Privacy subject detail — identity, records of processing (GDPR Art.30 ROPA), and the subject's assessment and incident history

Last updated: July 12, 2026 by Steve

Privacy Subject Details

A privacy subject is the durable, reusable thing your office assesses — a program, system, initiative, data-sharing arrangement, process change, or technology adoption — and it is shared across every assessment and incident that touches it. The subject detail panel is where you maintain the subject's identity and its GDPR Article 30 Record of Processing Activities (ROPA), and where you review its assessment and incident history. The panel is fully editable when you open it from the Subjects directory and read-only when you drill into it from an assessment. It has three tabs: Details, Assessment history, and Incident history.

Opening a Subject

Open a subject from the Subjects directory (click a card) to edit it, or click the subject name inside an assessment to drill in read-only. Because subjects are shared, durable records, they are always edited from the directory — you cannot rename or re-key a subject from inside a single assessment.

Privacy subject detail panel (screenshot placeholder — capture: the Details tab showing the Identity block and the Records of processing block, with the sidebar status picker and assessment/incident roll-up cards)

The Identity Block

The Details tab opens with two per-section editable blocks, each with its own pencil. The first is Identity, which records:

  • Name
  • Type — Program, System, Initiative, Data-sharing arrangement, Process change, or Technology adoption
  • Status — the subject's own status
  • Business owner
  • Lead program manager
  • Description

Free-text fields support optional per-language translations. The sidebar carries a quick status picker and roll-up cards summarizing the subject's assessments and incidents.

Records of Processing (ROPA)

The second block on the Details tab is the Records of processing (ROPA) record for GDPR Article 30. It captures:

  • Processing purpose — why the personal data is processed.
  • Lawful basis — the legal basis relied on for the processing.
  • Categories of personal data — the types of personal data involved.
  • Categories of data subjects — the groups of people the data concerns.
  • Recipient categories — who the data is disclosed to.
  • Retention period — how long the data is kept.
  • Security measures — the safeguards protecting the data.
  • Hosting location — where the data is hosted.
  • International transfer — a flag that, when set, reveals a transfer safeguards field describing the protections for cross-border transfers.

The categories of personal data, categories of data subjects, and recipient categories lists are configurable taxonomies drawn from Settings. Free-text fields support optional per-language translations.

Assessment History

The Assessment history tab lists every assessment ever run on this subject. Use New assessment to launch a re-assessment on the same subject — the subject is pre-filled and locked on the create dialog. See Creating Assessments.

Incident History

The Incident history tab lists the incidents linked to this subject. Use Create incident (needs the incident-report permission) to open the report dialog with this subject already linked to the new incident. See Creating Incidents.

Subject assessment and incident history (screenshot placeholder — capture: the Assessment history tab listing prior assessments with the New assessment button, and the Incident history tab with the Create incident button)