RoPA: how to complete

Soveren has created a tool to help you document your record of processing activities (RoPA). The tool allows you to simplify the process of creating a RoPA and keeps you audit ready. Try out the tool for free today and read this explainer article to get you started.

Soveren, April 27, 2021

Holding a record of processing activities is mandatory under GDPR.

Completing your RoPA

Log in to your Soveren account and you will see a section to create your RoPA in the left-hand bar. Navigate to this section and add a new activity.

Log in to Soveren and click RoPA

Let’s now run through the step-by-step process of completing your record of processing activities. While you are in Soveren’s RoPA tool, you are provided with hints. You can save your progress at any time and come back later to finish or update it.

Enter the data for your RoPA

  1. Enter your processing activity name, whether customer support, some kind of sales and marketing activity (such as online marketing) or other (the name is just a reference for your future use, so feel free to name it as you wish)
  2. Then indicate your processing purpose: the reason you process personal data, for example, if you are documenting customer support activities: “Advertisements and promotions by email and push notifications, excluding direct, offline advertising”
  3. Following this you need to add any systems you use for processing personal data, such as Zendesk (for customer support)
  4. Indicate the person responsible for the processing activity, for example: the customer support manager
  5. Complete the categories of data subject, that is, the categories of people whose personal data is being processed, for example: “Web users”
  6. Now enter the categories of personal data being processed, for example: “Content of communications and emails”
  7. Then add the link to a description of security measures that ensure the safety of the processing activity, for example: the link to a PDF file containing risk assessment and mitigation measures
  8. Add the expected period you store and/or process personal data until you legally have to erase it, for example: “Until objection to processing or 1 year after the last action on the service, whichever is earlier”
  9. If you transfer or disclose personal data to third countries and/or international organizations, you need to enter these third parties and the countries in which they are located, for example: “US, XYZ World Insurance”
  10. Depending on whether you transfer personal data outside the EEA, you need to enter the basis for doing so, for example: “Standard contractual clause (SCC)”

Add the necessary information to the RoPA

By completing the above 10 steps you will be well on your way to documenting activities that require a RoPA. The additional 7 steps below may be completed should you have access to this information:

  1. Add the legal basis for processing personal data, such as “Legitimate interest”
  2. Should you process data jointly with others, cooperatively determining the purpose and means for data processing, you need to add these organizations
  3. Should you disclose personal data to third-party recipients you need to add these companies
  4. If you are a controller and have processors handling data on your behalf, indicate the processor (company) for this data
  5. While not strictly speaking necessary under Article 30, you can also keep track of the subprocessors used by your processors that you listed in step 4; this can be useful if you wish to check whether the data is leaving the EEA
  6. Before starting your data processing activity, you will have conducted a threshold test for carrying out a full data processing impact assessment (DPIA); place a link to the outcome of this threshold analysis
  7. Lastly, if the outcome of your threshold analysis indicated that you should complete a DPIA, provide the link to the document where the analysis took place

Once you have added your records of processing activities, the result should look like this:

What your RoPA will look like

This record is audit ready should the regulators come knocking and provides you with a great framework to boost the effectiveness of your data privacy operations.

Get started for free right now!