What is the Processes Report?

The Processes Report analyses the Process Mapping Workflows and presents the information as a matrix of Data Privacy Principles and whether these principles have been met or unmet. 


In short, it helps to identify risks in Processes which deal with personal data, pinpointing which processes need attention, as well as which data privacy principles have not been met.



Horizontal view - Processes across each Data Privacy principle

In general, if one looks horizontally across the Processes Report, one can see whether every Process within one's purview has met the requirements of the Data Privacy principle (e.g. Lawfulness - Consent). 

In the case of the 'customer acquisition' process in the example below, the principle of 'Lawfulness - Consent' has not been met.




Vertical view - Data Privacy principles for each Process

In general, if one looks vertically down each column in the Processes Report, one can see whether all the Data Privacy principles have been fulfilled for each Process within one's purview. 


'Traffic Lights' and reviewing or updating the Data Mapping

A 'red' light means the principle has been documented as not having been met. 

A 'green' light means the principle has been documented as not having been met.

A 'grey' light means the principle has been documented as being 'Not Applicable'. 


In order to either review or update the record, click the 'traffic light' in question. 

You be be brought to the relevant page in the Data Mapping workflow. 


Here, you can:

  • check for supporting evidence (for example in the Comments, Links and/or Files)  
  • review and update the data or evidence 


How to use the Process Report in relation to Identifying Risks and Identifying and Implementing Controls

After the Personal Data Inventory is identified for a particular company,

  • 'Recommended Actions for Inventory Risks' will  any inventory risks 
  • Droplists in the Process Mapping will draw on the company's customised Data Inventory


After the Process Mapping has been done,

  • The Process Risks report will highlight any unmet Data Privacy Principles, and gaps for every process 
  • Droplists in the Process Mapping will draw on the company's customised Data Inventory


From understanding the risks involved, the DPO or the Data Privacy team can begin to identify the general risks and controls required, that can be communicated and managed via specific Policies, e.g. Data Protection Policy. The DPO or Data Privacy team should 

  • Identify the Organisational and Technical measures which may include the policies needed (Manage Programme --> Policies You Need)
  • Create the policies, and document the final versions in the Document Library (Manage Programme --> Document Library)




In Risk Management, risks relating to General Controls and Process Controls can be identified, evaluated, and followed up with the Task Tracker.