Create and manage privacy assessments (preview)
Microsoft Priva Privacy Assessments (preview) allows your organization to discover and document instances of personal data use to capture both the type of data being used and critical details about the nature of its use.
To create a privacy assessment, you follow a process for creating a customizable questionnaire. You can start by using a template that has predetermined questions, which you can modify. Or you can start with a blank assessment to build a custom assessment that suits your needs. Your organization can maintain and use multiple assessments that may have different use cases or applications. An assessment can be assigned to an unlimited number of projects or other business assets.
Assessment management page
The Assessment management page is where you can create assessments, view the status of your organization’s assessments, and manage responses and assets.
Assets tab
The Assets tab lists details for all of the assets that your organization registered when setting up the metamodel to use privacy assessments. From here you can interact with assessments within the context of the asset.
Select an asset name to view and edit its properties, which you defined when registering the asset.
Select Privacy from the left navigation in an asset to view all privacy assessments related to that asset.
Assign an asset to an assessment
- From the asset's Privacy page, select the Assign command (clipboard icon).
- A panel that lists all of your active assessments appears. Check the box next to the assessments you want to assign to the asset.
Assessments tab
The Assessments tab lists all assessments and basic status information, including:
Status: Draft, not yet available for assignment; or Published, can be assigned and responded to.
Note
An assessment can be listed in the table multiple times in a nested list. For example, you might have a published version of the assessment that's available for responses, and at the same time you might also be working on edits to that assessment. In this case, the assessment displays in the table with an arrow to expand the list. When expanded, a row lists the assessment with a Published status, and another row lists a new version of the assessment with a Draft status.
Version: When edits are made to an existing assessment, a new version is created which is numbered sequentially. This allows you to track which version of an assessment has been responded to.
Created by: The user who created the assessment.
Last updated: The date and time that the assessment was last modified.
Assessment responses tab
The Assessment responses tab lists assessment submissions with answer details including the user who submitted it, which project or other asset the response is assigned to, and the date and time the submission was last interacted with. This view enables the privacy team, or users with privacy curator role, to review assessment responses.
Select an assessment name to view the answers given to the questions. You also see the Risk score for the assessment based on the answers provided. Learn more about understanding the risk score.
Creating assessments
When you create an assessment, you build a questionnaire that respondents will answer and submit for review and approval. You can choose whether to start from scratch with a blank assessment, or start with a template with preconfigured questions that you can modify. In either situation, you can always customize the questions and how they’re organized to suit your needs.
What to consider before you start to build an assessment:
- What to name it.
- Who in your organization should review the responses and act as approvers.
- Set your risk settings in the risk register so you can assign a risk factor to a question and specific risk levels to answers.
Basic steps:
Create the assessment.
Build the questionnaire and save it.
Publish the assessment.
Assign assets and set designated reviewers as required.
Designated reviewers review and can approve or reject the response. If rejected, the respondent can correct any issues and submit it again until it’s approved.
Create the assessment
In privacy assessments, go to the Assessment management page.
On the Assessments tab, select New assessment. From the dropdown menu, select on of the following options:
From template: Choose from either a privacy impact assessment template, or a basic data use inventory assessment template, which provides suggested questions that you can customize. You can preview each template before making a selection. Templates are provided for informational purposes only and shouldn't be construed as legal advice.
Custom: You build out a set of questions.
Enter a Name and Description for your assessment then select Next.
At Assign reviewers, a list of users with the Privacy Curator role appears. Select the check box next to the user or users whom you want to designate as a reviewer and approver of submitted assessments. When multiple users are selected, any single user has the authority to review and approve an assessment that has been submitted for review. Only designated reviewers can approve or decline an assessment response. If no reviewers are selected, then any user with the privacy curator role can approve or decline responses specific to that assessment.
Select Create.
The assessment builder closes and you arrive at the Edit Assessment page. This page is where you build or customize the questions for the assessment.
Edit assessment questionnaire
When building the questionnaire, you can choose question types, arrange questions into sections, and add logic to a question. You can also designate a risk factor that a question can identify and the risk level to associate with each answer option. See Configure risk.
Add and configure questions
Each question is grouped under section headers. Sections allow you to group questions into sections and name each section. A blank questionnaire automatically populates with a Section 1 block. Add a name and description for the section.
In the top command bar on the Edit Assessment page, select the Question dropdown menu, then select the type of question you want to insert. The question options are explained below:
Text: Allows the respondent to enter a response in a free text field.
Choice: You create answer options that the respondent chooses by a radio button. This is a single select option. If you edit the question to become multi select, the format changes to Checkbox.
Checkbox: You create answer options that the respondent chooses by a checkbox. Checkboxes are multiselect options. If you edit the question to become single select, the format changes to the Choice.
Date: Respondent can select a date from a calendar.
Informational: This block doesn’t require an answer; it’s a free text field where you can provide guidance, links, or any other information at a certain point in the questionnaire. This information is visible to the respondent and becomes part of the record for a submitted response.
For each question, enter a Short title and explanatory text for the question. For Choice or Checkbox questions, populate the answer options, adding as many as needed. The section titles and short titles appear on the left side of the screen as you add them.
You can make the question required for respondents by selecting the Require answer toggle to the on position (button slides to the right and the area fills in blue).
Checkbox questions automatically populate as Multi select. You can turn off the multi select toggle within the question block, which changes it to a single select Choice type question. Similarly, Choice questions automatically populate as single select; if you switch on the Multi select toggle, the format changes to Checkbox.
Preview the questionnaire
At any time during assessment creation or editing, you can preview how the assessment will appear to the respondent by selecting Preview in the upper right corner of the screen. In preview, you can test the answer functionality and ensure that any logic that you applied to questions works as intended. To exit preview mode and return to your assessment editor, select Close preview.
Apply logic to hide or display a question
You can apply logic to show or hide a question to the respondent based on the answer of a previous question. Starting with the question that you want to hide or display, select the Add logic command, whose icon resembles an L, at the top of the question block. A Conditions section appears beneath the question.
Select the conditions by which you want this question to be shown or hidden. You can choose between Any, meaning any of the conditions have to be met, or All, which means all conditions must be met. When the conditions are met, the Action options are to Hide or Show the question. You can test how the logic functions by selecting Preview and answering the preceding question.
Logical conditions are defined based on answers to previous choice or checkbox question types. To create a condition, you select the short title field of the previous question, the answer to which determines if this question is hidden or shown. Complete the logical condition by indicating which answers, or combinations of answers, will make the condition true. Then determine whether a true condition should hide or show the question.
Logic can only be applied to individual questions, not to sections.
Configure risk
You can assign a risk factor to a question, which allows you to designate the type of risk revealed by the answer and the level of risk depicted in the answer.
To set risk parameters for a question, slide the Configure risk toggle switch to the right, which is the on position. A Risk type field appears blow the toggle switch. The options in the Risk type dropdown menu correspond to the risk categories you set up in Risk settings.
For Choice and Checkbox questions, if you select a risk type, a dropdown menu appears next to each answer option. For each answer, select a risk level:
- No risk
- Low risk
- Medium risk
- High risk
Risk level definitions are determined by your organization. See Set risk settings for details about determining a risk framework for your organization.
Note
If risk is configured for a question, that risk information is not seen by the respondent when filling out the assessment. Risk information is only viewable to the assessment’s creator and reviewers.
Save the questionnaire
The assessment autosaves as you go. When you finish adding questions, it's a good idea to select Save in the upper right corner of the screen. The assessment is in Draft status, meaning it hasn't yet been published. You can continue to edit the assessment by selecting it from its row on the Assessments tab on the Assessment management page. Then on the assessment details page, select Edit.
An assessment must be published in order to move it from draft status and make it assignable.
Set risk settings in the risk register
On the Risk register page, you can outline and define the factors that you think contribute to privacy risk at your organization based on how personal data is used. The risk register allows you to create a framework in order to assess the overall risk level of the asset that is being assessed.
In the risk register, you create and define Risk factors based on what makes sense for your organization. For example, you might have a category that refers to a certain data type, such as Personal health data, or a category that refers to a high risk use of data, such as Purpose. How you categorize, define, and label risk categories is up to your organization.
For each Risk factor, you assign a level of risk for that category: Low, Medium, or High. How you define low, medium, and high, and which level you decide for a category, is up to your organization.
Learn how to set up your risk categories.
Understanding your risk score calculation
Risk factors are assigned at the question level, where you assign a risk type to a specific question. For single and multiselect questions, you can also designate a specific risk level of low, medium, or high risk for each answer value.
When respondents answer a question in an assessment response, the level of risk is automatically identified for multiple or single select questions. For text based answers where a risk factor is assigned, the reviewer has the opportunity to designate the risk level of low, medium, or high during review and based on the content of the answer (learn how).
Questions in a response will be annotated with the risk type that was assigned to them, as well as the highest risk level identified. For example, in a multiselect question, if answers are selected that are designated as both medium and high risk, that question is assigned a risk level of high.
A risk score is also calculated for the risk assessment in its entirety.
Each assessment that you create and add risk values to is considered a standardized scale against which each response can be measured. Each question in an assessment with identifiable risk is assigned a value based on the highest possible risk that could be selected in a response.
For a multiselect question, different answer options might have been assigned values of low, medium, and high. This question would be assigned a risk score of high, representing the highest risk that can be registered in a response for that question.
Text based questions are assigned the default risk value set in the risk settings when you created the risk factor.
The risk value of all assessment questions is summed up for each assessment.
For each assessment response, the risk values based on actual responses are added up and compared to the maximum risk calculation for that assessment.
The actual response risk divided by maximum potential risk yields a risk score as a percentage. This depicts the risk identified in an actual response relative to the potential overall risk that could have been identified by that assessment.
The score is then converted from a percentage to an integer. For example, if an assessment response equals 65-74% of the maximum potential response risk, it receives a score of 7.
The scores represent:
- 1 - 3 low risk
- 4 - 7 medium risk
- 8 - 10 high risk
All projects or uses of data assessed against a common assessment are evaluated against the same rubric. The scores indicate the relative risk level of each.
Set up your risk categories in Risk settings
When building an assessment, you can configure risk for a question and then assign a risk factor to that question from the list of risk factors your organization created. If you configure risk for Choice and Checkbox questions, you set a risk level of Low, Medium, or High for each answer option. Risk levels are registered automatically when a respondent answers the question and submits the response.
For a Text question, you can assign a risk factor but the level of risk must be designated during assessment review based on the content of the response to that question.
Here's an example of why you might want to assign an open ended risk to a text question: You might ask a question about whether a respondent intends to use biometric data. A binary yes or no might not reveal the full extent of the risk. By applying logic, you can ask a follow-up text question asking for an explanation of the use case and any protective measures. You can designate this question as having "biometric data risk" or "sensitive data risk." The reviewer with the full context of the answer can determine if this question reflects a low, medium, or high risk.
Respondents can't see risk settings for questions when filling out the assessment. Risk information is only viewable to the assessment’s creator and reviewers.
To set up a risk category:
Go to the Risk register page and select Risk settings in the top right corner. A Risk settings window appears.
Select Add risk factor.
Add a Category name, Description, and set a Risk rating of Low, Medium, or High.
Select Add.
The category you added now appears on the Risk settings window. The associated risk level you chose for the factor is shaded in gray.
To edit a category’s properties or risk level, select the pencil icon to its right. You can archive a category by selecting the trash icon to its right. When you archive a category, it remains in the system to support legacy assessments with those risk designations but can’t be included in a new assessment.
When a respondent submits an assessment, a Risk score is provided based on the answers according to the risk settings. You can see the risk score by going to the Assessment responses tab on the Assessment management page and selecting an assessment.
View organizational privacy risk
View privacy risk in the risk register
If you want to view risk across projects and other assets, you can do so on the Risk register page. The risk register presents two views of risk across your organization.
The View by assessment response tab: This view shows risk per assessment response, with each response grouped under the project or asset that it pertains to. The Assessment risk score is the aggregate risk score calculated for an assessment response, reflecting total privacy risk from a response.
The View by risk factor tab: This risk view is also grouped by the project or asset that the risk pertains to. But instead of reflecting aggregate risk for a risk response, the tab depicts each risk factor that was present in any of the risk responses for that asset, the number of times that risk factor was identified, and the risk level of each occurrence.
View privacy risk in the risk response tab
If you want to review all questions from all assessment responses that relate only to a specific asset, you can navigate to the relevant asset's details page. Locate an asset by going to the Assessment management page and selecting the Assets tab. You can also search for the asset in the Data Catalog.
On the asset's details page, select the Risk Responses tab on the left navigation. Here you see an account of each assessment completed for the asset, and the questions in each assessment that carry identified privacy risk. You can view the question and answer, the risk type, and the risk level. You can also manage or edit the risk from this location.
Save as a draft and publish the assessment
When you save work on an assessment, it appears on the Assessments tab on the Assessment management page with a Draft status. The assessment can be edited but it’s not yet available to send to respondents to complete.
When you’re ready to make the assessment available for users to complete, you first need to publish it. Select the draft assessment from the list on the Assessments tab, then select Publish in the upper right corner of the page. The assessment is now available to assign to a user in your organization.
Assign assessment to an asset
On the Assessments tab on the Assessment management page, select the assessment to open its details page. This page contains details about the assessment, including how many were sent out for completion, how many are in progress, and how many were submitted.
Select Assign near the top of the page. From the Assign assessment window you can make two selections:
- Assets: Select one or more assets to assign to the assessment, then select Next.
- Reviewers: Select one or more users as reviewers, who will approve or reject the submitted assessment. The select Assign.
Respond to and submit an assessment
When an assessment is assigned to an asset, the owner gets an email that an assessment was assigned. The email links to the asset in the Data Catalog. The Privacy page in the asset lists all assessments assigned to it, along with details about when the assessment was assigned, its completion status, and date completed.
Select the name of the assessment you want to take, which opens up the assessment’s questionnaire. You can save progress and come back later to complete by selecting Save in the top right corner of the screen.
When you’re ready to submit your completed assessment, select the Submit option from the dropdown command next to the Save button.
The assessment now has a status of Submitted on the asset's Privacy page. The assessment’s reviewers can now review the assessment response to approve or decline it.
Review and approve an assessment response
A reviewer for an assessment receives an email when an assessment response is submitted. The reviewer can select the link in the email to go to the assessment or access the submission by finding it on the list on the Assessment responses tab on the Assessment management page.
Find the response listed under the Assessment name column with a Submitted status. Select the assessment name to open the response and review the answers to the questions. A Risk score panel on the right side displays a risk score based on the answers provided. Each question indicates a risk level if one was detected, and the panel at right displays the overall risk for the assessment response. You can close the panel by selecting X, and show the panel again by selecting the Risk score button.
To approve the assessment response, select Approve in the top right corner of the screen.
If risk was detected for the response and you decide to decline it, select Decline. The respondent is notified saying that the assessment was declined.
Responding to a declined assessment
The project owner sees the assessment listed on the Privacy tab of the project details page with a status of Declined. The project owner can select the assessment, see their previous answers, and edit their answers. Select Save if you need to save progress and continue working on answers at a later time. When ready to resubmit to the reviewer, select Submit.
Edit the risk for a question while reviewing a response
You can change the designated risk level for a question during review or even after approving a response. For example, if you gained additional information or context since you first created the questionnaire, you might decide that the original risk level was incorrect and that you need to recalibrate the risk level.
To edit the risk level, select the pencil icon next to the risk level for a question. The Edit risk flyout pane appears. You can change the risk level and risk type from the dropdown menus and add a Change description that explains the adjustments. Set the Risk status as Active if it's still relevant, or Inactive if the risk is no longer relevant. All changes are captured in the Risk history section of the panel.
Select Save to save your changes. Notice any changes to the risk score on the assessment response page.
Legal disclaimer
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for