The Applications & Systems module in Secure Privacy's Governance Solution gives your organization clear, real-time visibility into every system, application, and infrastructure component that processes personal data. Maintain a live system inventory, assign ownership, track privacy controls, and monitor risk scores — supporting GDPR Article 30 ROPA requirements and ongoing privacy and security governance.
Who Is This For?
IT administrators maintaining a complete inventory of all systems that process personal data across the organization
Privacy officers tracking which systems handle sensitive or special category information and their associated compliance status
Security teams monitoring system risk levels, privacy controls, and compliance review history
Accessing the Systems Module
From the left sidebar in the Governance Solution, navigate to Data Management > Systems. The main view displays a filterable, searchable table of all registered systems.
Building Your GDPR System Inventory
Manual entry
Click + Add System and complete the system record with the following fields:
Field |
Description |
Example |
|---|---|---|
Name |
System or application name |
"Salesforce CRM" |
Category |
Type of system |
CRM, Analytics, HR, Cloud Storage |
Type |
System deployment classification |
SaaS, On-Premise, Hybrid |
Status |
Current operational status of the system |
Active, Under Review, Decommissioned |
Launch Date |
Date the system was deployed or activated |
2024-01-15 |
Impact |
Privacy impact level of the system |
High, Medium, Low |
Data Types |
Categories of personal data processed by the system |
Contact Info, Financial, Health |
Privacy Controls |
Technical controls currently in place for the system |
Encryption, Access Control, DLP |
Bulk import
Click Import to upload multiple systems at once from a structured file. This is the recommended approach when migrating an existing system inventory from spreadsheets or other compliance tools.
System Owner Assignment
Every system should have a designated owner responsible for maintaining its compliance status and responding to privacy and security obligations. Assign owners from your organization's member list in the Members module. System owners automatically receive notifications about:
Upcoming review dates for their assigned systems
New risks linked to their systems in the Risk Management module
Tasks assigned to them in relation to their systems
System Risk Scoring
The Governance Solution generates a system-specific risk score for each registered system, calculated based on:
Types and sensitivity of personal data processed by the system
Privacy and security controls currently in place
Number and severity of risks linked to the system in the Risk Management module
Compliance status and review history — including how recently the system was last assessed
Filtering and Exporting the System Inventory
Use Filters to narrow the system inventory view by category, type, status, impact level, or data types. Click Export to download the full system inventory for audit submissions, regulatory reporting, or ROPA documentation purposes.
System Inventory Best Practices
Register all systems that process personal data — including third-party SaaS tools
Many GDPR compliance gaps originate from unregistered third-party applications. Ensure every SaaS tool, cloud service, and on-premise application that touches personal data is recorded in the inventory — including marketing platforms, HR systems, and analytics tools.
Review the system inventory quarterly
Systems are regularly added, changed, or decommissioned. A quarterly inventory review identifies new systems that have not yet been registered and flags decommissioned systems whose records should be updated — keeping your ROPA accurate and current.
Assign clear ownership for every system
Unowned systems create compliance blind spots. Every system in the inventory should have a named owner who is responsible for its review schedule, risk monitoring, and task completion — ensuring accountability is never ambiguous.
Link systems to related processes in the Process Register
Connecting system records to their associated processing activities in the Process Register creates end-to-end data flow visibility — from the system processing personal data through to the documented processing activity in your ROPA, and any linked risk assessments or DPIAs.
Next Steps
Link registered systems to processing activities in the Process Register for full ROPA traceability
Track system-specific privacy and security risks in the Risk Management module
Review system inventory status and risk distribution through Reporting & Analytics
Frequently Asked Questions
Does the system inventory support GDPR Article 30 ROPA requirements?
Yes. The Applications & Systems module captures the system-level detail that underpins an accurate Record of Processing Activities — including data categories processed, privacy controls in place, and system ownership. Linking system records to process entries in the Process Register creates the complete, structured ROPA documentation required under GDPR Article 30.
What is the difference between the Systems module and the Process Register?
The Systems module inventories the technical systems and applications that process personal data — capturing what the system is, who owns it, what data it handles, and what controls are in place. The Process Register documents the processing activities themselves — the purpose, lawful basis, data categories, and retention periods. The two modules complement each other: systems feed into processes, and together they form a complete ROPA.
Can the system risk score be used to prioritize DPIA pre-screening?
Yes. Systems with high impact ratings and elevated risk scores are strong candidates for DPIA pre-screening under GDPR Article 35. Your DPO can use the system risk score alongside the data categories and privacy controls recorded in the inventory to determine whether a full DPIA is required before or during a system's deployment or significant change.