
Conducting Privacy Assessments

Updated this week

Feature availability: You need to be on a current Vanta plan and have a privacy framework enabled to use Privacy Management features.

Privacy assessments are a part of Privacy Management in Vanta. Use the Assessments page in Vanta to create, review, approve, and manage privacy assessments like Data Protection Impact Assessments (DPIAs), Legitimate Interest Assessments (LIAs), and Transfer Risk Assessments (TRAs) directly in the platform. Assess privacy risks in your data processing activities to meet regulatory requirements.


Creating a privacy assessment

To create a privacy assessment:

  1. On the Assessments page, click the Create assessment button.

  2. Select the type of assessment to create: Data Protection Impact Assessment, Legitimate Interest Assessment, or Transfer Risk Assessment.

  3. Fill out the required fields: Name and Processing description.

  4. Click the Create button.

  5. Add risk scenarios that have been identified as part of the assessment.

  6. Optionally, link processing activities in your data inventory to this assessment.

  7. When you’re ready, submit the assessment for approval.


Editing a privacy assessment’s details

A privacy assessment can be edited when it is in a draft state, before it has been submitted for approval.

If you want to make changes to an existing assessment that's been Approved, you need to create a new version of the assessment—click the ••• three dots at the top right-hand corner of the assessment, and select Create new draft.

Filling out the assessment

Different types of assessments have different questions about the nature of the processing that you’re performing.

For a Data Protection Impact Assessment, you should document how your project affects data subjects and their personal data. For a Legitimate Interest Assessment, you should document the justification of your processing. For a Transfer Risk Assessment, you should document how data is transferred across boundaries.

For all types of assessments, you should link processing activities in your data inventory and document the associated risks.

Linking processing activities

To give additional context to a processing activity, you can link it to an assessment. This lets you see all related assessments directly from the processing activity, and shows those assessments together.

Processing activities can be linked to assessments at any time, including after the assessment has been approved.

To link a processing activity to an assessment:

  1. In the Linked activities section at the top right-hand corner of the screen, select the + plus icon.

  2. Search or scroll to select one or more processing activities to link to the assessment.

Linking risk scenarios

Assessments often describe the risks a particular processing activity poses to data subjects, to the business, or both. To describe the risks in a processing activity, you can add risk scenarios that describe the inherent risk, the treatment plan, and the residual risk of a scenario.

You may want to use a separate risk register for privacy risks.

To add a risk scenario to an assessment:

  1. Create the risk scenario first, describing the likelihood and severity of the risk, mitigation plans, and residual risk.

  2. In the Risk scenarios section at the bottom of the assessment, select the Add risk scenario button.

  3. Search or scroll to select a risk scenario, then select the Add button. You can add multiple risk scenarios to an assessment.


Submitting privacy assessments for approval

When you have completed the assessment, added risks, and documented any consultations with internal or external stakeholders, it should be submitted for approval to the relevant stakeholders.

Submitting for approval

Once an assessment is submitted for approval, it cannot be edited. If you need to make changes to an assessment while it is being approved, one of the approvers should reject the approval.

You can select yourself as an approver. You will not need to make an approval decision if you select yourself—you'll automatically approve the assessment.

To submit an assessment for approval:

  1. Select the Submit for approval button at the top right-hand corner of the assessment.

  2. Select one or more approvers for the first step of the approval process. Each of these approvers will be notified immediately.

  3. If you want to have an additional approval step, click the Add new approval step button. You can select one or more approvers for the next step. Each of these approvers will be notified once the previous step has been completed.

  4. When you have identified all approvers and steps, select the Submit for approval button.

Approvers must be users in Vanta. If you need consultation or approval from someone who is not a Vanta user, that should be documented separately in the assessment text.

Making an approval decision

When you have been assigned as an approver for an assessment, you will be notified in the My Work area. You should read the assessment and then decide whether to approve it or reject it.

To make an approval decision:

  1. Select the Submit approval decision button in the top right-hand corner of the assessment.

  2. Select the Approve button if you want to approve the assessment. If there are additional approvers, the assessment will require their decision as well.

  3. Select the Declined button if you want to decline the assessment. It will be returned to a draft state so that the owner can make the necessary changes.


Periodically reviewing assessments

You should update assessments when changes occur, but you may also want to review assessments periodically to ensure that they are up to date and that controls are still effective.

Assessments in Vanta have a review date that is set one year from the approval of an assessment, but this date can be changed.

Assigning an owner

The assessment owner will be notified when it is time to review the assessment. By default, the person who created an assessment is the owner of the assessment.

You can change an assessment’s owner at any time, including after it has been approved.

To change the owner:

  1. Select the Owner at the top of the assessment (or select Unassigned if there's no owner assigned).

  2. Search or scroll to find the new owner for the assessment.

  3. Click on their name to make them the assessment owner.

Selecting a review date

The review date is set for one year after the approval of an assessment. This is indicated at the top of an approved assessment.

To change the review date:

  1. Select the review date at the top of the assessment.

  2. Scroll to find the new review date for the assessment.

  3. Click on the day to set it.


Managing assessments

Your assessment list will show the complete list of privacy assessments in your organization. The list will show the name and type of assessment, its risk level, its status, owner, and approvers.

Viewing and filtering

On the Assessments page, use the tools above the table to search and filter your assessment list.

Select an assessment from the list to view the complete assessment.

Assessment status

Each assessment has one of the following statuses:

  Draft: An assessment has been started, but is not yet complete. Once the assessment is finished, it should be sent for approval.

  Pending approval: An assessment has been completed and sent for approval. The assessment cannot be edited while it is pending approval. If you want to make changes to the assessment, an approver should reject the assessment.

  Approved: An assessment has been completed, and all approvers have accepted the assessment. The assessment cannot be edited, but a new version of the assessment can be created to reflect changes to the processing activity or risks.

Reviewing assessment history

To see older versions of an assessment, click the History tab when viewing the assessment. You will see the previous versions of an assessment, ordered chronologically.

You can view a prior version by clicking on it. When you’re viewing an outdated version, there will be a banner at the top of the page telling you that it is not the newest version of the assessment, and that a newer version exists.

Deleting an assessment

Please note: Deletion is permanent. Once an assessment is deleted, it cannot be recovered.


You can delete an assessment, including all historic versions and information about its approval state. When you delete an assessment, it will no longer be linked to processing activities.

Deleting an assessment does not delete risks that were added to it.

To delete an assessment:

  1. On the Assessments page, on the right-hand side of the assessment that you want to delete, click the ••• three dots.

  2. Click Delete.

  3. A pop-up modal will ask you to confirm that you want to delete the assessment—click the Delete button.