Important notice
The Classic Experience will be sunset on
Aug. 1.
If you have questions, contact your Customer Success and Implementation Manager,
Account Manager, or
support@trustarc.com.
System records represent applications, databases, or other technological systems and processes that handle data for a specific business purpose — for example, CRM software. They are a core component of TrustArc Data Inventory, capturing what data is processed, who has access, and what controls are in place.
This article explains how to create and configure a system record, including completing the Details, Subjects & Recipients, Data & Controls, Risk & Assessments, and Contacts tabs, as well as using the top navigation features available throughout the record.
What you can do
✓Create and configure a system record in Data Inventory
✓Upload a logo, view activity logs, and manage tags from anywhere in the record
✓Add data subjects, recipients, data elements, and security controls
✓Review risk scores and start assessments for Data Processing, Data Transfer, and AI Risk
✓Add internal and external contacts to the record
Prerequisites
✓Active TrustArc account with Data Inventory access
✓Primary company, company affiliate, and third-party records must be set up before creating system records
✓Access to Assessment Manager is required to create assessments
Top Navigation Features
The Upload Logo (1), Record Link (2), Activity Log (3), and Tags (4) features are centralized within the top navigation of the system record. This allows you to use these features at any step during record creation.
Upload Logo
Click Upload Logo to upload the system record's logo. Once uploaded, right-click the logo to replace or delete it.
Activity Log
Click the Activity Log icon to open a panel on the right side of the page showing the record's activity logs.
Tags
Click the Tags link to open a panel on the right side of the page showing tags and tag groups associated with the record. From this panel, you can also create and save new tags.
Creating a System Record
To set up a system record, follow these steps:
1
From the left side of the page, hover over the
Data Mapping & Risk Manager
icon, and then select
Data Inventory.
📋 Note: The
All Records tab is selected by default.
2
Click to open the
System Records
tab.
3
From the top-right corner of the page, click
Add New, and
then select System Record.
The Owned By
field represents the company that owns the system
— for example, TrustArc owns the Data Inventory Hub.
If the owning entity or its parent already has data
subjects, you can add them to the system or skip
and add them manually later.
After you enter the website URL of the company or
organization that owns the system, the logo for that
organization is automatically generated in the
Upload Logo
field.
5
Click the
Subjects & Recipients
tab, and then complete the following:
•Select
the number of data subjects whose data is processed
by the system.
•Click
Add Data Subject
to add data subjects.
•Add
data recipients who have access to the data processed
by the system.
6
Click the
Data & Controls
tab, and then complete the following:
•Select
the data elements processed or stored by the system.
Specify a retention period either collectively for
all data elements, or individually per element. To
set a per-element period, click the
Edit icon
to its right and enter the value.
•Select
the processing purposes for the system record.
•Specify
whether artificial intelligence is used for data
processing in the record.
•Select
the security controls for the system record.
7
Click the
Risk & Assessments
tab, review the Data Processing Risk, Data Transfer Risk,
and AI Risk scores for this system record, and complete
the recommended assessments.
Charts at the bottom of this tab show how many assessments
are in Open,
In Progress,
In Review, and
Approved states.
📋 Note: By
default, only 10 assessment records are displayed. Use
the
Search Assessment Name
field to locate records not shown on the first page.
All table columns are sortable. You must have access
to Assessment Manager to create an assessment. When
Create Assessment
is clicked, the Create Assessment page opens in a new
browser tab.
Risk & Assessments
Reviewing the Inherent Risk Score
To review the inherent risk score of the system record, go to the Data Processing Risk subtab. Under the Step 1: Review Inherent Risk Score column, click Review Score.
The Review Inherent Risk Score modal appears. Complete the following and then click Save Changes.
•Review the Risk Factors
•Define the Inherent Risk. When updating, confirm whether the "Suggested" Inherent Risk Score is accurate.
•Explain Your Risk Score Selection
Starting a Residual Risk Assessment
After evaluating inherent risk, start an impact assessment to evaluate control effectiveness and calculate residual risk.
To start an assessment:
1
Under the
Step 2: Complete Risk Assessment
column, click
Start Assessment.
A Start Assessment
modal appears.
2
Select an assessment template, and then click
Start Assessment.
📋 Notes
Assessment template selection should be based on
your company's risk tolerance or policies. Based
on the country laws triggered, where applicable:
•Select
Mini PIA Controls Assessment
if no (zero) risk factors are
triggered.
•Select
PIA Controls Assessment
if one risk factor is triggered.
•Select
DPIA Controls Assessment
if two or more risk factors
are triggered.
Risk factors are determined by the data elements,
processing purposes, individual types, number of
individual records, or data subject volume selected
in the record. Multiple selections under a single
risk factor count as one, except in the case of processing
purposes.
If an assessment has already been created for the
system record, the
Change Assessment
and View Assessment
buttons become available.
3
The system redirects you to the Assessment Manager setup
page. From the
Edit Assessment
page, update the following sections as needed:
•Assessment
Details
•Managers
& Respondents
•Users
•Advanced
Settings
For more information, see the
Creating an Assessment
section of the Assessment Manager User Guide.
4
Review and publish the assessment.
Downloading the Residual Risk Assessment Report
📋 Note: You can only
download a report if the assessment is in
In Review or
Approved state.
To download the report, click Download Risk Report under the Step 3: Review Residual Risk Score & Download Report column. The report downloads as a .pdf file.
Reviewing the Data Transfer Risk Score
To review the data transfer risk score, go to the Data Transfer Risk subtab. Under the Step 1: Review Data Transfer Risk Score column, click Review Score.
The View Countries modal appears. View the data transfer risk score for each country, and then click Done.
Starting a Data Transfer Risk Assessment
The Data Transfer Residual Risk Score is calculated after a System Data Transfer Risk Assessment is completed. This assessment gives you insight into your Data Transfer Risk at both the record and organization levels.
To start a data transfer risk assessment:
1
Under the
Step 2: Complete Risk Assessment
column, click
Start Assessment.
A Start Assessment
modal appears.
2
Select an assessment template, and then click
Start Assessment.
📋 Note: If
an assessment has already been created for the system
record, the
Change Assessment
and View Assessment
buttons become available.
3
The system redirects you to the Assessment Manager setup
page. From the
Edit Assessment
page, update the following sections as needed:
•Assessment
Details
•Managers
& Respondents
•Users
•Advanced
Settings
For more information, see the
Creating an Assessment
section of the Assessment Manager User Guide.
4
Review and publish the assessment.
Downloading the Data Transfer Risk Assessment Report
📋 Note: You can only
download a report if the assessment is in
In Review or
Approved state.
To download the report, click Download Risk Report under the Step 3: Review Data Transfer Residual Risk Score & Download Report column. The report downloads as a .pdf file.
Reviewing the AI Risk Score
To review the AI Risk score, go to the AI Risk subtab. Under the Step 1: Review AI Risk Score column, click Review Score.
The Review AI Risk Score modal appears. Complete the following and then click Save Changes.
•Review the Risk Factors
•Define the Inherent Risk. When updating, confirm whether the "Suggested" AI Risk Score is accurate.
•Explain Your Risk Score Selection
Completing the AI Risk Assessment
The AI Risk Score is calculated after a System AI Risk Assessment is completed. This assessment gives you clear insight into your AI Risk at both the record and organization levels.
To start the AI risk assessment:
1
Under the
Step 2: Complete AI Risk Assessment
column, click
Start Assessment.
A Start Assessment
modal appears.
2
Select an assessment template, and then click
Start Assessment.
📋 Note: If
an AI Risk assessment has already been created for the
system record, the
Change Assessment
and View Assessment
buttons become available.
3
The system redirects you to the Assessment Manager setup
page. From the
Edit Assessment
page, update the following sections as needed:
•Assessment
Details
•Managers
& Respondents
•Users
•Advanced
Settings
For more information, see the
Creating an Assessment
section of the Assessment Manager User Guide.
4
Review and publish the assessment.
Downloading the AI Risk Assessment Report
📋 Note: You can only
download a report if the assessment is in
In Review or
Approved state.
To download the report, click Download Risk Report under the Step 3: Review Residual AI Risk Score & Download Report column. The report downloads as a .pdf file.
Contacts
8
Click the Contacts
tab, and then add the record's external and internal
contacts.
Click the Edit
or Delete icon
to edit or delete an existing contact. Use the Search
field to locate a contact not shown on the first page.
By default, only 10 records are displayed.