Building your intake process in TerraTrue

As we discussed in the previous articles, the core components of a TerraTrue launch are:

  • The Data Spec
  • The Privacy Worksheet

We also covered how the Data Spec contains taxonomy questions. These collect structured data that powers your reviews and reporting. While taxonomy questions can’t be removed from a Data Spec, you can add additional questions to ensure you collect all the context needed for a review. 

The Data Spec is generally filled out by the business user. For example, if a Product Manager wants to build a new feature that’s going to use data in a new way, they would create a launch in TerraTrue and fill in the Data Spec. This gives reviewers the information they need to determine whether there are any potential risks or concerns that should be addressed.

In this scenario, the Product Manager would:

  • Create a TerraTrue launch
  • Fill in a Data Spec

And once the Data Spec is complete, reviewers would be notified that the launch is ready to review. 

💡  This step of creating a launch → completing a Data Spec is your intake process. 

Introducing: Screeners

Let’s say you start out encouraging your business users to create a launch any time they’re working on something that touches personal data. 

But what if your business users aren’t always sure whether or not their launch requires a full review? 

You can create a set of screening questions that appear after the launch is created, but before the Data Spec appears. These questions can be as simple as "Does this launch use personal data?", or they can include 20+ questions to help you determine the level of risk that may be present in this initiative.

Screening questions are built using a Custom Workflow. You simply configure the custom workflow to appear at launch creation.

⭐ Here’s why this is so helpful:

Custom workflows allow you to build triggers that can fire based on certain responses. There are triggers unique to launch creation custom workflows that can seriously help you streamline your intake process:

  1. Mark a Data Spec as not required - let’s say your business user is building a new feature and wants to make sure they’re doing their due diligence. They answer a screening question about whether or not this feature is using previously reviewed data types. If it is, there's no need to review these data types again, so you build a trigger that automatically marks the Data Spec as not required based on this response.
  2. Mark a review as not needed - similarly, you can set up a trigger that marks a review team as not needed. For example, if a new product is not collecting any new types of data, but it does require a code change that the security team considers potentially risky, you could mark the privacy team as 'Not Needed' while prompting the security team to follow up with a review. 

Setting up a screener with triggers like this is a powerful way to triage your launches, and only spend time reviewing what’s most important. 

This becomes even more powerful when you combine a screener with our Jira integration. You can have your business users automatically create a launch from Jira and pre-populate screening questions directly from Jira. If no Data Spec or review is needed, your business user never has to leave Jira, while you still get visibility in TerraTrue into what they're building. We'll cover this in more detail in the next article.

In summary, your intake process in TerraTrue is a combination of:

  1. Creating a launch, and filling in launch details such as title, description, links, etc.
  2. Optional: building a screening workflow that helps you determine potential risk, and whether further review is needed
  3. The Data Spec, which collects structured data to power your reporting and allows you to add your own custom questions as well. 

Once intake is complete, the next step is for reviewers to step in. We’ll cover that in the next article. 
