Important notice
The Classic Experience will be sunset on Aug. 1. If you have questions, contact your Customer Success and Implementation Manager, Account Manager, or support@trustarc.com.
Company affiliate records represent sub-organizations, affiliates, or subsidiaries of a primary company entity in TrustArc Data Inventory. Before setting up System records, you should first set up your company affiliate records to ensure the correct organizational hierarchy is in place.
This article explains how to create and configure a company affiliate record, including completing the Details and Contacts tabs, using the top navigation features (logo upload, activity log, and tags), and working with Risk & Assessments — covering inherent risk scores, residual risk assessments, data transfer risk, and AI risk.
What you can do
✓ Create and configure a company affiliate record in Data Inventory
✓ Upload a logo, view activity logs, and manage tags from anywhere in the record
✓ Review and update inherent risk scores for data processing, data transfer, and AI risk
✓ Start residual risk assessments and download risk reports
✓ Add Legal and Privacy Team contacts to the record
Prerequisites
✓ Active TrustArc account with Data Inventory access
✓ Company affiliate records must be set up before System records
✓ Access to Assessment Manager is required to create assessments
Top Navigation Features
The Upload Logo (1), Record Link (2), Activity Log (3), and Tags (4) features are centralized within the top navigation of the company affiliate record. This allows you to use these features at any step during record creation.
Upload Logo
Click the Upload Logo field to upload the company affiliate's logo. Once uploaded, right-click the logo to replace or delete it.
Activity Log
Click the Activity Log icon to open a panel on the right side of the page showing the record's activity logs.
Tags
Click the Tags link to open a panel on the right side of the page showing tags and tag groups associated with the record. From this panel, you can also create and save new tags.
Creating a Company Affiliate Record
To set up a company affiliate record, follow these steps:
1. From the left side of the page, hover over the Data Mapping & Risk Manager icon, and then select Data Inventory.
📋 Note: The All Records tab is selected by default.
2. Click to open the Company Records tab.
3. From the top-right corner of the page, click Add New, and then select Company Affiliate Record.
4. Complete the Details tab. At minimum, you must enter the company name and the country where the company affiliate is located.
📋 Note: You can configure the Owned By field (1) via the Organization Hierarchy application. To access it, click Configure Owned by In Organization Hierarchy.
5. Click the Risk & Assessments tab, review the Risk Scores, and complete the recommended assessments for the Business Process and System records owned by the company entity.
Charts at the bottom of this tab show how many assessments are in Open, In Progress, In Review, and Approved states.
📋 Note: By default, only 10 assessment records are displayed. Use the Search Assessment Name field to locate records not shown on the first page. All table columns are sortable. You must have access to Assessment Manager to create an assessment. When Create Assessment is clicked, the Create Assessment page opens in a new browser tab.
Risk & Assessments
Reviewing the Inherent Risk Score
To review the inherent risk score for business process and/or system records owned by the company affiliate, go to the Data Processing Risk subtab. Under the Step 1: Review Inherent Risk Score column, click Review Score, and then select either Business Process Score or System Score.
Depending on the record type selected, the Review System Risk or Review Business Process Risk modal appears. Select a record and update the inherent risk score.
📋 Note: When updating the inherent risk, review and confirm whether the "Suggested" Inherent Risk Score is accurate.
Starting a Residual Risk Assessment
After evaluating inherent risk, start an impact assessment to evaluate control effectiveness and calculate residual risk.
To start an assessment:
1. Under the Step 2: Complete Risk Assessment column, click Start Assessment, and then select Business Process Assessment or System Assessment depending on which record you would like to assess first. A Complete [Business Process or System] Data Processing Risk Assessment modal appears.
2. Select a business process or system record from the list, select an assessment template, and then click Start Assessment.
📋 Notes
Assessment template selection should be based on your company's risk tolerance or policies. Based on the country laws triggered, where applicable:
• Select Mini PIA Controls Assessment if no (zero) risk factors are triggered.
• Select PIA Controls Assessment if one risk factor is triggered.
• Select DPIA Controls Assessment if two or more risk factors are triggered.
Risk factors are determined by the data elements, processing purposes, individual types, number of individual records, or data subject volume selected in the Business Process or System record. Multiple selections under a single risk factor count as one risk factor, except in the case of processing purposes.
If an assessment has already been created for the selected record, the Change Assessment and View Assessment buttons become available.
3. The system redirects you to the Assessment Manager setup page. From the Edit Assessment page, update the following sections as needed:
• Assessment Details
• Managers & Respondents
• Users
• Advanced Settings
For more information, see the Creating an Assessment section of the Assessment Manager User Guide.
4. Review and publish the assessment.
Downloading the Residual Risk Assessment Report
📋 Note: You can only download a report if the assessment is in In Review or Approved state.
To download the report, click Download Risk Report under the Step 3: Review Residual Risk Score & Download Report column, and then select Business Process Risk Report or System Risk Report.
Select a system or business process record, and then click Download Report. The report downloads as a .pdf file.
Reviewing the Data Transfer Risk Score
To review the data transfer risk score, go to the Data Transfer Risk subtab. Under the Step 1: Review Data Transfer Risk Score column, click Review Score, and then select a record type.
Select a business process or system record from the list, complete the following actions, and then click Save & Close.
• Review the Risk Factors
• Define the Inherent Risk. When updating the inherent risk, review and confirm whether the "Suggested" Inherent Risk Score is accurate.
• Explain Your Risk Score Selection
Starting a Business Process or System Data Transfer Risk Assessment
The Data Transfer Residual Risk Score is calculated after a Business Process or System Data Transfer Risk Assessment is completed. This assessment gives you insight into your Data Transfer Risk at both record and organization levels.
To start a data transfer risk assessment:
1. Under the Step 2: Complete Risk Assessment column, click Start Assessment.
2. Select Business Process Assessment or System Assessment depending on which record owned by the company affiliate you would like to assess first. The Complete System Data Processing Risk Assessment modal appears after System Assessment is selected (the same modal appears for Business Process Assessment).
3. Select a business process or system record from the list, select an assessment template, and then click Start Assessment.
📋 Notes
Assessment template selection should be based on your company's risk tolerance or policies. Based on the country laws triggered, where applicable:
• Select Mini PIA Controls Assessment if no (zero) risk factors are triggered.
• Select PIA Controls Assessment if one risk factor is triggered.
• Select DPIA Controls Assessment if two or more risk factors are triggered.
Risk factors are determined by the data elements, processing purposes, individual types, number of individual records, or data subject volume selected in the Business Process or System record. Multiple selections under a single risk factor count as one risk factor, except in the case of processing purposes.
If an assessment has already been created for the selected record, the Change Assessment and View Assessment buttons become available.
4. The system redirects you to the Assessment Manager setup page. From the Edit Assessment page, update the following sections as needed:
• Assessment Details
• Managers & Respondents
• Users
• Advanced Settings
For more information, see the Creating an Assessment section of the Assessment Manager User Guide.
5. Review and publish the assessment.
Downloading the Data Transfer Risk Assessment Report
📋 Note: You can only download a report if the assessment is in In Review or Approved state.
To download the report, click Download Risk Report under the Step 3: Review Data Transfer Residual Risk Score & Download Report column, and then select a record type.
Select a system or business process record, and then click Download Report. The report downloads as a .pdf file.
Reviewing the AI Risk Score
To review the AI Risk score, go to the AI Risk subtab. Under the Step 1: Review AI Risk Score column, click Review Score, and then select a record type.
Select a business process or system record from the list, complete the following actions, and then click Save & Close.
• Review the Risk Factors
• Define the Inherent Risk. When updating the inherent risk, review and confirm whether the "Suggested" Inherent Risk Score is accurate.
• Explain Your Risk Score Selection
Starting the AI Risk Assessment
The AI Risk score is calculated after a Business Process or System AI Risk Assessment is completed. This assessment provides clear insight into AI Risk at both the record and organization levels.
To start an AI Risk assessment:
1. Under the Step 2: Complete AI Risk Assessment column, click Start Assessment.
2. Select Business Process Assessment or System Assessment depending on which record owned by the company affiliate you would like to assess first. The Complete [Business Process or System] AI Risk Assessment modal appears.
3. Select a business process or system record from the list, select an assessment template, and then click Start Assessment.
📋 Notes
Assessment template selection should be based on your company's risk tolerance or policies. Based on the country laws triggered, where applicable:
• Select Mini PIA Controls Assessment if no (zero) risk factors are triggered.
• Select PIA Controls Assessment if one risk factor is triggered.
• Select DPIA Controls Assessment if two or more risk factors are triggered.
Risk factors are determined by the data elements, processing purposes, individual types, number of individual records, or data subject volume selected in the Business Process or System record. Multiple selections under a single risk factor count as one risk factor, except in the case of processing purposes.
If an assessment has already been created for the selected record, the Change Assessment and View Assessment buttons become available.
4. The system redirects you to the Assessment Manager setup page. From the Edit Assessment page, update the following sections as needed:
• Assessment Details
• Managers & Respondents
• Users
• Advanced Settings
For more information, see the Creating an Assessment section of the Assessment Manager User Guide.
5. Review and publish the assessment.
Downloading the AI Risk Assessment Report
📋 Note: You can only download a report if the assessment is in In Review or Approved state.
To download the report, click Download Risk Report under the Step 3: Review Residual AI Risk Score & Download Report column, and then select a record type.
Select a system or business process record, and then click Download Report. The report downloads as a .pdf file.
Contacts
6. Click the Contacts tab, and then add the Legal and Privacy Team contacts.
The following roles are available to assign to new contacts: