Help Center
News
Help Center
News
Sign in
Document
Documents & PoliciesQuestionnairesControls & Technical and Organizational Measures (TOMs)Report ExplorerAsset RegisterFrameworksRecord of Processing Activities (ROPA)Exporting your ROPAVendorsImpact Assessments (IA)Legitimate Interest DocumentationsMeetings & ActivitiesRetentions & Deletions PeriodsData Collection Point (DCP)Add documents to vendors
DPIA
Assessments
ROPA
Assets
International Standards & Frameworks
TOMs & Controls
Categories & Attributes
Categories overview
Data Collection Points
Legal Basis
Legitimate Interest
Documents & Policies
Retention & Deletion
Data Flow
Vendors
Questionnaires
Manage
Process Risk OverviewData Flow Map
Dashboards
AI Assistance & Automation
Projects
Tasks
Meetings & Activities
Workflows & Automations
Reporting
React & Resolve
TasksProjectsIncidents & BreachesData Subject Requests
Risk Scenarios & Treatments
Incidents & Breaches
Release Notes
Q2 2026
Q1 2026
Q4 2025
Q3 2025
Q2 2025
Q1 2025
Q4 2024
Q3 2024
Q2 2024
Q1 2024
Q4 2023
Q3 2023
Q2 2023
Q1 2023
Q4 2022
Q3 2022
Getting Started
Quickstart GuideQuestionnairesTasksProcess Risk OverviewIT SettingsFrameworksThe Information Security / Asset Risk ModelData Subject RequestsDownloading an elementLegitimate Interest DocumentationsAssigning Audiences to ElementsDocuments & PoliciesControls & Technical and Organizational Measures (TOMs)General SettingsCreating attributes that fit your industryDocument list for onboardingThe Data Protection Risk ModelIncidents & BreachesProjectsManaging audiencesAdd documents to vendorsHow to answer an assessment/questionnaireSetting up the first organization or companyData Collection Point (DCP)Use AI to create elementsSetting Risk models in General SettingsSharing ElementsHow can a user change the language?Data Flow MapRecord of Processing Activities (ROPA)Time MachineCreate and evaluate assessments Company Widget FeatureAsset RegisterVendorsImpact Assessments (IA)Creating organizational unitsExporting your ROPAMeetings & ActivitiesTerms for legitimate processingRetentions & Deletions PeriodsHow to create a new user and how to change the password for loginReport ExplorerMaturity modelAdding risk scenarios to assets or asset groupsRelevant Risk SzenariosPriverion GRC Platform overviewDocument list for onboardingHow can a user change the language?Setting up the first organization or companyCreating attributes that fit your industry
User account
Sharing & Group functions
Features
How-To Guides & Tips
Get Help
Legal
Settings
General Settings
Compliance settings
Identity and access management
IT Settings
Risk Settings

Categories overview

Explore platform-wide categories used to classify elements and attributes.

Categories Overview

The Categories screen is your organisation's central catalogue of personal data classification labels. Compliance officers, Data Protection Officers (DPOs), and compliance coordinators come here to define, review, and maintain the types of personal data — such as "Health Data," "Financial Data," or "Contact Information" — that are referenced throughout the entire compliance programme. Without a well-maintained categories list, colleagues filling in processing activity records have no structured labels to choose from, which undermines the consistency and auditability of your ROPA.

How to open it

In the main left-hand navigation, open the ROPA section. The Categories entry appears as a sub-item within the ROPA navigation group. Click it to go directly to the list — no additional tabs or sub-menus are required. The screen loads immediately at /categories.

Heads up: You need at least read permission on categories to see this screen. If the menu item is not visible, your administrator has not yet granted you access. If you navigate directly to the URL without sufficient permissions, DPMS will show an access-denied page. Creating or editing categories requires the corresponding write permission.

Screenshot

What you see

When the screen loads, the familiar DPMS layout wraps a central content area with two key areas. At the top right of the content area sits a prominent Create button — this is your entry point for adding new categories. Below it, the main body is a scrollable data table that lists every personal data category your organisation has defined so far.

The table has two columns. The Name column shows the human-readable label for each category (for example, "Health Data"). The Regulations column shows the applicable legal frameworks — such as GDPR or CCPA — that have been mapped to each category. On the right side of every row, a set of small action icons lets you edit or delete that category directly from the list without having to open its full detail page.

If your organisation has not yet defined any categories, the table body will be empty and only the column headers will appear. This is your prompt to get started.

Working with this screen

Adding a new personal data category

The most common reason you come here is to add a category that does not yet exist — for example, before documenting a new processing activity involving biometric data.

  • Click the Create button in the top right. A small drop-down menu appears with the available creation options. Select the option to create a new category manually.
  • DPMS navigates you to the category creation form. In the Name field, type a clear, descriptive label such as "Biometric Data." Good names are precise and recognisable to anyone on the compliance team.
  • Open the Regulations multi-select dropdown and choose all applicable legal frameworks — for instance, "GDPR" and any other laws your organisation has configured. If no regulations have been set up yet in your compliance settings, only a "No Regulation" fallback option will appear; in that case, configure your applicable laws first under the relevant settings area and then return here.
  • Click Save. DPMS creates the new category and navigates you to its detail page. From this moment on, "Biometric Data" will appear as an option whenever a colleague selects categories in a ROPA entry, vendor record, or assessment data mapping.
Tip: The Regulations field is not required — you can save a category with no regulation assigned. However, unmapped categories will not appear in regulation-specific compliance reports, so always map them as part of the creation step.

Updating an existing category's regulation mapping

During audit preparation, you may discover categories that were created without a regulation mapping, or that need to be linked to an additional framework.

  • On the categories list, find the row with an empty or incomplete Regulations column. Click anywhere on that row to open the category's detail view.
  • From the detail view, use the edit function to open the edit form. Alternatively, you can click the edit icon in the trailing action controls on the right side of the row in the list itself — this takes you directly to the edit form without opening the detail view first.
  • In the Regulations multi-select, add or adjust the applicable laws — for example, adding "GDPR" and "Swiss FADP."
  • Click Save. DPMS updates the record immediately. The corrected mapping is now reflected in the list view and will flow through to every ROPA entry and report that references this category.

Checking for duplicate or overlapping categories

Before a quarterly review cycle, it is good practice to scan the list for near-duplicate category names — for example, "Contact Info," "Contact Details," and "Contact Data" all meaning the same thing.

  • Navigate to the categories list. Use the search and filter bar at the top of the table to type a keyword such as "contact." The list narrows to show only matching entries.
  • Review the results. If you find a duplicate, decide which name is the canonical version. Use the trailing action controls on the redundant row to either delete it or click the edit icon and rename it to align with the preferred label.
  • Keeping your catalogue clean here has a direct effect on reporting quality: if colleagues select different labels for the same type of data, your ROPA entries become inconsistent and harder to audit.
Heads up: Before deleting a category, check whether it is currently referenced by any ROPA entry, vendor record, or assessment. The list screen does not display an inline warning about downstream references. Deleting a category that is in active use may leave those records with a missing or broken classification.

Reviewing which categories are mapped to a specific regulation

New team members — or anyone preparing a regulation-specific compliance report — often need to know at a glance which categories are already linked to a particular framework such as GDPR.

  • Navigate to the categories list and use the filter or search bar to filter by the regulation name, for example "GDPR."
  • The table narrows to show only categories that include GDPR in their Regulations column. Review the list and note which types of personal data are covered.
  • Use this information when filling in ROPA entries, or pass the list to whoever is preparing the regulatory report. Any categories that should be GDPR-relevant but show as blank in the Regulations column can be corrected using the edit controls.

Field reference

The category creation and edit forms contain the following fields:

  • Name — The label for this type of personal data (for example, "Health Data" or "Identification Data"). This is required. A blank or whitespace-only name is not accepted when saving an existing category — DPMS will show an error and block the save. Choose a name that is clear and agreed upon within your compliance team.
  • Regulations — A multi-select list of the applicable data protection laws and frameworks (such as GDPR, CCPA, or Swiss FADP) that govern this type of data. This field is not required, but leaving it blank means the category will not be included in regulation-specific gap analyses or reports. The options available here come from the applicable laws your organisation has configured in the compliance settings area. If only "No Regulation" appears, set up your applicable laws in settings first. Selecting "No Regulation" explicitly is a valid choice when a category genuinely falls outside any configured regulatory framework — this is different from simply leaving the field empty.

How this connects to the rest of DPMS

The categories you define here act as shared vocabulary across every module in DPMS. ROPA entries are the most direct consumer: when a colleague creates or edits a processing activity, they select from this list to describe what type of personal data is involved. A missing or vaguely named category here means a vaguely documented ROPA entry downstream.

Vendor records and assessment data mapping workflows also draw from this same list, so a gap here affects multiple modules simultaneously. If a category does not exist, there is no structured way to flag that a vendor or assessment involves that type of data.

Regulation-based reporting and compliance gap analyses across DPMS rely on the regulation mappings stored on each category. Unmapped categories will simply not appear in reports filtered by a specific law, which can make your organisation appear less complete in its compliance documentation than it actually is.

After maintaining this list, the natural next step is to open the ROPA module and verify that your processing activity records are using the correct, up-to-date category labels. If you have just added categories for a new regulation, consider running a filtered view of your ROPA to identify entries that should now reference those new labels.

Tips & common pitfalls

Tip: Make it a habit to map regulations at the time you create a category, not later. The list view makes blank Regulations cells immediately visible, but correcting them in bulk after many categories have accumulated takes significantly more time.
Heads up: Deleting a category from this screen does not automatically remove it from ROPA entries, vendor records, or assessments that already reference it. Always check downstream usage before deleting. There is no inline warning on the list screen about how many records reference a given category.
  • Empty Regulations field is silent. DPMS will save a category with no regulation assigned without any warning. This is intentional — some categories may genuinely have no applicable regulation — but it is easy to accidentally leave this blank and only notice months later when a report is incomplete.
  • Applicable law options depend on your organisation's settings. If the Regulations dropdown only shows "No Regulation," it means your organisation has not yet configured its applicable laws under the compliance settings area. Configure those first; otherwise, any categories you create will have no law options to select.
  • "No Regulation" is not the same as leaving the field blank. Selecting "No Regulation" is an explicit statement that no framework applies. Leaving the field blank means the question has not been addressed. Be deliberate about which you choose.
  • The back button after saving may return you to an unexpected location. If you arrive at the category creation form from inside an assessment review rather than directly from the ROPA or categories list, the back link after saving will return you to that assessment — not to the categories list. This is intentional context-aware navigation, but it can be surprising if you opened the creation form in an unusual sequence.
  • Category names must not be blank when editing. If you open an existing category and try to save it with an empty name, DPMS will block the save and show a validation error. You cannot "clear" a category name this way.


Was this article helpful?

English
Powered by Product Fruits