Privacy and Awareness
Privacy and Awareness support two governance needs: privacy program execution and user awareness. Some tenants may use both; others may enable only one area.
1. Background and Business Purpose
Privacy records explain how personal data is processed, protected, transferred, and handled when data subjects make requests. Awareness records prove that users receive required training, surveys, and acknowledgements.
Main outcomes:
- maintain processing activity records
- manage DSARs and privacy impact assessments
- track consent, transfers, and data flows
- create and assign training courses
- define required training by role
- monitor user completion and survey results
2. Privacy Records
| Record | Purpose |
|---|---|
| Processing Activity | Documents personal-data processing purpose, owner, systems, data categories, and legal/business context. |
| DSAR | Tracks data subject access or privacy rights requests. |
| Privacy Impact Assessment | Reviews privacy risk and controls for processing or projects. |
| Consent Record | Tracks consent basis and status where consent is used. |
| Cross-Border Transfer | Documents data movement between jurisdictions or external processors. |
| Data Flow Map | Shows how data moves between systems, owners, vendors, and locations. |
3. Privacy Operating Flow
- Open Privacy.
- Create or update the relevant privacy record.
- Assign owner and department.
- Link related asset, third party, policy, risk, or evidence.
- Complete required fields such as purpose, data categories, retention, transfer, and control context.
- Route through workflow when review or approval is required.
- Create issues or risks for gaps.
- Review records periodically.
4. DSAR Flow
- Create DSAR record.
- Enter requester, request type, received date, due date, and scope.
- Assign owner.
- Verify identity and request validity where required.
- Coordinate search, review, and response.
- Record response date and evidence.
- Close the request.
DSAR statuses:
| Status | Meaning |
|---|---|
| New | Request received. |
| Validating | Identity or request validity is being confirmed. |
| In Progress | Response work is underway. |
| Pending Approval | Response is awaiting review. |
| Completed | Response sent and documented. |
| Rejected / Cancelled | Request not processed; rationale is recorded. |
5. Privacy Impact Assessment Flow
- Create PIA.
- Describe processing/project and owner.
- Link assets, third parties, data flows, and policies.
- Identify privacy risks and controls.
- Record recommendations and required actions.
- Submit for review if workflow is enabled.
- Close when actions are complete or accepted.
6. Awareness Records
| Record | Purpose |
|---|---|
| Training Course | Training content, quiz, file, or lesson record. |
| Training Campaign | Assignment of training to users or groups. |
| Role Requirement | Defines required courses for a role or job position. |
| My Training | User-facing list of assigned training. |
| Survey | Questionnaire used to measure awareness, feedback, or control understanding. |
7. Awareness Operating Flow
- Open Awareness.
- Create training course with title, description, content, and completion rules.
- Publish course when ready.
- Create role requirements or training campaign.
- Assign users, roles, or departments.
- Monitor completion and overdue users.
- Review quiz/survey results.
- Use reports for management follow-up.
Training statuses:
| Status | Meaning |
|---|---|
| Draft | Course is being prepared. |
| Published | Course can be assigned. |
| Assigned | User has training to complete. |
| In Progress | User started the course. |
| Completed | User completed required activity. |
| Overdue | Due date passed without completion. |
8. Roles and Permissions
| Role | Typical Responsibility |
|---|---|
| Privacy owner | Owns privacy records, DSARs, PIAs, and transfers. |
| Data/process owner | Provides processing context and evidence. |
| Training coordinator | Creates courses, campaigns, role requirements, and surveys. |
| Manager | Monitors assigned user completion. |
| End user | Completes assigned training, surveys, or acknowledgements. |
9. Cross-Module Behavior
| Related Module | Overlap |
|---|---|
| Assets and Third Parties | Privacy records should link systems, data assets, processors, and transfer parties. |
| Risk Management | Privacy risks can be created from PIA gaps, incidents, or processing weaknesses. |
| Operations | DSAR delays, privacy gaps, and overdue training items can become issues/actions. |
| Governance | Privacy policies and acknowledgements support privacy compliance. |
| Incidents | Privacy incidents may require DSAR/context review and risk updates. |
| Reports | Completion rates, overdue training, DSAR status, and PIA progress feed reporting. |
10. Related Pages
| Related Page | Why It Matters |
|---|---|
| Third Parties and Assets | Processing activities, transfers, and privacy impact often depend on vendors, systems, and assets. |
| Risk Management | Privacy issues may create risks or change residual exposure. |
| Governance | Privacy policies, notices, exceptions, and approvals provide governance traceability. |
| Operations | DSAR tasks, incidents, corrective actions, and training follow-up require operational tracking. |
| Reports and Analytics | Privacy records, awareness completion, overdue work, and incidents feed reporting. |
| Permissions and Roles Matrix | Use this before granting access to sensitive privacy records. |
11. Before You Start, Reporting Impact, and Common Mistakes
Before using privacy and awareness records, confirm privacy owner roles, data category taxonomy, vendor and asset links, lawful basis expectations, DSAR ownership, training audiences, and recurrence rules for mandatory awareness.
Records that change reports and KPIs:
| Record or Field | Reporting Impact |
|---|---|
| Processing activity status | Drives privacy inventory completeness. |
| PIA status and risk outcome | Shows privacy assessment workload and unresolved exposure. |
| DSAR status and due date | Drives request SLA and overdue reporting. |
| Training assignment and completion | Changes awareness completion and overdue training KPIs. |
| Linked vendor, asset, or transfer | Creates privacy dependency and cross-border reporting context. |
Common mistakes:
- Recording processing activities without owner, purpose, data category, or vendor/asset context.
- Leaving DSAR due dates unmanaged.
- Treating training assignment as completion.
- Granting broad privacy access without reviewing role need.
- Not linking privacy risks or incidents to operational follow-up.
Use this module page when training privacy owners on processing records, PIA review, DSAR follow-up, and awareness completion checks. Screenshots and operating guidance should stay with the module rather than in a separate screenshot menu.
12. Administrator Checklist
- Assign privacy records to accountable owners.
- Link processing activities to assets and third parties.
- Track DSAR due dates carefully.
- Create risks or issues for high-impact privacy gaps.
- Publish training only when content is ready.
- Use role requirements for recurring mandatory training.
- Monitor overdue training and surveys.
