June 09, 2021
9 min read

GDPR data mapping and RoPA: what’s the difference?

Let’s understand the differences between the two and learn when to do which.

Data mapping and record of processing activities (RoPA) are two concepts that are often misunderstood in data privacy. Sometimes it can be unclear whether you need to create a data map or record the processing activities, or whether the two are identical.

Data mapping: what is it?

In short, data mapping is the process of determining how data is used by an organization, when it is used and why. Data mapping is an integral step for GDPR compliance and can be defined as the answers to the following questions:

  • Why do you process data?
  • What data do you process?
  • Where do you process data?

So a data map is a document that shows you the ins and outs of all of your data practices: why you have what data and where you process it. Let’s take a deeper look at the answers to the questions above.

Why do you process data?

Your organization collects data from your customers in the form of names, addresses, etc. in order to interact with them. Should you save this somewhere, you are processing this personal data. This means that you likely process data to conduct your operations with clients and even storing employee data on file is processing. So data processing is critical to every business.

What data do you process?

After successfully defining why you use data, you need to link the personal data you collect to what you do with it. Here it is useful to bear in mind what data you will use to attain your set goals. Here you need to link why you collect data with details like location, IP address, identification number, etc.

Where do you process data?

As we already saw above, data is processed for automation, integration, human resources, sales, marketing, etc. in your business. The other thing is that customer personal data is probably processed through cloud computing and software-as-a-service (SaaS) solutions. This means you need to know where this data is held on your behalf. If you are using in-house servers, then this discovery process is simpler. Otherwise you need to know where data is transported when you are using cloud storage or SaaS. A point of note here is that the most popular cloud and SaaS services are in the US.

As we can see from the explainers above, a data map is a document which gives a general overview of what happens with data in your organization: from how you receive it and why to how you deal with it.

Data mapping and GDPR compliance

The GDPR requires businesses to ensure that personal data is handled lawfully, fairly, and securely. To ensure data protection, it is essential to monitor the data's path from beginning to end. It is impossible to incorporate any protection without a clear understanding of the data lifecycle. As a result, data mapping becomes a critical step toward GDPR compliance, although the exercise is not mandated by the legislation itself.

The GDPR states that a data map is a record that companies can quickly retrieve and show during a GDPR audit. Often organizations include data visualization into their data map to see how their data flows across their systems. An organization’s data map is also likely to include the legal bases for processing personal data: the legal which allow for your personal data processing activities.

When auditing the personal data you process, data maps are generally used to assess the level of third-party access to organizational data. We saw this above when we were trying to figure out where data is. For different purposes, all companies are required to keep a list of third-parties with whom they should share their business data. To determine the danger of a specific procedure, your organization must first understand its data flows, determining how data moves across different systems and where it ends up.

Benefits of data mapping

So if a data map isn’t required by law, why create one? Well, the biggest advantage of holding an up-to-date data map is that you have a go-to document that shows the what, where, and why of the personal data your organization holds. Should you need to provide a report about it, you already have one ready.

Free data mapping template

Save time and effort by downloading Soveren's free GDPR data mapping template.
Download now

Let's take a look at some of the concrete benefits.

Increased efficiency of business operations

Data mapping makes clear how you collect, use, and store data, enabling you to clearly categorize it. By holding an up-to-date data map, you are always audit ready if the regulator comes knocking. Moreover, consider your data map to be an index of a company's documents and information systems. As a result, a data map can be used as a quick guide to figure out what data is stored where and why. As such, a data map helps streamline the privacy operations for your business.

Legal efficiency

From a legal standpoint, data mapping helps not only when the authorities are at your door, but also helps your in-house legal team. By having a data map ready, you can be faster and more precise with requests from legal, helping them to do their work more efficiently. Having a data map right at hand means you can streamline data requests, ensuring that the data subject requests can be responded to promptly. When you know exactly which data you have about any given data subject, it's easier to identify data that falls under the data protection law requirements as "relating to an identified or identifiable data subject" and data which isn’t subject to additional protection.

Record of processing аctivities (RoPA)

Now that we have an overview as to what is data mapping, we can take a look at what a RoPA is. As you will see, data maps and records of processing activities have a lot of overlap. But the main point of note is that RoPA is mandatory and a data map is advised. Let’s dig a little deeper.

ROPA is a record that contains:

  • The purpose for processing any personal data
  • The parties to whom any personal data is or may be disclosed
  • The retention period for personal data
  • Details about the safeguards in place for the data

According to the GDPR, you don’t need to report to the authorities how you are processing customer data. But you need to keep an internal report of the processing activities which must be provided to the authorities upon request. Article 30 of the GDPR terms this internal report as a record of processing activities .

“Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.”
Article 30 (1) GDPR

RoPA and GDPR compliance

GDPR mandates the use of RoPA for every organization which has over 250 employees or if the organization’s activities are data intensive. Data intensive generally refers to:

  • How often an organization processes data (twice or more annually)
  • The volume of the data being processed

In addition, there are another two conditions to the data processing that also necessitate a RoPA:

  • Whether processing puts the freedoms of the people at risk
  • Whether the data especially sensitive (special category)

Furthermore, the GDPR lays out minimum requirements for a record of processing activities. In order to maintain a RoPA, the following five actions should be completed:

  1. Personal data audit

Before implementing a RoPA, it's a good idea to conduct an information audit to determine what personal data the organization has, where it's stored, and how it's processed.

  1. Identification of the task

You must determine if you are a controller or a processor in each operation. If you organize the processing and use a SaaS then you are the controller and the software company processes the data on your behalf.

  1. Data categorization

Breaking down the data you have on data subjects into categories is a crucial step before documenting your activities. Having set categories is fundamental to keeping your personal data in order.

  1. Activity documentation

Maintain written and electronic records of your activities. It's crucial to do so methodically and you should keep the documents all in one place.

  1. Continual updates

RoPA isn’t a one-time exercise: the register of activities should be reviewed and updated on a regular basis. Any new processing operations or changes the intent of existing practices will require an update.

Benefits of RoPA

The creation and maintenance of records is a vital part of a company's readiness plan if they are subject to carrying out a RoPA. Creating a RoPA may be the first time your organization looks at its data processes from a company-wide perspective and offers several benefits.

Recognize redundancies

When putting together your RoPA, you may uncover instances where the same kinds of data are saved and updated in different places at different times, making it difficult to determine which reports are the most recent, detailed, and accurate. By creating a RoPA, you have a centralized repository once you've identified these redundancies, allowing you to extract better business performance from your data.

Plan for request processing

Just as with the data map, when a data subject sends a request for access to or removal of their personal data, the RoPA can assist in determining the type of data and how it is handled. If you have this information on hand, you'll be able to respond to data subject requests efficiently and precisely.

Streamline data collection

Some businesses find they have been gathering certain categories of personal data for no specific reason during the data discovery process. RoPA may be used to verify that the data being processed has business value. Furthermore, businesses can standardize their systems, remove the need to secure unnecessary data, and concentrate their efforts on data that helps them quickly identify and resolve other business objectives.

RoPA and data map difference

Data mapping is an exercise to determine what personal data is stored and how it flows through your organization. It includes how you got the information and explains how you will get rid of it. RoPA, on the other hand, explains how the data is used, what technological and organizational safeguards you have in place to secure the data, who is impacted by a processing, who is the beneficiary of a processing, and who may be a data processor. A ROPA also includes a fundamental risk study.

GDPR mandates the use of RoPA but no such mandate is applied for data mapping. However, RoPA is a part of data mapping. A data mapping exercise includes all the information required for RoPA with additional information such as:

  • Data processing information
  • Existing gaps in the process
  • Asset maps
  • Cross-border transfers
  • Technical, and organizational measures
  • Privacy risks
  • Overview of data processing

Since a data map goes deeper than a RoPA it, starting with mapping can help your organization formulate a RoPA fast because you will have already done the majority of the groundwork.

Complying with the regulations can seem difficult, but tackling it piece by piece will help your organization adapt to changing privacy requirements and consumer demands. Mapping your data is one of the most critical moves you can take in this direction. It's not only a necessary step toward GDPR enforcement, but it's also good business.

Automate your personal data monitoring and analytics with a free tool


Receive helpful tips, practical content, and updates

Thank you! You have been successfully subscribed
Oops! Something went wrong while submitting the form.