System Profiles

System Profiles allow you to document the use of a system within your organization, its inherent risk, and the Processing Activities it supports. DataGrail provides prefilled information for most third-party systems to make your data mapping efforts easy.

System Details

The System Details section offers a concise summary of key information about a system, helping you quickly understand its purpose, associated risks, and how it was added to your organization's System Inventory.

| Field | Description |
| --- | --- |
| Risks | This column surfaces specific risk criteria based on standard use cases of a system. This list is continuously updated to help you surface risk across your system inventory. |
| Last Updated | When a System Profile page was last edited. |
| Description | When available, DataGrail will include a description of the system to help you quickly get acquainted with what processing activities are commonly associated with the system. You can override the existing text with custom descriptions that capture your organization's unique use case of that system. |
| Source | The way in which this system was added into your Inventory. |
| Resources | When available, DataGrail will include links to the system's privacy policy or subprocessor URL. The subprocessor URL is how we source "AI subprocessors," which is one of the criteria used to flag "AI Detected" risk. |
| Notes | Any additional customer-provided context or resources relating to the system. |

Contacts

The Contacts Section in the left-hand sidebar of a System Profile page allows you to define and track relevant contacts associated with a given system or your overall privacy program.

  • Data Protection Officer or Data Controller: The DPO and the Data Controller will be included in the Contacts section for each system by default. These individuals are defined within your DataGrail Settings.
  • System Contacts: System Contacts are defined at the system level and allow you to define distinct owners for different systems in your inventory.

Adding Reporting Contacts

Data Protection Officers, Representatives, or Data Controllers defined for all systems in your inventory are managed in the Settings page:

  1. Navigate to Settings in the DataGrail sidebar.
  2. Select the Reporting Contacts section.
  3. Use Add Contact to add default contacts for your systems.

Defining a Data Protection Officer

If you do not have a designated DPO, we recommend adding the contact details of your Privacy Team.

System Overview

The System Overview is your central hub to document how a system is used within your organization. DataGrail Instant Risk Categories pre-populate system metadata based on the most common use cases of that system. This helps you understand which systems are more likely to have privacy risk based on the personal data they process and associated use cases.

The System Overview Section can be populated from three places:

  1. DataGrail's Pre-filled Metadata: DataGrail's Intelligence Library has pre-populated processing risk information based on common use cases of a known system.
  2. Processing Activity Reports: Processing Activity Reports allow you to document how a system is used for a given processing activity within your organization and its inherent risk. While Processing Activity Reports exist separately, the data populated within them is aggregated at the system-level System Overview section.
  3. Editing System Data: Editing the System Data directly allows you to document how a system is used at the system level, without needing to create Processing Activity Reports.

Editing System Data

The process for documenting a system at the Processing Activity or the general System Overview level is as follows:

  1. Select Edit System Data in the top right of the page.
  2. Populate the relevant Categories.
  3. (Optional) Add stakeholders in other parts of the organization by selecting Add New Contributor. They will instantly receive an email notification with a link to an editable version of the report.
    • When a contributor submits changes to the report, the report status will change to Pending Review.
    • Select Resend Invite to send a new email link to the recipient, as invite links expire after 24 hours.
    • Select Remove Contributor to mark the contributor as "removed".
  4. Select Mark as Reviewed to indicate the report is complete. This action can be taken before all Contributors have reviewed the report.

Once a report has been reviewed, a copy of it will be saved and accessible in the Version History drop-down, where all previously reviewed reports are accessible.

The Details section of the report will also capture a timestamp of when it was marked as Reviewed and by whom.

Reviewed Reports

Reviewed reports are no longer editable. A new version must be created to make new changes.

System Data Report Status

System Data Reports use the following statuses to indicate where the report is in your review cycle:

  • Not Started: When a report has not been updated by the customer. This may include pre-filled system data from the DataGrail Intelligence Library.
  • In Progress: When changes have been made in the report, the status will be changed to In Progress.
  • Pending Review: When a contributor has submitted updates to the report, the status will be set to Pending Review (see instructions on adding contributors above).
  • Reviewed: When someone has taken the Mark as Reviewed action, the report status will be changed to Reviewed.

Categories

The following categories are available within the System Overview and Processing Activity reports to document the use of a particular system in your organization.

Personal Data Categories

Personal Data, also called personal information or PII, is information relating to an identified or identifiable natural person.

If a system has any of the below categories, we will also show that the system contains Sensitive Personal Information within the report:

Sensitive Personal Information (SPI) Categories
  • Political Affiliations
  • Religious Beliefs
  • Philosophical Beliefs
  • Race or Ethnicity
  • Sexual Orientation
  • Health Data
  • Biometric Data
  • Criminal History
  • Credit or Financial Data
  • Trade Union and Membership Information
  • Personal Identification (ID) Numbers (License, Social Security, State ID Cards, Passports)

Data Subjects

A Data Subject is a natural person who can be identified, directly or indirectly, using various online and offline identifiers, characteristics or inferences. Specific legal definitions vary.

Available Data Subject Options

The following Data Subject options are available within DataGrail:

| Data Subject Type | Description |
| --- | --- |
| Customers | Individuals with whom you have a business transaction or user relationship in a Business-to-Business or a Business-to-Consumer context. |
| Children | Individuals under the age of 16. |
| Employees | Current or prospective employees, contractors or other hired representatives. |
| Job Applicants | A prospective employee undergoing a recruitment process. |
| Patients | A consumer of health, fitness, medical and prescription services. |
| Prospects | Prospective business or individual customers. |
| Vendors | Service providers, suppliers and business partners. |
| Website Visitors | Unique individuals visiting a page or multiple pages on a website. |
| Other | Custom categories directed by DataGrail Customers. For example, a "California household". |

Processing Purposes

Processing refers to any operation that is performed on personal data, such as collection, recording, storage, alteration, use, transmission, or erasure.

If data is collected for one reason but is used for another, this can raise privacy concerns. This is one of the reasons for regularly reviewing your privacy notices against your actual data uses. For example, if you intend to use collected data for order fulfilment only, but someone within your organization decides to sell this data to a marketing data company, order fulfilment is the primary purpose and data selling is the secondary purpose.

Available Processing Purposes

The following Processing Purposes are available within DataGrail:

| Processing Purpose | Description |
| --- | --- |
| Access Provisioning & Management | User account provisioning, management and de-provisioning. |
| Automated Decision Making | Machine-based decisions concerning individuals. |
| Backup & Archiving | Data stored to ensure its availability for recovery. |
| Benchmarking & Reporting | Measurements comparing the methods, performance and positions of an organization against internal or external standards. |
| Consent & Preference Management | Collecting and managing permissions and choices provided by individuals. |
| Content & Knowledge Management | Creating, curating and sharing information such as wikis, learning experiences, news, media, or social posts. |
| Correspondence | Communicating directly with individuals, including to respond to their inquiries and complaints. |
| Customer Relationship Management | Maintaining business relationships and databases. |
| Customer Support | Providing technical, administrative, operational or other kinds of support. |
| Data Storage & Access | Storing and accessing information on a storage system, browser or device. |
| Direct Marketing | Delivering audience-based or personalized marketing that may be based on an individual's demographics, preferences, interests or other characteristics. |
| Personalization | Improving or tailoring an individual's user experience or the content they receive or interact with. |
| Event Registration & Management | Hosting and administering in-person or virtual events. |
| Finance & Accounting | Record keeping related to financing, invoicing, payment collections and remittance, and related activities. |
| Fraud Prevention | Detecting and preventing fraudulent activity. |
| Human Resource Administration | Maintaining employee relationships, data, benefits and HR information systems. |
| Job Application Management | Talent acquisition and hiring process management. |
| Law Enforcement & National Security | Responding to lawful requests from law enforcement and other government agencies. |
| Legal Obligations & Compliance | Fulfilling legal obligations and protecting legal rights, terms, positions and claims. |
| Loyalty Program Administration | Administering program participation, rewards and redemptions. |
| Measurement & Analytics | Measuring the performance and effectiveness of content, products, service and promotions. |
| Payment Processing | Sending, receiving and processing payments. |
| Profiling | Aggregating and analyzing an individual's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. |
| Research | Archiving or analytics for scientific, historic or statistical purposes. |
| Sales & Demand Generation | Business lead and demand generation, outreach and related record keeping. |
| Security Management | Ensuring the security, confidentiality and availability of system and data. |
| Selling & Monetizing Data | Transferring or exchanging data for monetary or other valuable considerations. |
| Service Delivery & Fulfillment | Delivering products or services in accordance with contractual agreements and terms of service. |
| Service Management & Improvement | Managing or improving the performance and value of systems, products or services. |
| Targeted Advertising | Serving advertising tailored to an individual's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. |
| Tracking | Monitoring the behaviors, interactions and movements of an individual. |
| Other | Custom purposes directed by DataGrail Customers. |

The legal relationship between your company and the given system.

Modern privacy and data protection laws require that you identify valid grounds for processing personal data. To be lawful, processing must meet the criteria (usually itemized) set out under the law. These are considered legal bases or lawful grounds for processing and will depend on your specific purposes and the context of processing. We recommend considering why you want to process the data and applying the legal basis that best fits the circumstances.

European Union & UK

The lawful grounds for processing personal data as itemized under the EU GDPR and UK GDPR.

| Legal Basis | Description |
| --- | --- |
| Contract | Where the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. |
| Legal Obligation | Where the processing is necessary to comply with the law, including a lawful request from a court or another public authority (not including contractual obligations). |
| Vital Interests | Where the processing is necessary to ensure the life or safety of the individual. |
| Public Interest | Where the processing is necessary to fulfill an official task or is for the public good. |
| Legitimate Interests | Where the processing is necessary to fulfill reasonable business / commercial interests and these interests are not overridden by the privacy rights and freedoms. (This cannot apply if you are a public authority processing data to perform your official tasks.) |
| Consent | Where the individual has freely given their specific, informed and unambiguous consent for a specific purpose or closely related set of purposes. |

US & California

The lawful grounds for processing personal data as itemized under the EU GDPR and UK GDPR.

| Legal Basis | Description |
| --- | --- |
| Business Purpose | Where the processing of personal information is for one or more of the business’s or a service provider’s reasonable operational purposes, or other notified purposes. |
| Auditing Interactions with Consumers | Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards. |
| Security | Helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes. |
| Debugging/Repair | Debugging to identify and repair errors that impair existing intended functionality. |
| Certain Short-term Uses | Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a consumer’s current interaction with the business, provided that the consumer’s personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business. |
| Performing Services | Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business. |
| Internal Research for Tech Development | Undertaking internal research for technological development and demonstration. |
| Quality and Safety Maintenance and Verification | Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business. |
| Commercial Purpose | Where the processing of personal data is for a commercial or economic interest, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction. |
| Consent | Where the individual has freely given their specific, informed and unambiguous consent for a specific purpose or closely related set of purposes. Consent means any freely given, specific, informed, and unambiguous indication of the consumer’s wishes by which the consumer, or the consumer’s legal guardian, a person who has power of attorney, or a person acting as a conservator for the consumer, including by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose. |

Processing Countries

The locations where personal data is being processed or stored.

Personal Data Origins

Personal data origins refers to how the personal data was originally collected for the system named in the report.

Data Distribution

Data distribution refers to personal data transferred from the system named in the report to other systems in your inventory.

Where consent is the legal basis, the methods by which valid consent is obtained. Consent refers to any freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of their personal data.

Protective Measures

Protective measures refer to any steps taken to safeguard data.

Assessments

Risk Assessments associated with a given system will be linked in the Assessments tab in addition to being available within the Risk Assessments section of the DataGrail app.

[Figure: Example Assessments Page]

Disclaimer: The information contained in this message does not constitute legal advice. We would advise seeking professional counsel before acting on or interpreting any material.