regulations. The application helps organizations to handle requests related to the personal data rights of their consumers while ensuring that employees can maintain data protection standards globally. Create data lineage Establish a data lineage to understand how data is being consumed and shared in a given processing activity. Creating a data lineage also helps you to understand and manage the associated risks for the data being shared. This feature provides a visual representation of data lineage or hierarchy. Create a regulatory agency Create regulatory agencies in the Privacy Workspace to identify the relevant regulatory authorities that are responsible for overseeing the businesses in the public interest. The centralized library consolidates all regulatory communication via emails. Collaborate and chat with cross-functional teams for processing activities, privacy cases, privacy assessments, and personal data rights requests Initiate quick discussions with key stakeholders while working on a processing activity, privacy case, or a personal data rights request. The chat feature is integrated with Microsoft Teams and a group is automatically created on Microsoft Teams when a discussion is initiated. The chat conversations that take place using the Discuss button are stored in the respective record making it simpler for the privacy teams to refer to them when working on a task. View smart attestations on the processing activities Use the Smart Assessment Engine feature to respond to attestations. View the reports of the new control attestations on the landing pages of the privacy analyst and the privacy manager. Utilize the filter in the Attestations report to select if you want to view the classic attestations or the new attestations. Changes in roles with the Privacy Employee user application Note: Only applicable to the customers with the GRC Privacy Employee User application (sn_privacy_emp) installed. When you install the new GRC Privacy Employee User application and assign the sn_privacy_emp.privacy_employee role to your employees, the role enables your employees to perform the following operations from the Employee Center: Proactively request privacy impact assessments (PIAs) for new implementations, applications, and processes from the Employee Center. Report privacy cases related to data privacy policy and regulatory violations. Read and acknowledge organizational privacy policies. Create policy exceptions. Create privacy issues. Changes in roles with the GRC: Privacy Lite User application If the GRC: Privacy Lite User application (sn_privacy_lite) is installed, the following roles are considered as lite operators: sn_privacy.business_user sn_privacy.assessment_responder sn_privacy_case.privacy_case_business_user sn_grc_pdr.data_owner_admin Users with the lite operator role can do the following: Respond to privacy assessment tasks as business users. Respond to the processing activity's criticality risk assessments and object-based assessment. View, update, and close assigned issues. Respond to the assigned control attestations. Respond to the assigned manual indicator tasks. Create, update, and close assigned remediation tasks. Work on the processing activity as a business user when it’s assigned to you to collect the required details. Work on breach assessments and other privacy case tasks. Respond to the detailed privacy risk assessments on each risk identified on a processing activity. Respond to the assessment and investigation tasks assigned by the privacy team. Work on personal data rights action tasks to handle data according to the requester's requests.
Yokohama	[Placeholder link text to key bundle-grc.configure-criticality-factors] Leverage criticality factors to evaluate the initial risks associated with processing activities. Integrate these factors into privacy assessments and automatically generate a criticality score upon assessment approval. These factors are also added to processing activities, enabling you to make updates at any time. Integrating these factors in a privacy assessment eliminates the need for a separate criticality assessment. This consolidation reduces the workload for the privacy teams. Smart assessments Use the new and improved assessment experience that enables: capturing the data elements, the information object attributes, hierarchies building the assessment questionnaire This new experience enables responders to update all the necessary details within the assessments, eliminating the need to update the processing activity separately. Configure categories Implement Information object categories to tag and classify information objects effectively. For example, attributes like iris scans and fingerprints are often referred to as biometric data, or email addresses and phone numbers can be tagged as contact information. Information object categories enable you to categorize these information objects under these broader classifications. This approach is useful in the following ways: Enhances compliance with regulations such as GDPR, CCPA, and so on by accurately capturing and tracking required data categories. Improves clarity for business users, ensuring they can easily identify and work with terms they’re familiar with while adhering to regulatory standards. Streamlines data governance by creating a structured framework that supports both regulatory needs and business operations. Smart assessment for privacy case management action tasks Use the new assessment experience of Smart Assessment Engine for privacy case action tasks. Only when an action task moves from the Draft to the Assigned state, the assessment can be sent. To use the smart assessment, a new property called enable_smart_assessments (sn_grc_case_mgmt.enable_smart_assessments) is introduced with the default value as true.
Zurich	Data subjects Select and define the multiple data subject types for each processing activity. You can capture the volume of data subjects that were processed, the specific data elements that were collected from the users, and the user locations. With this feature, you get a realistic, granular, and scalable representation of your processing activities. Privacy management dashboard Get an overview of your complete privacy risk and compliance posture from the Privacy Management dashboard so that you can quickly prioritize and remediate your processing activities. By looking at the Processing Activities, Risk & Compliance, and Operations & Case management sections, you can see the overall compliance score, trends, privacy criticality assessment scores, and risk heatmap. From the dashboard, you can also see information about the global legal framework to understand the regional obligations and the built-in risk metrics that automatically assess each processing activity. New screening and PIA templates Use the new Privacy Impact Assessments (PIAs) and Screening Assessment templates that provide standardized questions, evaluation criteria, and workflows so that you can perform a processing activity criticality and privacy risk assessment. With these new templates, you can ensure consistency, reduce manual effort, and support compliance with regulatory and organizational requirements.

Changes

Between your current release family and Zurich, some changes were made to existing Privacy Management features.


Release	Release notes
Xanadu	No updates for this release.
Yokohama	Tagging of information object tags Use the Data classification field to tag information objects instead of using the tag icon. Initiating privacy assessment When you initiate a privacy assessment from either an entity or a processing activity, you’re no longer redirected to the Create new privacy assessment form, instead, a new pop-up window appears where you can specify all the assessment details.
Zurich	Zurich Patch 4 Zurich Patch 1 Processing activity tab The revamped Processing Activity overview page provides a unified dashboard that displays key compliance and risk metrics, such as risk scores, compliance scores, and criticality scores. This update makes it easier for privacy managers and analysts to assess the status of each processing activity, track open issues, and prioritize actions. Layout for processing activity record view The vertical layout of a processing activity enables you to see the information in a top-down linear flow. With this layout, you can see the sequential representation of a data processing workflow. Privacy management home page The enhanced Privacy Management home page now has dedicated tabs for Processing Activity, Risk and compliance, Operations, and Privacy Cases. This updated layout helps to improve readability by organizing your reports into clearly defined sections.

Removed

Between your current release family and Zurich, some Privacy Management features or functionality were removed.


Release	Release notes
Xanadu	No updates for this release.
Yokohama	No updates for this release.
Zurich	No updates for this release.

Deprecations

Between your current release family and Zurich, some Privacy Management features or functionality were deprecated.


Release	Release notes
Xanadu	No updates for this release.
Yokohama	No updates for this release.
Zurich	No updates for this release.

Activation information

Review information on how to activate Privacy Management.


Release	Release notes
Xanadu	Install Privacy Management by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
Yokohama	Install Privacy Management by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
Zurich	Install Privacy Management by requesting it from the ServiceNow Store.

Additional requirements

If any additional requirements were introduced or changed for Privacy Management we have noted them here.


Release	Release notes
Xanadu	No updates for this release.
Yokohama	No updates for this release.
Zurich	No updates for this release.

Browser requirements

If any specific browser requirements were introduced or changed for Privacy Management we have noted them here.


Release	Release notes
Xanadu	No updates for this release.
Yokohama	No updates for this release.
Zurich	No updates for this release.

Accessibility information

Review details on accessibility information for Privacy Management, such as specific requirements or compliance levels.


Release	Release notes
Xanadu	No updates for this release.
Yokohama	No updates for this release.
Zurich

Localization information

If there are specific localization considerations for Privacy Management we have noted them here.


Release	Release notes
Xanadu	No updates for this release.
Yokohama	No updates for this release.
Zurich	No updates for this release.

Highlight information

If there are specific highlight considerations for Privacy Management we have noted them here.


Release	Release notes
Xanadu	Use the Personal Data Rights application to manage personal data rights requests from your customers or consumers, and employees in compliance with global privacy regulations. Establish a data lineage to visualize data consumption, sharing, and the associated risks for a processing activity. Use the Smart Assessment Engine to respond to and view new control attestations related to your processing activity. Create a regulatory agency library to store and access regulatory details, including correspondence with the regulators. Initiate chats from privacy assessments, processing activities, privacy cases, and personal data rights requests to collaborate with various teams to ensure quick responses. See Explore for more information.
Yokohama	Integrate criticality factors into assessments and processing activities thereby simplifying the assessment process, and reducing the workload for privacy teams. Use the Smart Assessment Engine to capture details regarding information objects and hierarchies, updating all details within the assessments and eliminating the need to separately update processing activities. Implement information Object (IO) categories such as biometric data, to align with regulatory classifications and bridge the gap between requirements and user understanding. Empower privacy case analysts to perform assessments on privacy cases using the Smart Assessment Engine See Privacy Management for more information.
Zurich	A new external Personal data rights (PDR) request form enables customers, ex-employees, and third parties to submit PDR requests from a website with email verification. Access Control by Legal Entity feature enables teams to access only processing activities relevant to their legal entity, maintaining privacy by design principle. Now Assist for Privacy Management plugin uses Generative AI to streamline privacy workflows by summarizing assessments, condensing issues, and merging control objectives. Reporting privacy incidents through email feature enables employees to report privacy incidents directly through email. Impacted and related areas configuration allows privacy case managers to add custom business area types to privacy cases for better context. Revamped Processing Activity overview page provides a unified dashboard showing key compliance and risk metrics for processing activities. See Privacy Management for more information.