Important notice
The Classic Experience will be sunset on Aug. 1. If you have questions, contact your Customer Success and Implementation Manager, Account Manager, or support@trustarc.com.
A Standard Business Process Record uses a template that lets you add data elements and processing purposes at the system record level. Once your system records are configured, you can create a data flow that details the movement of data elements between entities. This template supports the creation of Article 30 and Business Process summary reports.
This article walks through all nine tabs of the Standard Business Process Record — from capturing general details and system selections through to legal basis, risk assessments, and finalizing the record.
What you can do
✓Create a Standard Business Process Record using the Type 1 template
✓Add systems, data subjects, data elements, and processing purposes
✓Map data flows between systems and visualise them as a flowchart or geographic map
✓Assign legal bases for processing purposes and document security and retention controls
✓Review risk scores and link formal assessments such as DPIAs
✓Submit, publish, or route the record for approval
Prerequisites
✓Active TrustArc Assessment Manager account with permissions to create Business Process Records
✓Relevant System Records already exist in the System Inventory, or you are prepared to create new systems during the process
✓You know the name and purpose of the business process you are documenting
✓You have the contact details of the record owner and any relevant DPO or EU representative
📋 Notes
The Open FlowChart, Open Map, Comments, Attachments & Links, Notes, and Copy Record Link functions are centralised within the top navigation of the record and are available on any step.
When comments, notes, or attachments and links are added, a count indicator becomes visible on the corresponding icon.
When editing the Revalidation Date, you can opt to receive an in-app notification when it is time to revalidate. Set the Notification Type to In-app task.
Click the Activity log icon at any time to see who made changes to the record and when.
Creating a Business Process Record
1. From the left side of the page, hover over the Data Mapping & Risk Manager icon, and then select Business Processes.
2. From the top-right corner, click Add New, and then select New Business Process.
3. Select Standard Business Process Template (Type 1), and then click Continue.
📋 Note: The simplified Business Process Record template lets you add data elements and processing purposes at the record level rather than the system level, making it quicker to create records and generate reports. For more information, see Creating a simple business process record.
Step 1 — Complete the Details tab
The Details tab is the starting point of every Business Process Record. It captures the record name, a description of the business process, and the owning contacts responsible for the record.
Enter a clear, descriptive name for the business process. This name appears throughout the platform and in reports.
Range of People Involved | Optional | Select from the dropdown the range or category of people whose data is processed (e.g., Employees, Customers).
Description | Optional | Use the rich text editor to describe what this business process does and why personal data is collected.
Entities with access | Required | Select which entities should have access to this record. Entities are pre-configured in your account.
1.2 Add Owning Organizations and Contacts
The Owning Organizations and Contacts section identifies which organizational entity owns the record and assigns the key contacts responsible for it — including the Data Protection Officer (DPO), EU Representative, and Business Process Owner.
1. Click Add. The Add New Owner dialog appears.
2. Enter the following information:
Field | Required? | Description
Owning Entity | Required | Select the organization that owns this Business Process Record from the list of entities configured in your organization hierarchy.
Role | Optional | Select the role this entity plays in relation to this business process (e.g., Data Controller, Data Processor).
Reporting Organization for Article 30 Report | Optional | Check this box if this entity should be listed as the Reporting Organization in the Article 30 Record of Processing Activities report.
3. Review the Data Protection Officer and EU Representative section. It displays DPO and EU Representative contacts already linked to the selected owning entity.
•Review the DPO & EU Representative table. It shows: Name, Role, Email, and Include in A30 Report.
•If the table shows "No DPO or EU Representative Contacts available," none have been configured for this entity yet.
•To add or update contacts, click Update DPO or EU Representatives. Complete the update and return to the dialog.
📋 Note: DPO and EU Representative contacts are managed at the organization level. Any changes made via Update DPO or EU Representatives will apply across all records linked to that owning entity.
4. Review the Business Process Owner section. Confirm the correct owner is displayed. If it is empty or incorrect, contact your TrustArc administrator to update the assignment.
5. Click Save. The dialog closes and the new owning organization appears as a row in the Owning Organizations and Contacts table. Confirm the row displays correct values across all columns: Name, Role, DPO & EU Representatives, Reporting Organization, Record Owner Name, Email, and Department.
📋 Note: Changes to Owning Organizations and Contacts are saved automatically when you click Save in the dialog. You do not need to save the entire record separately.
Step 2 — Complete the Systems Selection tab
The Systems Selection tab identifies which systems — applications, tools, databases, or third-party services — are used in this business process. Each system added here also appears in the Build Data Flow tab.
2.1 Add a System
You can add systems from the existing System Inventory or create a new system directly.
1. Click the Add button in the left panel.
2. A dropdown appears with two options:
•Add System From Inventory — Search for and select a system that already exists in your System Inventory.
•Create New System — Opens a form to create a new system record on the spot.
3. Select Add System From Inventory. A search field appears.
4. Type the system name and select it from the results.
5. The system appears in the left panel with its name, vendor, and a data controller type indicator.
2.2 Configure a System
Click on a system in the left panel to configure it. The right panel displays five sub-tabs:
Data Subjects
Add data subjects that send information to this system in the context of this business process.
•Click Add in the Data Subjects sub-tab. Search for a data subject and select it.
•The table populates with: Data Subject name, Category, and Locations.
Data Recipients
Add any external parties or systems that receive data from this system.
•Click Add in the Data Recipients sub-tab. Search for and select a recipient.
Data Elements
Specify the categories of personal data handled by this system.
•Click Add in the Data Elements sub-tab. Select the data elements relevant to this system and business process.
Hosting Locations
Specify where this system's data is hosted geographically.
•Click Add in the Hosting Locations sub-tab. Select the relevant hosting locations.
Processing Purposes
Define why data is processed in this system for this business process.
•Click Add in the Processing Purposes sub-tab. Select the applicable processing purposes.
📋 Note: Use the three-dot menu (1) next to each system in the left panel to remove it or access additional options. Click Go to System Record (2) in the top-right corner to view the full system record in the System Inventory.
Step 3 — Complete the Build Data Flow tab
The Build Data Flow tab lets you map how data moves between the systems and data subjects configured in the previous tabs. Each system added in Systems Selection appears here for further configuration.
📋 Notes
•The left panel lists all systems from Systems Selection. Use the search field to find a specific system.
•Flowchart View displays the data flow as a process diagram. Map View displays it geographically.
•Configurations made in Systems Selection persist to the Sends Data To and Receives Data From tabs.
•If a system was not configured in Systems Selection, configurations from the data inventory persist instead.
3.1 Configure the Data Flow for Each System
Click a system in the left panel. The right panel shows two tabs:
Sends Data to [System]
Configure what data subjects and systems send data into the selected system.
•Under Data Subjects, click Add to add data subjects that send information to this system. The table shows: Data Subject, Category, Location, Data Elements, and Sale of Data.
•Under Systems, click Add to add other systems that send information to this system. Use the Sale of Data toggle if any transferred data is sold — changes are saved automatically.
Receives Data From [System]
Configure what data subjects and systems receive data from the selected system.
•Click Add under Data Recipients to add recipients that receive data from this system.
•Click Add under Systems to add other systems that receive data from this system.
3.2 Configure Hosting Locations and Notes
•Click Configure Locations next to Hosting Locations to specify where the selected system's data is hosted.
•In the Notes field, enter any relevant notes about this system's role in the data flow.
3.3 Preview the Data Flow
In the left panel, click Flowchart View to see a visual diagram of how data flows between all configured systems and data subjects.
Click Map View to see the data flow displayed geographically by hosting location.
Step 4 — Complete the Purposes & Elements tab
The Purposes & Elements tab lets you add any additional data elements or processing purposes at the overall business process level that were not captured through Systems Selection. It also includes an Artificial Intelligence disclosure section.
4.1 Add Data Elements
•In the Data Elements section, click + Add. Search for and select a data element.
•The table populates with the Data Element name and Category. Repeat to add all relevant data elements.
•To remove entries, select the checkbox next to a row and click Bulk Delete, or use the individual row delete option.
4.2 Add Processing Purposes
•In the Processing Purposes section, click + Add. Search for and select a processing purpose.
•The table populates with the Processing Purpose name and Category. Repeat to add all relevant purposes.
4.3 Disclose Artificial Intelligence Usage
The Artificial Intelligence section records whether AI is used to process personal data in this business process. Select one of the following options:
•Yes, AI is utilized to process data in this record — Select if any AI tool or model processes personal data in this business process.
•No, AI is not utilized to process data in this record — Select if no AI is involved.
•It's unknown if AI is utilized to process data in this record — Select if you are unsure at the time of completing the record.
In the Notes field, enter any additional context that does not fit the structured fields above.
📋 Tip: If all data elements and processing purposes were fully configured during Systems Selection, you may not need to add anything on this tab. Review to confirm before proceeding.
Step 5 — Complete the Security & Retention tab
The Security & Retention tab documents how long personal data is retained and what security controls are in place to protect it throughout this business process.
5.1 Set the Retention Period
•Enter a value in the Time Period field (e.g., "12").
•Select the Time Interval from the dropdown (e.g., Months, Years, Days).
•If the required interval is not listed, set Time Interval to Custom and enter a value in the Custom Time Interval field.
•To reset the retention period fields, click Clear.
📋 Note: Hover over the ⓘ icon next to Retention Period for a tooltip. Retention periods should align with your organization's data retention policy and applicable regulations.
5.2 Select Security Controls
•Click the Select Security Controls dropdown. A searchable list of available controls appears.
•Check the box next to each applicable security control. Multiple selections are allowed. Use the search field to find a specific control quickly.
•Click outside the dropdown to close it. Selections are saved automatically.
📋 Tip: Select only the security controls that are genuinely in place for this business process. Overstating controls can create compliance risk if the record is reviewed during an audit.
Step 6 — Complete the Custom BP Questions tab
The Custom BP Questions tab presents additional questions configured by your organization's administrator. These questions supplement the standard fields and are tailored to your organization's specific compliance or operational requirements. You must complete this tab before proceeding to the Legal Basis step.
Answer the Custom Questions
Questions may appear as checkboxes (select all that apply), radio buttons (select one answer), or dropdowns. Answer each based on the specifics of your business process.
•Complete all questions on the tab. Questions marked as required must be answered before the record can be submitted.
•Answers are saved automatically as you make selections.
The Legal Basis tab is where you assign the legal justification for each processing purpose associated with this business process record. This is a key compliance requirement under regulations such as GDPR. The table is populated automatically based on processing purposes added in Steps 2 and 4.
Assign a Legal Basis to Each Processing Purpose
•Review the list of processing purposes in the table. Each row represents one processing purpose tied to a category.
•In the Legal Basis column for each row, click the dropdown and select the appropriate legal basis (e.g., Consent, Legitimate Interests, Legal Obligation, Contract). Repeat for every row.
•Use the pagination controls at the bottom of the table to navigate between pages if there are more than five processing purposes.
📋 Note: If the Legal Basis table is empty, no processing purposes have been added yet. Return to the Systems Selection tab (Step 2) or the Purposes & Elements tab (Step 4) to add them first.
📋 Tip: The legal basis you select should reflect your organization's actual justification for the processing activity. Consult your Data Protection Officer or legal team if you are unsure which basis applies.
Step 8 — Complete the Risk & Assessments tab
The Risk & Assessments tab provides a three-step risk workflow for each risk category and lets you link formal assessments (such as DPIAs) to this business process record.
8.1 Review Risk Scores
Three risk categories are displayed, each with a three-step workflow: Review Risk Score → Complete Risk Assessment → Review Residual Risk Score & Download Report.
Data Processing Risk
•Review Step 1: Review Inherent Risk Score. Status shows Incomplete until the record has sufficient data.
•Click Review Score to open the risk score details.
•Once Step 1 is complete, click Start Assessment in Step 2 to launch a risk assessment.
•After the assessment is approved, click Download Risk Report in Step 3.
Data Transfer Risk
•Follow the same three-step process: Review → Complete → Review Residual.
•Steps 1 and 3 show as Unavailable until the record contains sufficient data transfer information from the Build Data Flow tab.
AI Risk
•Follow the same three-step process: Review AI Risk Score → Complete AI Risk Assessment → Review Residual AI Risk Score.
•The AI Risk score reflects the AI disclosure made in the Purposes & Elements tab. Click Review Score to inspect the calculated risk level.
8.2 Manage Linked Assessments
•Review the assessment summary counters: Open, In Progress, Pending Approval, Failed, Approved, and Total.
•To link an existing assessment, click + Add and search for it by name.
•The assessments table shows: Assessment Name, Template, Status, and Owner.
📋 Note: Risk scores are calculated automatically based on data entered across all tabs. A score showing as Incomplete or Unavailable means more information is needed in earlier tabs.
Step 9 — Complete the Tags tab
The Tags tab lets you classify the Business Process Record using your organization's configured tag groups. Tags make records easier to search, filter, and report on across the platform.
Assign Tag Values
•Review the tag groups displayed on the tab. Each group accepts one or more values depending on its configuration (single-select or multi-select).
•For each tag group, click the dropdown and select the appropriate value or values. For multi-select dropdowns, each selected value appears as a tag chip within the field.
•Repeat for all tag groups shown on the tab.
📋 Note: Tag groups and available values are managed by your administrator. If a tag group or value you need is missing, contact your administrator to have it added.
📋 Tip: Applying consistent tags across all Business Process Records makes it significantly easier to filter, search, and generate reports across your record inventory.
Finalizing the Business Process Record
Once all nine tabs have been completed, you are ready to change the record status from Draft and submit it for review or publish it.
1. Review each tab to confirm all required fields are complete and all information is accurate.
2. In the top-right corner of the form, click the Draft status dropdown.
3. Select the appropriate status for your workflow (e.g., Published, In Review). Available options depend on your organization's configuration.
4. If your organization uses an approval workflow, the record is routed to the designated approvers automatically upon status change.
5. To set or update when this record should next be reviewed, click Edit Revalidation Date and select a date.
6. Click Close to exit the Business Process Record form. All changes are saved automatically.
TrustArc Data Mapping & Risk Manager · Creating a Standard Business Process Record · support.trustarc.com