Create privacy rules for privacy assessments (preview)
In Microsoft Priva Privacy Assessments (preview), you can create privacy rules so that assessments can be automatically assigned when rule conditions are met based on the state of the Purview Data Map. Using a simple condition builder, you create a rule based on data classifications, sensitive information types (SITs) in the Microsoft Purview Data Map, or other metadata like attributes. The rule routinely surveys your data map to determine if any of the states meet the conditions of the rules that you defined. When the conditions of the rule are met, an assessment can be automatically assigned to those projects without having to be manually assigned.
There are primarily two types of privacy rules. The first rule type evaluates your business assets (for example, projects) in the context of the data assets or data processes that are related to it. The second rule type identifies active data processes (for example, pipelines) that meet the conditions of the rule based on the data classifications or SITs that are processed.
Tip
The data classifications available for defining privacy rules include the classifications provided in the data map, as well as any custom classifications created by your organization.
Rule components
A privacy rule is composed of three parts:
Purpose: Determines whether your rule identifies a business asset (for example, project) and related data, or active data processes (for example, an Azure Data Factory Pipeline) that meet the rule conditions.
Target: The type of entity that is assigned an assessment if rule conditions are met; for example, the type of business asset or the type of data process that should be evaluated.
Conditions: Define the state that the rule evaluates for. When the conditions are true, the action specified in the next step is taken.
Steps to create a privacy rule
In privacy assessments, go to the Privacy rules page and select New. Add a Rule name and a Description, then progress through the steps listed below.
Step 1. Select the purpose of this rule. Designate what the rule evaluates:
Identify business uses of personal or sensitive data that require assessment (most common): Use this option to evaluate logical business assets in the data map, such as a project or a business process. If the business asset or physical data or processes it's related to meet the conditions you define in this rule, a privacy assessment you choose is automatically assigned to the business asset.
Identify active processes across your data estate that use personal or sensitive data: This option allows the privacy rule to identify active data processes across your data estate. The processes can be data pipelines, copy or transform activities, or other sets of actions that impact your data estate but aren't necessarily represented with an association to a logical business asset indicating their use. If these processes meet the condition of the rule, you can identify them, automatically assign an assessment, and evaluate why they're processing in-scope data.
Go to the tab below that aligns with your rule's purpose to view the rest of the steps.
- Identify business uses of personal or sensitive data that require assessment
- Identify active processes across your data estate that use personal or sensitive data
Step 2. Select the type of business asset that this rule will evaluate
Select the type of asset that the rule applies to. If your organization created custom asset types, they appear in the dropdown menu selection along with the default Microsoft Purview asset types.
Note
Privacy rules can only apply to one business asset type at a time. If you wish to evaluate several types of assets, you will need to create multiple rules.
Step 3. Define rule conditions
Build the conditions that, when met, will assign an assessment. You can add multiple conditions, one at a time, by selecting Add condition.
Use the dropdown menu to select whether the rule applies when All or Any of the conditions you're about to set are met. In the condition builder:
The Define a specific relationship in your data map (optional) toggle is optional; leaving it Off is the common setting. If you leave the toggle off, make the following selections:
At Condition type select one of the following options:
- Data classification: Defines the condition based on known data classifications on an in-scope asset.
- Attribute: Defines the condition based on standard metadata fields for each asset type, such as name, description, and start and end dates.
- Managed attributes: Custom attributes added to your data map by your organization.
- Sensitive information types (SITs): Defines the condition based on known SITs in an in-scope asset.
At Scope:
Select Includes for the simplest and most broadly inclusive rule.
If you want to tailor the condition to only actively processed data, select Process only as input, Processes only as output, or Processes for both input and output.
At Operator, select any of the.
At Data type, select one or more items from the list. The list values are determined based on your selection for Condition type.
Toggle on: Set the toggle to the On position if a specific relationship or type of related asset is critical to the condition you set; for example, when a rule should evaluate only a DataPipeline that is associated with a project, and not other assets that might also be related. Then make the following selections:
Select a Relationship that's defined in your data map between the asset you chose in step 2 and other Related asset types in your data estate.
Make your selections for Condition type, Scope, Operator, and Data type according to the instructions above.
Step 4. Select assessments to automatically assign when all the conditions of this rule are met
Select one of your organization's assessments from the Assessment dropdown menu, which will be assigned once the conditions you set are met.
Create rule and run an impact assessment
When you're finished with steps 1-4, you have two options for creating the rule:
Select Create and activate rule to create the rule and activate it. The rule runs, identifies any in-scope assets, and assigns assessments.
Select Create as draft and run impact assessment to create the rule and save it in a draft state. You can preview how it impacts any of your business activities by viewing the impact assessment for a draft rule:
- Select the rule you created on the Privacy rules page.
- Select the Impact history tab.
- View the details for each time the rule was run in its draft state.
Note
The impact assessment will not assign any assessments until the rule is turned on.
The Results column on the Impact History tab shows how many activities that met rule conditions were identified. Select See results to view more details in the Rule impact estimation flyout pane. If you're satisfied with the results, you can select Turn on rule to activate and run it, or select Edit to make changes to the rule.
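To make the condition semantics of steps 2 to 4 and the draft impact run concrete, here is a small constructed model of a privacy rule evaluated over a toy data map. This is an added example, not Priva's rule engine or the Purview Data Map API: the asset names, the relationship names ("uses", "references"), the classification labels ("PII.Email", "Financial.BankAccount") and the way Includes and the Process-only scopes are interpreted are all assumptions made for illustration. It shows how All versus Any combine the conditions, how the relationship toggle narrows which related assets count, and how a draft rule reports matches without assigning anything, like the impact assessment.

```python
# Constructed toy model of a privacy rule run over a small data map. Names, labels,
# relationships and the scope semantics are assumptions, not Purview's or Priva's.
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    asset_type: str                            # "Project", "DataPipeline", "Table"
    classifications: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)
    inputs: set = field(default_factory=set)   # asset names a process reads
    outputs: set = field(default_factory=set)  # asset names a process writes

@dataclass
class DataMap:
    assets: dict          # name -> Asset
    relationships: list   # (source name, relationship name, target name)

@dataclass
class Condition:
    condition_type: str       # "classification" or "attribute"
    values: set               # the "Data type" picks; any one present satisfies it
    scope: str = "includes"   # "includes" | "input" | "output" | "both"

@dataclass
class Rule:
    target_type: str          # Step 2: business asset type to evaluate
    match_mode: str           # Step 3: "all" or "any" of the conditions
    conditions: list
    assessment: str           # Step 4: assessment assigned on a match
    relationship: str = None  # toggle On: follow only this named relationship
    active: bool = False      # draft rules estimate impact and assign nothing

def related_assets(dm, name, relationship):
    """Assets linked from `name`, optionally through one named relationship only."""
    return [dm.assets[dst] for src, rel, dst in dm.relationships
            if src == name and relationship in (None, rel)]

def processed_assets(dm, proc, scope):
    """Data a process reads/writes under the given scope; tables contribute nothing."""
    names = set()
    if scope in ("input", "both", "includes"):
        names |= proc.inputs
    if scope in ("output", "both", "includes"):
        names |= proc.outputs
    return [dm.assets[n] for n in sorted(names)]

def labels_of(asset, condition_type):
    """Metadata of one asset as the label set a condition is matched against."""
    if condition_type == "classification":
        return asset.classifications
    return {f"{k}={v}" for k, v in asset.attributes.items()}   # "attribute"

def condition_holds(dm, target, cond, relationship):
    """One row of the condition builder, evaluated for one business asset."""
    related = related_assets(dm, target.name, relationship)
    # Includes: the asset itself plus everything related; process-only scopes: only the data those related processes touch.
    candidates = [target, *related] if cond.scope == "includes" else []
    for r in related:
        candidates += processed_assets(dm, r, cond.scope)
    return any(labels_of(a, cond.condition_type) & cond.values for a in candidates)

def evaluate_rule(dm, rule):
    """Matched target-type asset names, plus assignments only if active (a draft counts but assigns nothing)."""
    combine = all if rule.match_mode == "all" else any
    matched = [a.name for a in dm.assets.values() if a.asset_type == rule.target_type
               and combine(condition_holds(dm, a, c, rule.relationship) for c in rule.conditions)]
    assignments = {n: rule.assessment for n in matched} if rule.active else {}
    return {"matched": matched, "assignments": assignments}

# Constructed sample data map: two projects, two pipelines, four tables.
SAMPLE_MAP = DataMap(
    assets={a.name: a for a in [
        Asset("Marketing Analytics", "Project", attributes={"owner": "marketing"}),
        Asset("Payroll Modernization", "Project", attributes={"owner": "hr"}),
        Asset("CustomerExport", "DataPipeline", inputs={"Customers"}, outputs={"CampaignList"}),
        Asset("PayrollLoad", "DataPipeline", inputs={"Employees"}, outputs={"PayStubs"}),
        Asset("Customers", "Table", classifications={"PII.Email", "PII.Name"}),
        Asset("CampaignList", "Table", classifications={"PII.Email"}),
        Asset("Employees", "Table", classifications={"PII.Name"}),
        Asset("PayStubs", "Table", classifications={"Financial.BankAccount"}),
    ]},
    relationships=[
        ("Marketing Analytics", "uses", "CustomerExport"),
        ("Payroll Modernization", "uses", "PayrollLoad"),
        ("Payroll Modernization", "references", "Customers"),   # a lookup, not processing
    ],
)
EMAIL = Condition("classification", {"PII.Email"})
# Draft, toggle Off: every relationship counts, so the payroll project's lookup against Customers is in scope too.
DRAFT_BROAD = Rule("Project", "any", [EMAIL], "Marketing PIA")
# Active, toggle On ("uses"): only assets reached through that relationship count.
ACTIVE_USES = Rule("Project", "all", [EMAIL, Condition("attribute", {"owner=marketing"})],
                   "Marketing PIA", relationship="uses", active=True)
# "All" of two output-scoped conditions no single pipeline satisfies: the exclusionary case the Tip warns about.
EXCLUSIONARY = Rule("Project", "all",
                    [Condition("classification", {"PII.Email"}, "output"),
                     Condition("classification", {"Financial.BankAccount"}, "output")],
                    "Processing Review", relationship="uses", active=True)
```

Running `evaluate_rule(SAMPLE_MAP, DRAFT_BROAD)` matches both projects but returns no assignments, which is what the impact history of a draft rule shows. `ACTIVE_USES` matches only the marketing project, because following the "uses" relationship alone drops the payroll project's lookup against the customer table. `EXCLUSIONARY` matches nothing: each pipeline writes one of the two classifications but neither writes both, so requiring All of the conditions excludes everything; switching the same rule to Any matches both projects. That is the check to make when a rule's results don't show an asset you expect to be in scope.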
Verify that the rule works
You can verify whether the rule works as designed by seeing if an asset that meets the rule's conditions has the intended assessment assigned to it.
Go to the Assessment management page in privacy assessments, and then select the Assets tab. Select the asset name from the list, go to its Privacy page, and look for the assessment listed on the page. If you don't see the expected assessment, go back and edit the rule.
Tip
Rules run on a cadence. If you don't see an assessment assigned as expected, check back after several hours. If a rule's impact history or results don't reflect an asset that you believe to be in scope, evaluate the asset and any related data assets to ensure that they meet the conditions you defined in the rule. Evaluate all rule conditions to ensure that an exclusionary condition hasn't been created in error.