Creating a System Record

Overview

System records represent applications, databases, or other technological systems and processes that handle data for a specific business purpose — for example, CRM software. They are a core component of TrustArc Data Inventory, capturing what data is processed, who has access, and what controls are in place.

This article explains how to create and configure a system record, including completing the Details, Subjects & Recipients, Data & Controls, Risk & Assessments, and Contacts tabs, as well as using the top navigation features available throughout the record.

What you can do
Create and configure a system record in Data Inventory
Upload a logo, view activity logs, and manage tags from anywhere in the record
Add data subjects, recipients, data elements, and security controls
Review risk scores and start assessments for Data Processing, Data Transfer, and AI Risk
Add internal and external contacts to the record
Prerequisites
Active TrustArc account with Data Inventory access
Primary company, company affiliate, and third-party records must be set up before creating system records
Access to Assessment Manager is required to create assessments
Top Navigation Features

The Upload Logo (1), Record Link (2), Activity Log (3), and Tags (4) features are centralized within the top navigation of the system record. This allows you to use these features at any step during record creation.

Top navigation bar showing Upload Logo, Record Link, Activity Log, and Tags controls
Upload Logo

Click Upload Logo to upload the system record's logo. Once uploaded, right-click the logo to replace or delete it.

Upload Logo field on the system record
Activity Log

Click the Activity Log icon to open a panel on the right side of the page showing the record's activity logs.

Activity log panel open on the right side of the page
Tags

Click the Tags link to open a panel on the right side of the page showing tags and tag groups associated with the record. From this panel, you can also create and save new tags.

Creating a System Record

To set up a system record, follow these steps:

1

From the left side of the page, hover over the Data Mapping & Risk Manager icon, and then select Data Inventory.

Navigating to Data Inventory from the left nav
📋 Note: The All Records tab is selected by default.
2

Click to open the System Records tab.

System Records tab selected in Data Inventory
3

From the top-right corner of the page, click Add New, and then select System Record.

Add New menu with System Record option highlighted
📋 Note: You can also create a system record using AI. For more information, see Creating a System Record using AI.
4

Complete the Details tab. At minimum, you must enter the system name, owner of the system, and the organization entities that use the system.

Details tab of the system record

You can use the AI Autofill Search feature to complete the Details tab. For more information, see Completing the Details Tab Using the AI Autofill Search Feature.

📋 Notes

The Owned By field represents the company that owns the system — for example, TrustArc owns the Data Inventory Hub. If the owning entity or its parent already has data subjects, you can add them to the system or skip and add them manually later.

Data subjects prompt when an owning entity already has subjects configured

After you enter the website URL of the company or organization that owns the system, the logo for that organization is automatically generated in the Upload Logo field.

Upload Logo field auto-populated after entering the owner URL
5

Click the Subjects & Recipients tab, and then complete the following:

Subjects and Recipients tab
Select the number of data subjects whose data is processed by the system.
Click Add Data Subject to add data subjects.
Add data recipients who have access to the data processed by the system.
6

Click the Data & Controls tab, and then complete the following:

Data and Controls tab
Select the data elements processed or stored by the system. Specify a retention period either collectively for all data elements, or individually per element. To set a per-element period, click the Edit icon to its right and enter the value.
Edit icon for setting individual data element retention periods
Select the processing purposes for the system record.
Specify whether artificial intelligence is used for data processing in the record.
Select the security controls for the system record.
7

Click the Risk & Assessments tab, review the Data Processing Risk, Data Transfer Risk, and AI Risk scores for this system record, and complete the recommended assessments.

Risk and Assessments tab

Charts at the bottom of this tab show how many assessments are in Open, In Progress, In Review, and Approved states.

Assessment status charts
📋 Note: By default, only 10 assessment records are displayed. Use the Search Assessment Name field to locate records not shown on the first page. All table columns are sortable. You must have access to Assessment Manager to create an assessment. When Create Assessment is clicked, the Create Assessment page opens in a new browser tab.
Risk & Assessments
Reviewing the Inherent Risk Score

To review the inherent risk score of the system record, go to the Data Processing Risk subtab. Under the Step 1: Review Inherent Risk Score column, click Review Score.

Review Score button on the Data Processing Risk subtab

The Review Inherent Risk Score modal appears. Complete the following and then click Save Changes.

Review Inherent Risk Score modal
Review the Risk Factors
Define the Inherent Risk. When updating, confirm whether the "Suggested" Inherent Risk Score is accurate.
Explain Your Risk Score Selection
Starting a Residual Risk Assessment

After evaluating inherent risk, start an impact assessment to evaluate control effectiveness and calculate residual risk.

To start an assessment:

1

Under the Step 2: Complete Risk Assessment column, click Start Assessment.

Start Assessment button

A Start Assessment modal appears.

2

Select an assessment template, and then click Start Assessment.

Start Assessment modal showing template selection
📋 Notes

Assessment template selection should be based on your company's risk tolerance or policies. Based on the country laws triggered, where applicable:

Select Mini PIA Controls Assessment if no (zero) risk factors are triggered.
Select PIA Controls Assessment if one risk factor is triggered.
Select DPIA Controls Assessment if two or more risk factors are triggered.

Risk factors are determined by the data elements, processing purposes, individual types, number of individual records, or data subject volume selected in the record. Multiple selections under a single risk factor count as one, except in the case of processing purposes.

If an assessment has already been created for the system record, the Change Assessment and View Assessment buttons become available.

Change Assessment and View Assessment buttons
3

The system redirects you to the Assessment Manager setup page. From the Edit Assessment page, update the following sections as needed:

Assessment Details
Managers & Respondents
Users
Advanced Settings

For more information, see the Creating an Assessment section of the Assessment Manager User Guide.

4
Review and publish the assessment.
Downloading the Residual Risk Assessment Report
📋 Note: You can only download a report if the assessment is in In Review or Approved state.

To download the report, click Download Risk Report under the Step 3: Review Residual Risk Score & Download Report column. The report downloads as a .pdf file.

Download Risk Report button
Reviewing the Data Transfer Risk Score

To review the data transfer risk score, go to the Data Transfer Risk subtab. Under the Step 1: Review Data Transfer Risk Score column, click Review Score.

Review Score button on the Data Transfer Risk subtab

The View Countries modal appears. View the data transfer risk score for each country, and then click Done.

View Countries modal
Starting a Data Transfer Risk Assessment

The Data Transfer Residual Risk Score is calculated after a System Data Transfer Risk Assessment is completed. This assessment gives you insight into your Data Transfer Risk at both the record and organization levels.

To start a data transfer risk assessment:

1

Under the Step 2: Complete Risk Assessment column, click Start Assessment.

Start Assessment button on Data Transfer Risk

A Start Assessment modal appears.

2

Select an assessment template, and then click Start Assessment.

Start Assessment modal for Data Transfer Risk
📋 Note: If an assessment has already been created for the system record, the Change Assessment and View Assessment buttons become available.
Change Assessment and View Assessment buttons
3

The system redirects you to the Assessment Manager setup page. From the Edit Assessment page, update the following sections as needed:

Assessment Details
Managers & Respondents
Users
Advanced Settings

For more information, see the Creating an Assessment section of the Assessment Manager User Guide.

4
Review and publish the assessment.
Downloading the Data Transfer Risk Assessment Report
📋 Note: You can only download a report if the assessment is in In Review or Approved state.

To download the report, click Download Risk Report under the Step 3: Review Data Transfer Residual Risk Score & Download Report column. The report downloads as a .pdf file.

Download Risk Report button on Data Transfer Step 3
Reviewing the AI Risk Score

To review the AI Risk score, go to the AI Risk subtab. Under the Step 1: Review AI Risk Score column, click Review Score.

Review Score button on the AI Risk subtab

The Review AI Risk Score modal appears. Complete the following and then click Save Changes.

Review AI Risk Score modal
Review the Risk Factors
Define the Inherent Risk. When updating, confirm whether the "Suggested" AI Risk Score is accurate.
Explain Your Risk Score Selection
Completing the AI Risk Assessment

The AI Risk Score is calculated after a System AI Risk Assessment is completed. This assessment gives you clear insight into your AI Risk at both the record and organization levels.

To start the AI risk assessment:

1

Under the Step 2: Complete AI Risk Assessment column, click Start Assessment.

Start Assessment button on AI Risk

A Start Assessment modal appears.

2

Select an assessment template, and then click Start Assessment.

Start Assessment modal for AI Risk
📋 Note: If an AI Risk assessment has already been created for the system record, the Change Assessment and View Assessment buttons become available.
Change Assessment and View Assessment buttons for AI Risk
3

The system redirects you to the Assessment Manager setup page. From the Edit Assessment page, update the following sections as needed:

Assessment Details
Managers & Respondents
Users
Advanced Settings

For more information, see the Creating an Assessment section of the Assessment Manager User Guide.

4
Review and publish the assessment.
Downloading the AI Risk Assessment Report
📋 Note: You can only download a report if the assessment is in In Review or Approved state.

To download the report, click Download Risk Report under the Step 3: Review Residual AI Risk Score & Download Report column. The report downloads as a .pdf file.

Download Risk Report button on AI Risk Step 3
Contacts
8

Click the Contacts tab, and then add the record's external and internal contacts.

Contacts tab of the system record

Click the Edit or Delete icon to edit or delete an existing contact. Use the Search field to locate a contact not shown on the first page. By default, only 10 records are displayed.

Edit and Delete icons on the Contacts tab
9
Click Close once the setup is complete.
TrustArc  ·  Creating a System Record  ·  support.trustarc.com