Data Governance Use Case Design
This topic explains the Data Governance use case design.
Architecture Diagram
The following diagram shows the relationships between the applications in the Data Governance use case and how they relate to applications in other use cases.
Applications and Questionnaires
| Application/Questionnaire | Description |
|---|---|
| Applications | The Applications application stores all software applications used by the organization to perform business operations. You can view how an application is used, the people that use it, and the devices on which the application is installed. You can also track the business impact, customer impact, and licensing details, and associate it with other aspects of the enterprise infrastructure. Note: The Applications application is included in the Enterprise Catalog package. For the Data Governance use case, the Applications application allows you to connect business processes and processing activities down to the device level. |
| Article 30 Checklist | The Article 30 Checklist questionnaire is a configurable workflow that allows you to assess a processing activity against some of the key requirements of Article 30 of the European Union General Data Protection Regulation (GDPR) on a recurring basis. |
| Business Processes | The Business Processes application captures the base data for a given process. A process may be assigned to a particular business unit or shared across multiple business units. A business process may also be referenced to one or multiple products or services. The application enables you to track the business process's personnel, criticality, recovery time objective (RTO) and ITIL category, and associate it with other aspects of the enterprise infrastructure. Note: The Business Processes application is included in the Enterprise Catalog package. For the Data Governance use case, the Business Processes application allows you to inventory all in-scope business processes for a processing activity. |
| Contacts | The Contacts application serves as a central repository for contact information, is utilized across multiple areas of Archer, and contains information that is often leveraged by other use cases. Updates to a profile record within this application automatically propagate in any records with displayed contact information. Note: The Contacts application is included in the Enterprise Catalog package. For the Data Governance use case, the Contacts application allows you to document the relationships between individuals and their associated business processes, information assets, and processing activities and to document your data custodians, data controllers, Data Protection Officers (DPOs), and data processors. |
| Control Procedures | The Control Procedures application serves as a central repository for instances of control procedures, baselines and activities that are mapped to corporate Primary Controls, establishing the foundation for enterprise-wide risk monitoring and compliance measurement. Control Procedures are categorized into two types: Technical and Process. Based on the selected type, different pieces of information are captured and different testing options are made available. Note: The Control Procedures application is included in the Enterprise Catalog package. For the Data Governance use case, the Control Procedures application allows you to identify all of your control procedures that act as safeguards against the risk of a processing activity. You can also use these control procedures as part of any compliance or audit program to test the effectiveness of your organization's privacy program. |
| Devices | The Devices application serves as a central repository for knowledge, such as criticality, about IT devices and which applications they support. You can manage devices to ensure that they are protected according to management expectations. The application is also associated with other aspects of the enterprise infrastructure. Note: The Devices application is included in the Enterprise Catalog package. For the Data Governance use case, the Devices application allows you to inventory all devices that are linked to an application or information asset that is in scope for a processing activity. |
| Facilities | The Facilities application maintains a listing of all organizational facilities, such as data centers and branches. You can document and review all information associated with a specific facility, such as contact personnel, location information, and technologies associated with the location. Note: The Facilities application is included in the Enterprise Catalog package. For the Data Governance use case, the Facilities application allows you to view all facilities that are linked to a processing activity or a business process that is in scope for a processing activity. |
| Information Assets | The Information Assets application allows you to manage a repository of information assets, such as credit card data, financial forecasts, employee Social Security numbers, and trademarks. Use this application to perform online assessments to determine information classification ratings and required retention periods. Link information assets to the business processes they support, the applications where they are managed, and the facilities where they are housed. Note: The Information Assets application is included in the Enterprise Catalog package. For the Data Governance use case, the Information Assets application allows you to inventory all information assets that are linked to a processing activity or a business process, or that are in scope for a processing activity. Information about the information asset's ownership, data collected, and other elements helps provide you with a complete mapping of data element to processing activity to device. |
| Notice and Consent Library | The Notice and Consent Library application acts as a repository of your organization's privacy notices and consent statements related to collecting personally identifiable information (PII). This application allows you to track the most recent copy of a statement, including its effective date, the actual text of the statement, and an attachment of the statement. Additionally, you can map these statements to the applicable applications, processing activities, and information assets to which they relate. |
| Question Library | The Question Library application stores assessment questions that you can reference and copy into a questionnaire. Each question is stored as an individual record, and each record contains information including the question and answer text as well as information necessary to display and score the question. Depending on the solution that you have licensed, the Question Library contains a large set of pre-built questions by default. In addition, you can add new questions and store them in the Question Library. For the Data Governance use case, you can use the questions in the library as needed when creating an Article 30 Checklist assessment to configure the workflow to address your organization's requirements. |
| Privacy Roles and Responsibilities | A data controller is the entity that determines the purposes, conditions and means of the processing of personal data. If you have multiple data controllers, the Privacy Roles and Responsibilities application allows you to define their individual responsibilities so that you can demonstrate that information to a regulator. You can document the role name and responsibilities, link to the applicable business unit, provide links to any codes of conduct for the role, and assign users to the roles. |
| Processing Activities | The Processing Activities application maintains an inventory of your organization’s processing activities with respect to collecting or processing personally identifiable information (PII). The application allows you to capture what data is processed, why it is processed, how it is processed, the path that the data flows through, and who controls the data. Processing Activities are composite views that should be updated on a periodic basis to ensure due diligence is performed in maintaining accurate processing activity records. |
| Retention Schedules | The Retention Schedules application acts as a repository of your organization's retention schedules, which define for each of your organization's information assets how long the data must be retained and why, who to contact with questions, and whether the retention requirement is active. The application also allows you to track metadata about a retention schedule, such as applicable countries, regions, policies, regulations driving the schedule, and effective dates. |
Personas and access roles
| Access Role | Description |
|---|---|
| DPM: Admin | The user responsible for installing and maintaining the Data Governance use case. This role provides create, read, update, and delete rights to the use case. |
| DPM: Data Admin | The user responsible for ensuring data quality and data upkeep in the system. This role provides create, read, update, and delete rights to the use case. |
| DPM: Data Protection Officers | Experts on data privacy who work independently to ensure that an entity is adhering to the policies and procedures set forth in applicable regulations. This role provides a combination of create, update, and read rights to the use case. |
| DPM: Data Custodians | Individuals within your organization who are responsible for managing the data subject information under their purview and ensuring that it is processed appropriately and responsibly. This role provides a combination of create, update, and read rights to the use case. |
| DPM: Privacy Team | Members of your organization's data privacy team. This role provides a combination of create, update, and read rights to the use case. |
| DPM: Legal Team | Members of your organization's legal team. This role provides a combination of create, update, and read rights to the use case. |
| DPM: Regulators | Members of the regulatory body who need access to data in the use case. This role provides read-only access to the use case. |
| DPM: Read Only | This role provides read-only access to the use case. |
For a complete list of detailed, page-level access rights, see the Data Dictionary. For more information about the Data Dictionary, see Data Dictionary.
For a complete list of application record permission fields, including which user/groups fields populate the fields and where the fields inherit permissions from, see the Data Dictionary.
Dashboards
| Dashboard | Description |
|---|---|
| Data Governance | Displays summary information about processing activities, retention schedules, and notice and consent statements. Only users assigned to the DPM: Privacy Team, DPM: Legal Team, DPM: Admin, DPM: Data Admin, or DPM: Read Only roles can access the Data Governance dashboard. |
| Data Protection Officer (DPO) | Displays summary information about processing activities, retention schedules, and notice and consent statements, as well as processing activity analytics. Only users assigned to the DPM: Data Protection Officers role can access the Data Protection Officer (DPO) dashboard. |
| Data Custodian | Displays summary information about processing activities, retention schedules, and notice and consent statements, as well as processing activity analytics and Article 30 checklist information. Only users assigned to the DPM: Data Custodian role can access the Data Custodian dashboard. |
Data Feeds
For instructions on setting up the feeds, see Setting Up Data Governance Data Feeds.
| Data Feed | Description |
|---|---|
| Scope Processing Activities by Business Process | Allows you to auto-scope a processing activity through its related business processes. The feed gathers information assets, facilities, applications, devices, retention schedules and privacy notices and consent statements based on selected business processes and relates them to the processing activity. |
| Scope Processing Activities by Information Assets | Allows you to auto-scope a processing activity through its related information assets. The feed gathers business processes, facilities, applications, devices, retention schedules and privacy notices and consent statements based on selected information assets and relates them to the processing activity. |
Data Dictionary
The Data Governance Data Dictionary contains configuration information for the use case.
You can obtain the Data Dictionary for the use case by contacting your Archer Technologies Account Representative.