Creating a Company Affiliate Record

Overview

Company affiliate records represent sub-organizations, affiliates, or subsidiaries of a primary company entity in TrustArc Data Inventory. Before setting up System records, you should first set up your company affiliate records to ensure the correct organizational hierarchy is in place.

This article explains how to create and configure a company affiliate record, including completing the Details and Contacts tabs, using the top navigation features (logo upload, activity log, and tags), and working with Risk & Assessments — covering inherent risk scores, residual risk assessments, data transfer risk, and AI risk.

What you can do
Create and configure a company affiliate record in Data Inventory
Upload a logo, view activity logs, and manage tags from anywhere in the record
Review and update inherent risk scores for data processing, data transfer, and AI risk
Start residual risk assessments and download risk reports
Add Legal and Privacy Team contacts to the record
Prerequisites
Active TrustArc account with Data Inventory access
Company affiliate records must be set up before System records
Access to Assessment Manager is required to create assessments
Top Navigation Features

The Upload Logo (1), Record Link (2), Activity Log (3), and Tags (4) features are centralized within the top navigation of the company affiliate record. This allows you to use these features at any step during record creation.

Top navigation bar showing Upload Logo, Record Link, Activity Log, and Tags controls
Upload Logo

Click the Upload Logo field to upload the company affiliate's logo. Once uploaded, right-click the logo to replace or delete it.

Upload Logo field on the company affiliate record
Activity Log

Click the Activity Log icon to open a panel on the right side of the page showing the record's activity logs.

Activity log panel open on the right side of the page
Tags

Click the Tags link to open a panel on the right side of the page showing tags and tag groups associated with the record. From this panel, you can also create and save new tags.

Tags panel open on the right side of the page
Creating a Company Affiliate Record

To set up a company affiliate record, follow these steps:

1

From the left side of the page, hover over the Data Mapping & Risk Manager icon, and then select Data Inventory.

Navigating to Data Inventory from the left nav
📋 Note: The All Records tab is selected by default.
2

Click to open the Company Records tab.

Company Records tab selected in Data Inventory
3

From the top-right corner of the page, click Add New, and then select Company Affiliate Record.

Add New menu with Company Affiliate Record option highlighted
4

Complete the Details tab. At minimum, you must enter the company name and the country where the company affiliate is located.

Details tab of the company affiliate record
📋 Note: You can configure the Owned By field (1) via the Organization Hierarchy application. To access it, click Configure Owned by In Organization Hierarchy.
5

Click the Risk & Assessments tab, review the Risk Scores, and complete the recommended assessments for the Business Process and System records owned by the company entity.

Risk and Assessments tab

Charts at the bottom of this tab show how many assessments are in Open, In Progress, In Review, and Approved states.

Assessment status charts at the bottom of the tab
📋 Note: By default, only 10 assessment records are displayed. Use the Search Assessment Name field to locate records not shown on the first page. All table columns are sortable. You must have access to Assessment Manager to create an assessment. When Create Assessment is clicked, the Create Assessment page opens in a new browser tab.
Risk & Assessments
Reviewing the Inherent Risk Score

To review the inherent risk score for business process and/or system records owned by the company affiliate, go to the Data Processing Risk subtab. Under the Step 1: Review Inherent Risk Score column, click Review Score, and then select either Business Process Score or System Score.

Step 1: Review Inherent Risk Score column

Depending on the record type selected, the Review System Risk or Review Business Process Risk modal appears. Select a record and update the inherent risk score.

Review Business Process Risk modal
📋 Note: When updating the inherent risk, review and confirm whether the "Suggested" Inherent Risk Score is accurate.
Starting a Residual Risk Assessment

After evaluating inherent risk, start an impact assessment to evaluate control effectiveness and calculate residual risk.

To start an assessment:

1

Under the Step 2: Complete Risk Assessment column, click Start Assessment, and then select Business Process Assessment or System Assessment depending on which record you would like to assess first.

Start Assessment button on Step 2 column

A Complete [Business Process or System] Data Processing Risk Assessment modal appears.

2

Select a business process or system record from the list, select an assessment template, and then click Start Assessment.

Complete Data Processing Risk Assessment modal
📋 Notes

Assessment template selection should be based on your company's risk tolerance or policies. Based on the country laws triggered, where applicable:

Select Mini PIA Controls Assessment if no (zero) risk factors are triggered.
Select PIA Controls Assessment if one risk factor is triggered.
Select DPIA Controls Assessment if two or more risk factors are triggered.

Risk factors are determined by the data elements, processing purposes, individual types, number of individual records, or data subject volume selected in the Business Process or System record. Multiple selections under a single risk factor count as one risk factor, except in the case of processing purposes.

If an assessment has already been created for the selected record, the Change Assessment and View Assessment buttons become available.

Change Assessment and View Assessment buttons
3

The system redirects you to the Assessment Manager setup page. From the Edit Assessment page, update the following sections as needed:

Assessment Details
Managers & Respondents
Users
Advanced Settings

For more information, see the Creating an Assessment section of the Assessment Manager User Guide.

4
Review and publish the assessment.
Downloading the Residual Risk Assessment Report
📋 Note: You can only download a report if the assessment is in In Review or Approved state.

To download the report, click Download Risk Report under the Step 3: Review Residual Risk Score & Download Report column, and then select Business Process Risk Report or System Risk Report.

Download Risk Report button on Step 3 column

Select a system or business process record, and then click Download Report. The report downloads as a .pdf file.

Download Report dialog
Reviewing the Data Transfer Risk Score

To review the data transfer risk score, go to the Data Transfer Risk subtab. Under the Step 1: Review Data Transfer Risk Score column, click Review Score, and then select a record type.

Step 1: Review Data Transfer Risk Score column

Select a business process or system record from the list, complete the following actions, and then click Save & Close.

Review Data Transfer Risk modal
Review the Risk Factors
Define the Inherent Risk. When updating the inherent risk, review and confirm whether the "Suggested" Inherent Risk Score is accurate.
Explain Your Risk Score Selection
Starting a Business Process or System Data Transfer Risk Assessment

The Data Transfer Residual Risk Score is calculated after a Business Process or System Data Transfer Risk Assessment is completed. This assessment gives you insight into your Data Transfer Risk at both record and organization levels.

To start a data transfer risk assessment:

1

Under the Step 2: Complete Risk Assessment column, click Start Assessment.

Start Assessment button on Data Transfer Risk Step 2 column
2

Select Business Process Assessment or System Assessment depending on which record owned by the company affiliate you would like to assess first. The Complete System Data Processing Risk Assessment modal appears after System Assessment is selected (the same modal appears for Business Process Assessment).

Complete System Data Processing Risk Assessment modal
3

Select a business process or system record from the list, select an assessment template, and then click Start Assessment.

Assessment template selection for a system record
📋 Notes

Assessment template selection should be based on your company's risk tolerance or policies. Based on the country laws triggered, where applicable:

Select Mini PIA Controls Assessment if no (zero) risk factors are triggered.
Select PIA Controls Assessment if one risk factor is triggered.
Select DPIA Controls Assessment if two or more risk factors are triggered.

Risk factors are determined by the data elements, processing purposes, individual types, number of individual records, or data subject volume selected in the Business Process or System record. Multiple selections under a single risk factor count as one risk factor, except in the case of processing purposes.

If an assessment has already been created for the selected record, the Change Assessment and View Assessment buttons become available.

Change Assessment and View Assessment buttons
4

The system redirects you to the Assessment Manager setup page. From the Edit Assessment page, update the following sections as needed:

Assessment Details
Managers & Respondents
Users
Advanced Settings

For more information, see the Creating an Assessment section of the Assessment Manager User Guide.

5
Review and publish the assessment.
Downloading the Data Transfer Risk Assessment Report
📋 Note: You can only download a report if the assessment is in In Review or Approved state.

To download the report, click Download Risk Report under the Step 3: Review Data Transfer Residual Risk Score & Download Report column, and then select a record type.

Download Risk Report button on Data Transfer Step 3 column

Select a system or business process record, and then click Download Report. The report downloads as a .pdf file.

Download Report dialog
Reviewing the AI Risk Score

To review the AI Risk score, go to the AI Risk subtab. Under the Step 1: Review AI Risk Score column, click Review Score, and then select a record type.

Step 1: Review AI Risk Score column on the AI Risk subtab

Select a business process or system record from the list, complete the following actions, and then click Save & Close.

Review AI Risk modal
Review the Risk Factors
Define the Inherent Risk. When updating the inherent risk, review and confirm whether the "Suggested" Inherent Risk Score is accurate.
Explain Your Risk Score Selection
Starting the AI Risk Assessment

The AI Risk score is calculated after a Business Process or System AI Risk Assessment is completed. This assessment provides clear insight into AI Risk at both the record and organization levels.

To start an AI Risk assessment:

1

Under the Step 2: Complete AI Risk Assessment column, click Start Assessment.

Start Assessment button on AI Risk Step 2 column
2
Select Business Process Assessment or System Assessment depending on which record owned by the company affiliate you would like to assess first. The Complete [Business Process or System] AI Risk Assessment modal appears.
3

Select a business process or system record from the list, select an assessment template, and then click Start Assessment.

Assessment template selection for a business process record
📋 Notes

Assessment template selection should be based on your company's risk tolerance or policies. Based on the country laws triggered, where applicable:

Select Mini PIA Controls Assessment if no (zero) risk factors are triggered.
Select PIA Controls Assessment if one risk factor is triggered.
Select DPIA Controls Assessment if two or more risk factors are triggered.

Risk factors are determined by the data elements, processing purposes, individual types, number of individual records, or data subject volume selected in the Business Process or System record. Multiple selections under a single risk factor count as one risk factor, except in the case of processing purposes.

If an assessment has already been created for the selected record, the Change Assessment and View Assessment buttons become available.

Change Assessment and View Assessment buttons
4

The system redirects you to the Assessment Manager setup page. From the Edit Assessment page, update the following sections as needed:

Assessment Details
Managers & Respondents
Users
Advanced Settings

For more information, see the Creating an Assessment section of the Assessment Manager User Guide.

5
Review and publish the assessment.
Downloading the AI Risk Assessment Report
📋 Note: You can only download a report if the assessment is in In Review or Approved state.

To download the report, click Download Risk Report under the Step 3: Review Residual AI Risk Score & Download Report column, and then select a record type.

Download Risk Report button on AI Risk Step 3 column

Select a system or business process record, and then click Download Report. The report downloads as a .pdf file.

Download Report dialog
Contacts
6

Click the Contacts tab, and then add the Legal and Privacy Team contacts.

Contacts tab of the company affiliate record

The following roles are available to assign to new contacts:

EU Representative
UK Representative
Data Protection Lead
Privacy Lead
Data Protection Champion
Privacy Champion
Local Representative
Data Privacy Officer
7
Click Close once the setup is complete.
TrustArc  ·  Creating a Company Affiliate Record  ·  support.trustarc.com