Entity scoping to plan a privacy program
Summary
Entity scoping is the initial step for privacy managers in planning an organization’s privacy program. It involves identifying business applications or processes—referred to as entities within Governance, Risk, and Compliance—that handle personal data. Once identified, processing activities related to these entities are automatically created. This process helps privacy managers understand where personal data is processed across the organization, enabling effective privacy program management.
Key Features
- Entity Identification: Entities such as business processes, applications, vendors, or services that process personal data are maintained in the Configuration Management Database (CMDB), managed by respective business owners.
- Discovery Methods: Privacy managers can identify entities processing personal data using two main methods:
  - Filtering by Personal Information Usage: Entities linked with personal information (PI) via information objects can be discovered using enhanced entity filter capabilities within the entity scoping functionality.
  - Sending Initial Privacy Assessments: When entities are not mapped to information objects, privacy screening assessments can be sent to entity owners. Based on their responses, processing activities are created automatically.
- Privacy Program Examples: Programs can focus on identifying business processes and vendors handling customer personal data or business applications processing employee personal data.
- Entity Type Creation: Privacy managers can create custom entity types (e.g., business processes handling customer data) to facilitate targeted assessments and scoping.
Key Outcomes
- Efficiently identify and scope entities that process personal data within the organization’s CMDB.
- Automatically generate processing activities based on entity data or assessment responses, streamlining privacy program planning.
- Focus privacy efforts on relevant business processes, applications, and vendors that handle personal information, ensuring compliance and risk management.
- Enhance visibility into personal data processing activities, supporting better governance and decision-making.
When a privacy manager plans the privacy program for an organization, the first step is to scope the business applications or processes that contain personal data. In Governance, Risk, and Compliance, these business applications or business processes are called entities. After you identify the entities that process personal data, the processing activities are created automatically.

Examples of what a privacy program might cover:
- Identifying all the business processes and vendors that process personal data of customers.
- Identifying business applications that process personal data of employees.

You can identify the entities in either of two ways:
- Filtering the entities by discovering processing activities through their usage of personal information.
- Sending initial privacy assessments.
Discover processing activities by their usage of personal information

At an inventory level, when business processes, business applications, and other inventory records are mapped with information objects of type Personal information (PI), the privacy manager can discover those records that process specific personal information. For details about information objects and their role in Privacy Management, see Information objects in Privacy Management.

Identify potential entities and send initial privacy assessments

If the information objects are not mapped to the business applications or processes, you can send initial privacy assessments to all the entities and use their responses to determine if personal data is being processed. The steps to send the assessment are as follows:
- Create an Entity type. For example, Business processes that process customer personal information or Business applications that store employee information.
- Identify entities using the Entity type you created.
- Select the relevant entities and send privacy screening assessments to the respective entity owners.
- Based on the responses, processing activities are created automatically when the relevant questions are answered.
Figure 2. Sending privacy assessments to entities
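The following Python model, added here as an illustration and not ServiceNow's own code, walks through both scoping paths described above on a small constructed inventory: entities that are mapped to information objects of type Personal information (PI) are discovered by filtering, entities of a chosen type with no mappings receive a screening assessment, and a processing activity is created for each entity that is either PI-mapped or whose owner answered that it processes personal data. The entity records, information objects, questionnaire text and owner responses are all constructed for the example; the field names (`io_type`, `processes_personal_data`, `data_elements`) are assumptions, not Privacy Management schema.

```python
"""Model of the two entity-scoping paths: PI-mapping filter and screening assessment.

Added example, not ServiceNow code. Every record, question and response below
is constructed for illustration; field names are assumptions.
"""
from dataclasses import dataclass, field

PI_TYPE = "Personal information (PI)"


@dataclass
class InformationObject:
    name: str
    io_type: str          # assumed attribute: e.g. PI_TYPE or "Business data"


@dataclass
class Entity:
    name: str
    entity_type: str      # "Business process", "Business application", "Vendor"
    owner: str
    information_objects: list = field(default_factory=list)

    def pi_objects(self):
        """Information objects of type PI mapped to this inventory record."""
        return [io for io in self.information_objects if io.io_type == PI_TYPE]


@dataclass
class ProcessingActivity:
    entity: str
    source: str           # "pi-mapping" or "screening-assessment"
    personal_data: list


# Constructed inventory: three records mapped to information objects, two unmapped.
EMAIL = InformationObject("Customer email address", PI_TYPE)
SALARY = InformationObject("Employee salary", PI_TYPE)
PRICE_LIST = InformationObject("Product price list", "Business data")

INVENTORY = [
    Entity("Order fulfilment", "Business process", "ops.lead", [EMAIL, PRICE_LIST]),
    Entity("Payroll system", "Business application", "hr.lead", [SALARY]),
    Entity("Catalogue service", "Business application", "it.lead", [PRICE_LIST]),
    Entity("Marketing agency", "Vendor", "mkt.lead"),
    Entity("Ticketing tool", "Business application", "it.lead"),
]


def discover_by_pi_usage(entities, pi_name=None):
    """Path 1: filter entities on mapped PI information objects (optionally one specific PI)."""
    found = []
    for e in entities:
        pis = e.pi_objects()
        if pi_name is not None:
            pis = [io for io in pis if io.name == pi_name]
        if pis:
            found.append(e)
    return found


def entities_needing_assessment(entities, entity_type):
    """Path 2 candidates: records of the chosen entity type with no information objects mapped."""
    return [e for e in entities if e.entity_type == entity_type and not e.information_objects]


def screening_assessment(entity):
    """Constructed screening questionnaire addressed to the entity owner."""
    return {"to": entity.owner, "entity": entity.name,
            "questions": ["Does this entity process personal data?",
                          "Which personal data elements does it process?"]}


def create_processing_activities(entities, responses=None):
    """Create one processing activity per entity that is PI-mapped or whose owner
    answered the screening assessment positively; all other entities yield nothing."""
    responses = responses or {}
    activities = []
    for e in entities:
        pis = e.pi_objects()
        if pis:
            activities.append(ProcessingActivity(e.name, "pi-mapping", [io.name for io in pis]))
            continue
        answer = responses.get(e.name)
        if answer and answer.get("processes_personal_data"):
            activities.append(ProcessingActivity(e.name, "screening-assessment",
                                                 list(answer.get("data_elements", []))))
    return activities


# Constructed owner responses to the screening assessment.
RESPONSES = {
    "Marketing agency": {"processes_personal_data": True,
                         "data_elements": ["Customer email address"]},
    "Ticketing tool": {"processes_personal_data": False},
}


if __name__ == "__main__":
    for e in discover_by_pi_usage(INVENTORY):
        print("in scope via PI mapping:", e.name)
    for e in entities_needing_assessment(INVENTORY, "Vendor"):
        print("assessment sent:", screening_assessment(e))
    for pa in create_processing_activities(INVENTORY, RESPONSES):
        print(pa)
```

The split between the two paths is the practical point: an entity that carries only non-PI information objects (the catalogue service) is neither discovered by the filter nor, if it is not assessed, given a processing activity, so the assessment step is what closes the gap for records whose owners never mapped information objects in the CMDB.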