IBM OpenPages Data Privacy Management (DPM) workflows

IBM OpenPages® Data Privacy Management includes two sample workflows. You can use them as-is or modify them to meet your requirements. The sample workflows can also be used as a template and learning tools for your own workflows.

The sample workflows are enabled in fresh installations.

Privacy Impact Assessment

When a new data asset (resource) is imported into IBM® Knowledge Catalog, the Privacy Impact Assessment workflow starts automatically. The first stage is Data Asset Review, where a privacy officer (business owner) must determine whether a privacy assessment is needed or not. If the privacy officer needs more information, the officer can request more information from the data steward (primary owner) by selecting Actions > Request Additional Information. The data asset owner would then need to provide the requested information and select Actions > Submit for Data Asset Review.

If the privacy officer determines that a privacy assessment is not needed, the officer selects Actions > Privacy Assessment Not Needed. This action sets the PIA Status field on the resource to Not Needed, and then the workflow ends.

If the privacy officer determines that a privacy assessment is needed, the officer selects Actions > Privacy Assessment Needed. This action sets the PIA Status field on the resource to Needed and creates a Questionnaire Assessment, which is assigned to the data steward (primary owner) of the resource.

The privacy officer then selects a questionnaire template for the assessment, and the data steward completes the questionnaire. When the questionnaire is complete, the data steward selects Actions > Submit for Approval.

The privacy officer now reviews the privacy assessment and can either Approve PIA or Reject PIA. If rejected, the assessment is returned to the data steward for remediation. If the assessment is approved, the workflow ends.

The Workflow Editor shows the stages in the workflow: Start, Data Asset Review, Privacy Assessment Not Needed, Additional Information Required, Privacy Assessment in Progress, Privacy Assessment Awaiting Approval, and Privacy Assessment Complete. — Figure 1. Privacy Impact Assessment workflow

Data Protection Impact Assessment

After a privacy impact assessment (PIA) on a data asset is completed or if a PIA is not needed, the Data Protection Impact Assessment workflow starts automatically. When it starts, the workflow sets the DPIA Status field on the resource to Needed and creates a Questionnaire Assessment that is assigned to the privacy officer (business owner) of the resource.

At the first stage of the workflow, DPIA Started, a data steward (primary owner) has the option to override and cancel the DPIA, if it is determined that the DPIA is not needed. In this case, the data steward selects Actions > Override – DPIA not needed .

If the data steward does not override the DPIA, then the data steward completes the questionnaire assessment and selects Actions > DPIA Completed.

At the next stage of the workflow, DPIA Awaiting Approval, the privacy officer (business owner) reviews the DPIA questionnaire assessment, and has the option to reject it by selecting Actions > Reject PIA, which sends it back to the data steward for remediation, or approve it by selecting Actions > Approve PIA, which ends the workflow.

The Workflow Editor shows the stages in the workflow: Start, DPIA Started, DPIA Not Needed, DPIA Awaiting Approval, and DPIA Complete. — Figure 2. Data Protection Impact Assessment workflow