Help Center
News
Help Center
News
Sign in
Document
Documents & PoliciesQuestionnairesControls & Technical and Organizational Measures (TOMs)Report ExplorerAsset RegisterFrameworksRecord of Processing Activities (ROPA)Exporting your ROPAVendorsImpact Assessments (IA)Legitimate Interest DocumentationsMeetings & ActivitiesRetentions & Deletions PeriodsData Collection Point (DCP)Add documents to vendors
DPIA
Assessments
ROPA
Assets
International Standards & Frameworks
TOMs & Controls
Categories & Attributes
Data Collection Points
Legal Basis
Legitimate Interest
Documents & Policies
Retention & Deletion
Data Flow
Vendors
Questionnaires
Manage
Process Risk OverviewData Flow Map
Dashboards
AI Assistance & Automation
Projects
Tasks
Meetings & Activities
Workflows & Automations
Reporting
React & Resolve
TasksProjectsIncidents & BreachesData Subject Requests
Risk Scenarios & Treatments
Incidents & Breaches
Release Notes
Q2 2026
Q1 2026
Q4 2025
Q3 2025
Q2 2025
Q1 2025
Q4 2024
Q3 2024
Q2 2024
Q1 2024
Q4 2023
Q3 2023
Q2 2023
Q1 2023
Q4 2022
Q3 2022
Getting Started
Quickstart GuideQuestionnairesTasksProcess Risk OverviewIT SettingsFrameworksThe Information Security / Asset Risk ModelData Subject RequestsDownloading an elementLegitimate Interest DocumentationsAssigning Audiences to ElementsDocuments & PoliciesControls & Technical and Organizational Measures (TOMs)General SettingsCreating attributes that fit your industryDocument list for onboardingThe Data Protection Risk ModelIncidents & BreachesProjectsManaging audiencesAdd documents to vendorsHow to answer an assessment/questionnaireSetting up the first organization or companyData Collection Point (DCP)Use AI to create elementsSetting Risk models in General SettingsSharing ElementsHow can a user change the language?Data Flow MapRecord of Processing Activities (ROPA)Time MachineCreate and evaluate assessments Company Widget FeatureAsset RegisterVendorsImpact Assessments (IA)Creating organizational unitsExporting your ROPAMeetings & ActivitiesTerms for legitimate processingRetentions & Deletions PeriodsHow to create a new user and how to change the password for loginReport ExplorerMaturity modelAdding risk scenarios to assets or asset groupsRelevant Risk SzenariosPriverion GRC Platform overviewDocument list for onboardingHow can a user change the language?Setting up the first organization or companyCreating attributes that fit your industry
User account
Sharing & Group functions
Features
How-To Guides & Tips
Get Help
Legal
Settings
General Settings
Compliance settings
Identity and access management
IT Settings
Risk Settings

Creating attributes that fit your industry

Compliance officers and DPOs use the Personal Data Categories screen to build and maintain the library of data classifications — such as "Health Data" or "Financial Information" — that underpin every processing activity in their Record of Processing Activities (RoPA).

The Personal Data Categories screen is where your organisation's data-classification vocabulary lives. Before you can accurately describe a processing activity in your RoPA, you need a solid library of named categories — each one tagged with the regulations that apply to it. Think of this screen as laying the foundation: everything else in DPMS that asks "what type of personal data is involved?" draws its answers from the categories you define here. DPOs, compliance officers, and privacy managers will use it regularly; IT administrators may also visit when bulk-importing categories after a platform migration.

How to open it

Navigate to Compliance Settings in the left-hand sidebar, then look for the Personal Data Categories entry in the sub-menu. You can also reach any category's detail view directly by clicking a linked category name while working inside a RoPA processing activity.

You need at least read permission on the Categories element type to view the list and open detail records. Creating, editing, and deleting categories each require the corresponding create/update/delete permissions. Importing categories from a file requires the dedicated tag-import permission. If your role does not include the right permission, the menu item may simply not appear.

What you see

The screen has two modes: the index view (the list of all your categories) and the detail view (a single category record).

On the index, a table fills the main content area. Each row shows a category's Name and its associated Regulations — for example, "Health Data / GDPR, nFADP". In the top-right corner above the table sits the Create animated menu button. Hover over any row and a three-dot icon appears at the far right — that is the row-level actions menu.

On the detail view, the screen splits into two areas. On the far left is the collapsible menu tree — a narrow sidebar showing the available tabs for this record. For categories there is currently just one tab: General. The rest of the screen is the content area. At the very top of the content area runs the breadcrumb bar, which shows your navigation path and gives you a one-click way back to the index. In the top-right corner of the content area you will find the Activity Log clock button (if your role includes the read permission for categories). Below the breadcrumb, the General tab displays the category's name and its linked regulations in a clean read-only card, with an Edit button to open the edit form.

Working with this screen

Creating a new personal data category

When your organisation needs to recognise a new type of personal data — say, "Genetic Data" ahead of a new product launch — start here.

  • From the index, click the Create button in the top-right corner. A small dropdown appears showing a Create option (and, if you hold the import permission, an Import option as well). Click Create.
  • The creation form opens. In the Name field, type the category label exactly as you want it to appear across DPMS — for example, "Genetic Data". This name will show up in the RoPA data-mapping forms wherever staff select the types of personal data being processed, so choose something clear and unambiguous.
  • In the Regulations multi-select dropdown, choose every legal framework that applies to this type of data. Your organisation's applicable laws are pre-loaded here (configured in IT Settings). You can select multiple items — for example, both GDPR and the Swiss nFADP. If the dropdown shows only "No Regulation", see the tips section below.
  • Click Save. DPMS creates the new category and takes you straight to its detail view, where you can confirm the name and regulations are correct in the breadcrumb and the General tab card.

From this moment, "Genetic Data" is available as a selectable classification throughout the RoPA module and in compliance reports.

Reviewing and updating an existing category

Regulations evolve, and your categories need to keep up. Quarterly reviews often reveal that a category is missing a recently enacted law.

  • Find the category on the index — either by scrolling or using the search and filter tools above the table. The Regulations column gives you a quick check of what is currently attached.
  • Click the row. The detail view opens, showing the General tab with the current name and regulations.
  • Click Edit on the General card. The edit form opens pre-filled with the existing values.
  • Make your changes — update the name, add or remove regulations — then click Save. DPMS updates the record and returns you to the detail view. The Regulations column on the index will reflect your change the next time you load the list.
Heads up: If you arrived at this category from inside an Assessment or RoPA review portal (rather than directly from the sidebar), a successful save will send you back to that portal rather than to the categories detail view. This is intentional — DPMS remembers where you came from and returns you there automatically.

Auditing who changed a category

After a data breach or during a regulatory audit, you may need to prove when a category's definition was last changed and by whom.

  • Open the category's detail view from the index.
  • Click the clock icon in the top-right corner of the content area. This opens the Activity Log drawer, which slides in from the right.
  • The drawer lists every recorded change to this category in reverse chronological order — showing the date, the user who made the change, and exactly what was modified (name, regulations, or both).
  • When you are done reviewing, close the drawer by clicking outside it or using its close control.

The Activity Log button is only visible if your role includes read permission for the Categories element type. If you cannot see the clock icon but believe you should be able to, ask your IT administrator to check your role's permissions.

Deleting an obsolete category

If a category was created in error or is no longer relevant, you can remove it directly from the index without opening the detail view.

  • On the index, hover over the row for the category you want to remove. The three-dot icon appears at the far right of the row.
  • Click the three-dot icon and select Delete from the popover menu.
  • Confirm the deletion in the dialog that appears. DPMS sends a delete request to the backend and removes the row from the table.
Heads up: The delete action does not warn you client-side whether the category is already in use in RoPA activities or data-mapping records. If it is referenced elsewhere, the server may block the deletion or leave orphaned references. Always verify a category is unused before deleting it — you can search for it in the RoPA module if you are unsure.

Field reference

Name — The human-readable label for the data category (for example, "Biometric Data" or "Contact Details"). This is the value that appears in the index table, in the breadcrumb on the detail view, and in every RoPA or data-mapping form where a category is selected. Required. The form will refuse to save if this field is blank or contains only whitespace.

Regulations — One or more applicable laws or regulatory frameworks linked to this category (for example, GDPR, CCPA, nFADP). Selected from a pre-configured multi-select list drawn from your organisation's IT Settings. Not required — a category can exist without any regulations attached, though in practice an unregulated category is of limited compliance value. The selected values appear in the Regulations column of the index table and are referenced in compliance reports.

How this connects to the rest of DPMS

The categories you build here are not an isolated configuration — they are actively consumed by two of the most important modules in the platform.

RoPA and data mapping: When a compliance officer fills in a processing activity and reaches the "personal data" section, they select from the categories you have defined on this screen. A sparse or inaccurate categories library means the RoPA cannot be completed correctly. Keeping categories well-maintained and regulation-tagged is therefore a prerequisite for a reliable RoPA.

Compliance reports: Any report that enumerates the types of personal data your organisation processes draws directly from the categories collection. Adding a new category here makes it available for reporting immediately; deleting one removes it from future reports (though historical records that referenced it may retain the name).

After setting up your categories, the natural next step is to review your RoPA processing activities and ensure each one is mapped to the correct category. You may also want to check that your applicable laws are fully configured in IT Settings, so that the Regulations dropdown in the category form is populated correctly.

Tips & common pitfalls

Tip: Configure your organisation's applicable laws in IT Settings before creating categories. If you open the Regulations dropdown and see only "No Regulation", that is a signal that no laws have been set up yet — the category will save, but it will have no regulatory anchor.
Heads up: Unlike most DPMS records (risks, vendors, TOMs), a category detail view has no status badge, no priority selector, and no responsible-person indicator at the top of the page. If you are looking for those fields and cannot find them, they are simply not part of the category data model — only Name and Regulations exist at the record level.
  • The menu tree toggle is shared across all detail views. The open/closed state of the left-hand tab sidebar is stored in your browser and applies to every detail screen in DPMS — not just categories. If the sidebar seems to have disappeared, click the small circle icon on the far left of the content area to bring it back.
  • Saving from an Assessment portal returns you to the assessment, not the categories list. If you create or edit a category while working inside a RoPA or assessment review, DPMS automatically routes you back to the assessment when you save. This is by design and saves you from losing your place in a long review workflow.
  • The Activity Log only appeared for categories from version NG-6654 onwards. Roles created before that update may not have the Categories read permission set and will therefore not see the clock icon. If auditors on your team are missing the button, ask your IT administrator to review the affected roles.
  • Deleting a linked category can have downstream effects. Categories that are already attached to processing activities in the RoPA may be blocked from deletion by the server, or the deletion may succeed but leave references behind. Check usage before you delete.


Was this article helpful?

English
Powered by Product Fruits