Asset Register

The Asset Register is where Data Protection Officers, IT administrators, compliance officers, and risk managers build and maintain the organisation's complete inventory of information assets — from SaaS applications and databases to physical storage devices. Getting your assets catalogued here is the essential first step before you can create ROPAs, run risk assessments, or link technical and organisational measures in DPMS.

The Asset Register sits at the heart of your DPMS setup. Every other compliance workflow — processing activities (ROPAs), risk scenarios, technical and organisational measures (TOMs), assessments, vendor relationships, and retention tasks — needs to be anchored to a concrete asset before it can be properly scoped and governed. Think of this screen as the foundation layer: you build your entire data-protection programme on top of it.

The register consists of two closely linked views: the index page, where you search, filter, and manage your full list of assets, and the detail view, where you dive into a specific asset and manage everything linked to it across multiple tabs. This article covers both.

How to open it

In the main left-hand sidebar, expand the Risk Management section and click Asset Register. The index page loads immediately showing all assets for your organisation.

You need at least read access to assets to see the menu item. Create and edit operations require write access. The Import button has its own additional permission — if you do not see it, ask your DPMS administrator to grant you the import permission.

If the menu item is not visible at all, your account does not yet have read access to assets. Contact your administrator.

What you see

When the index page loads, the screen is organised into three horizontal layers. At the very top is the page header — "Asset Register" on the left, and a Create button (plus an Import button if you have the right permission) on the right. Just below that is a row of status-filter tabs: All, Active, Draft, Inactive, and Review. These five tabs correspond to the lifecycle states an asset can be in, and clicking any one of them instantly narrows the list to only assets in that state.

Below the tabs is the search and filter bar, which stretches the full width of the page. You can type directly into it to search by name, or open the structured filter builder to combine multiple conditions — for example, "Responsible Person equals Maria Schmidt AND Type equals Cloud Service." The main body of the page is a data table where each row is one asset. The columns show the asset name, its type tags, responsible person(s), a colour-coded status badge, risk score (if a risk standard has been linked), group membership, and the date it was last updated.

In the upper-right corner, just above the table, there is an Asset view / Groups view toggle. Switching to Groups view reorganises the list to show asset groups instead of individual assets — useful when a risk manager wants to see the aggregated risk picture across a collection of related assets.

The detail view uses a different layout. On the left side is a collapsible tab menu listing all available sections (General, Risk, Assessments, External Recipients, and more). The main content area on the right shows the currently selected tab. Across the very top runs a breadcrumb strip — for example, Assets › Workday HRIS › General — with small chevron arrows to navigate to the previous or next asset without returning to the list.

Working with this screen

Registering a new asset for the first time

The most common starting point is when your organisation adopts a new system — say, a new HR SaaS tool — and you need to register it before you can link it to a ROPA or a risk assessment.

  • From the index page, click Create and then select Create Asset from the small dropdown that appears.
  • The creation form opens. Start by assigning a Responsible Person — the team member who is accountable for this asset day-to-day. Use the person-search field to find them by name.
  • Set the Status. If the tool is already live in your organisation, choose Active. If you are still setting it up, Draft is the right choice and you can activate it later.
  • Enter a clear Name — for example, "Workday HRIS" or "HR Database (on-premises)." This name appears in breadcrumbs across every linked ROPA, assessment, and report, so make it unambiguous.
  • Pick one or more Type tags (e.g. "Cloud Service," "Software Application"). These drive the filtering and reporting options elsewhere in DPMS.
  • Write a Description that explains what personal data the asset processes and why it exists.
  • Fill in the Location — for example, "AWS EU-West-1" or "Server room, Building A." This matters for cross-border transfer analysis.
  • Choose the Country from the dropdown.
  • If your IT asset management system has a reference number for this tool, paste it into the ID field. If there is a vendor homepage or internal wiki page, paste the link into the URL field.
  • In the Risk Owner section, assign the person who is accountable for managing risk — often the CISO or a senior manager. If that person acts on behalf of someone else (for example, a manager acting on behalf of a department head), use the On behalf of field below it. Note: the "on behalf of" person cannot be the same individual as the Risk Owner — the form will automatically clear the field if you accidentally select the same person twice.
  • Click Save. DPMS creates the asset and takes you straight to its detail view, where you can continue configuring it.

Reviewing and activating draft assets before an audit

Before a GDPR audit, a DPO typically needs to confirm that all key assets are complete, up to date, and in Active status. The status filter tabs and the prev/next navigation make this much faster than opening assets one by one from a long list.

  • On the index page, click the Draft tab. The table now shows only assets that have not yet been activated.
  • Click any row to open that asset's detail view.
  • Glance at the Responsible Person shown in the detail header at the top right. If it shows a former employee, click the person picker right there in the header — no need to go into the full edit form — and reassign it to the current owner. The change saves immediately.
  • Review the General tab. If the description is outdated, click the description text directly. It will turn into an in-place rich-text editor. Make your corrections and click the small save icon that appears. This saves that single field right away.
  • In the status dropdown in the detail header, change Draft to Active. Again, this saves immediately — no extra Save button needed.
  • Use the ◂ ▸ chevron arrows in the breadcrumb strip to step directly to the next Draft asset in the list, and repeat the process.

Tip: The prev/next chevrons respect whatever filter is currently active on the index page. If you filtered to Draft assets, the arrows only step through Draft assets — meaning you can work through every Draft asset in sequence without ever going back to the list.

Linking a risk standard and setting up risk management

A freshly created asset has no risk configuration yet. Until you link at least one risk standard, the Risk tab will appear empty and the threshold, risk scenarios, and treatment plan sections will not be available. Here is how to get them set up.

  • Open the asset's detail view and click Risk in the left-side tab menu.
  • In the Risk overview card, click the Edit button. This takes you to the edit form's Standards tab.
  • In the Standards multi-select field, choose the risk model that applies to this asset — for example, "ISO 27001 Risk Model." If this asset belongs to a collection of related assets, also assign it to an Asset Group.
  • If this particular asset needs its own separate risk calculation rather than inheriting the group's settings, switch on the Asset-Specific Risk Management toggle.
  • Click Save and return to the detail view. The Risk tab now shows a sub-tab for each standard you linked. Click the standard's sub-tab name.
  • The Threshold section appears at the top. Click Edit beside the threshold heading and drag the slider to set the mitigation threshold — the risk score above which a scenario is considered to require a treatment plan. Save your change.
  • From here you can add risk scenarios, link TOMs, and create a treatment plan, all within the same sub-tab.

Investigating who changed an asset and when

If you notice that an asset's status has changed unexpectedly — for example, a critical system has moved from Active to Inactive — the Activity Log gives you a complete, timestamped record of every field-level change ever made to that asset.

  • Open the asset's detail view.
  • Look for the clock icon (↺) in the upper-right corner of the content area. Click it.
  • The Activity Log drawer slides in from the right side of the screen.
  • Scroll through the list of change events. Each entry shows the exact date and time, the name of the user who made the change, which field was changed, and the before and after values — for example, "status: active → inactive."
  • Click anywhere outside the drawer, or the close button, to dismiss it and continue working.

Heads up: The Activity Log icon is only visible if you have read access to the asset and the asset belongs to your own organisation. If you are viewing an asset that has been shared into your organisation from an external portal, the clock icon will not appear — this is an intentional access control, not a software issue.

Field reference

The following fields appear on the asset creation and edit form. Fields marked as required must be filled before you can save.

  • Name — The display name of the asset. Appears in breadcrumbs and all linked objects. Required. Use something specific enough to be unambiguous across your entire asset inventory.
  • Type — One or more category tags (e.g. "Software Application," "Database," "Physical Device"). Not required, but strongly recommended — these tags drive filtering in the asset list and in linked tables on ROPAs. Values come from the Asset Type taxonomy in Compliance Settings.
  • Responsible Person(s) — The DPMS user(s) accountable for the ongoing management of this asset. Can be changed from the detail header without going into the edit form.
  • Status — The lifecycle state: Draft, Active, Inactive, or Review (plus any custom statuses your administrator has configured). Required. Defaults to your organisation's configured default (usually Draft).
  • Description — Free-text explanation of what the asset is and what personal data it processes. Supports rich text. Can be edited inline on the detail view.
  • Location — Physical or logical location of the asset (e.g. "AWS Frankfurt region," "Server room B"). Relevant for transfer-impact assessments.
  • Country — The country where the asset primarily resides. Used in cross-border transfer analysis.
  • ID — Your organisation's own reference number for this asset (e.g. from an IT asset management system). Optional but useful for traceability.
  • URL — A hyperlink to the vendor's website, an internal wiki page, or a system portal. Appears as a clickable, copyable link on the detail view.
  • Risk Owner — The person accountable specifically for risk governance on this asset. May be different from the Responsible Person.
  • On behalf of — If the Risk Owner acts on behalf of another person (e.g. a deputy), that person goes here. Cannot be the same individual as the Risk Owner — the form clears this field automatically if they match.

How this connects to the rest of DPMS

The Asset Register is the central node of your DPMS data model. Once an asset exists, every other module can reference it:

  • ROPAs (Processing Activities): When you add assets to a ROPA, you are identifying which systems support that processing activity. Without registered assets, you cannot properly scope your ROPA.
  • Risk Scenarios and Risk Dashboard: Risk scenarios are calculated against assets. The Risk Dashboard will be empty until assets are linked to risk standards.
  • TOMs (Technical and Organisational Measures): TOMs are linked to assets to show which controls protect which systems.
  • Assessments and DPIAs: Assets linked to ROPAs determine which processing activities are subject to DPIA-level risk assessments.
  • Vendors (External Recipients): The External Recipients tab on an asset shows which vendors process data on behalf of this system, linking directly to the vendor detail views.
  • Data Deletion Tasks: The Data Deletion Tasks tab links retention schedules and deletion tasks directly to the asset.

After setting up your assets, the natural next steps are to link them to your existing ROPAs, assign risk standards and configure thresholds in the Risk tab, and check that every asset has a responsible person and a meaningful description.

Tips & common pitfalls

Heads up: If the Risk tab looks empty when you first open it, this is expected — you need to go into the edit form's Standards tab and link at least one risk standard before the threshold, risk scenarios, and treatment plan sections become available. Many users assume something is broken; it simply hasn't been configured yet.

Tip: You can change an asset's status, responsible person, and priority directly from the detail header without opening the full edit form. These three fields save immediately when you change them, so there is no need to click a separate Save button.

  • The "On behalf of" field resets silently. If you set the same person as both Risk Owner and On behalf of, the form automatically clears the On behalf of field. The same happens if you later change the Risk Owner to the person you had set in On behalf of. Watch for this if your risk governance structure is complex.
  • Prev/next navigation only shows assets matching your active filters. If you filtered by "Status = Draft" and then step through assets using the chevrons, you will only see Draft assets. If another user changes an asset's status while you are navigating, it may silently drop out of your sequence.
  • Asset-Specific Risk Management is off by default for assets in groups. If an asset belongs to a group, it inherits the group's risk configuration unless you explicitly switch on the Asset-Specific Risk Management toggle in the edit form. Without this, changes you make to the asset's individual risk scenarios will not affect its own risk score.
  • Inline description edits are saved immediately and independently. When you click the description text on the General tab and edit it in place, that change is committed to the database the moment you click the save icon — even if you are about to cancel another form on the same page. There is no "undo" from the UI; use the Activity Log to track what was changed.
  • The Import button only accepts .json files. If you are trying to import asset data from a spreadsheet, you must first convert it to the DPMS JSON export format. A good starting point is to export an existing asset from another DPMS instance to get the correct schema, then adapt your data to match it.

