Configure the metamodel and register assets for privacy assessments (preview)

In preparation for creating privacy assessments, you need to register logical business assets (defined in the glossary) like a project in your data map and establish some basic relationships among your data in the Microsoft Purview metamodel. You can define your organization's metamodel in the Data Map using existing logical business asset types or creating your own and defining specific relationships between all asset types.

A privacy assessment is performed in relation to an asset in Microsoft Purview Unified Catalog, which most commonly represents a use of data as compared to a distinct data asset like a database. Once you register a project, you can assign a privacy assessment to it and define the physical data assets that are related to that project. These create a record in your data map that indicates that specific data assets are being used for a particular use case (e.g. your project).

This page explains how to configure data relationships in the metamodel and how to register assets so that you can assign them to privacy assessments.

Tip

Visit Terminology and concepts for descriptions of asset types commonly used for privacy assessments.

What is the metamodel?

The metamodel is a feature in the Microsoft Purview Data Map that allows for logical business concepts to be expressed and registered in Unified Catalog as business assets. These business assets can be related to actual data assets to provide context to your data.

The metamodel provides asset types that allow you to describe other important parts of your business. Predefined asset types can include projects, systems, products, organizations, and departments. Your organization can create new asset types that represent concepts that are important to you. Each asset type in the metamodel can have defined relationships with other asset types. For example:

  • An Organization asset has a department asset.
  • A Department asset owns a business process.
  • A System or Project business asset uses a database or has a data set, which creates the relationship between the business asset and the physical data asset types.

Note

Visit Microsoft Purview metamodel for more detailed information and examples to help you understand how the metamodel works.

Why do you need to configure the metamodel?

When you embark on a privacy review, you’re often evaluating how you're using personal data in a business process or project and determining whether it’s an appropriate use of that data.

The individuals or teams within your organization who will most likely configure the metamodel are those with responsibilities of curating what data a project is using, such as business or technical stakeholders of a project.

When you represent data use with a logical business asset and relate physical data to that business asset, you provide the context of the data use and the actual data that's being evaluated with a privacy assessment.

Register an asset

Registering an asset is necessary in order to assign it to a privacy assessment. Follow the steps below to register an asset:

  1. In privacy assessments, go to the Assessment management page.

  2. On the Assets tab, select Register asset.

  3. At Asset type, the default asset type listed is Project. Leave it, or select a different type from the dropdown menu.

  4. Enter a Name and an optional Description.

  5. Select the appropriate Domain and Collection from the dropdown menu.

  6. Go to Contacts on the left navigation and add yourself as an owner. This ensures you receive notifications about assessment activity, such as assessment assignment, approval, or decline.

  7. When done, select Create.

You can also create logical business assets from the Microsoft Purview Data Map and Unified Catalog.

You arrive at the details page for your newly created asset. Select Privacy from the left navigation in the asset, which is where any assessments related to that asset will be listed once an assessment has been assigned to it.

Microsoft Priva legal disclaimer