April 29, 2021
4 min read

RoPA: why you need one

Read this explainer article to find out how to complete a RoPA for your organization.

RoPA stands for record of processing activities and is obligatory for certain organizations under Article 30 of the GDPR. Creating a RoPA for your organization may seem like a time-consuming and daunting task, but we are here to help and make it easier.

When should I do a RoPA

Record of processing activities document an organization’s personal data processing activities and needs to be carried out where the organization employs 250+ staff, if your data processing is not occasional, or you process special category data. Moreover, where your data processing activities are likely to result in risk to the rights and freedoms of the data subjects (the people who the data pertains to) you also need to record these activities, in addition to conducting a data protection impact assessment before you even begin them.

The UK data protection authority provides a non-exhaustive list of high-risk activities:

  • Use of innovative technologies
  • Denial of service
  • Large-scale profiling
  • Use of biometric/genetic data
  • Conducting data matching
  • Carrying out invisible processing
  • Tracking activities
  • Targeting vulnerable individuals/children
  • Where there is a risk of physical harm

As you can see the list above means that many tech companies fall within the regulations to maintain a RoPA. Obviously, use of innovative technologies comes to mind immediately for these companies. But there is also a need to do a RoPA if you use online trackers and advertising, or carry out data aggregation and re-use of publicly available information online.

How does RoPA differ from data mapping

Similarly to a RoPA, a data map is a document where you indicate the what, where, how, and why you process data. GDPR data mapping gives you a full overview of the data practices in your organization. As such, a data map details the personal data flows for your organization; RoPA, on the other hand provides a concise description of processing operations right now. Moreover, creating a data map is not mandatory under the GDPR but is considered as best practice. This is one of the main differences between RoPA (which is mandatory in some circumstances, as we saw above) and data mapping.

Free data mapping template

Save time and effort by downloading Soveren’s free GDPR data mapping template.

Download now

The other main difference between RoPA and data mapping is that a data map gives you the overview of what you do with data, whereas a RoPA is a record grouping processes to achieve accountability in privacy risk identification and mitigation. As such, a RoPA will include explanations about how the data is used and links to data protection impact assessments, the safeguards employed to protect the personal data, and more.

Benefits of RoPA

Aside from being mandated by data privacy legislation, doing a RoPA also brings several additional benefits for organizations:

Streamlining

Once a RoPA is completed it gets much easier to manage privacy risks. With different processes in your company grouped together and labelled with proper bases for processing, you can easily determine which data should be deleted following revocation of consent, which purposes should be disclosed in your privacy policy etc.

3rd party risk management

RoPA gives you greater understanding about who your data processors are, what kind of contract is in place, security expectations, etc., while also allowing you to properly manage them in line with data protection regulatory requirements.

Cost saving

RoPA allows organizations to identify and remove duplication, rationalize and identify/plan storage needs and requirements with more confidence.

Retention

RoPA can double up as a retention schedule when done properly, which for mid-size corporations means one less headache to maintain.

Getting cross-department buy-in and usage of the RoPA is vital to on-going maintenance and driving the best value from the artefact. To do so, you can provide read-only access to the likes of HR, Marketing, Finance, Engineering, etc. and they use the RoPA not only for the reasons listed above, but also prior to any onboarding of any new supplier.

One point of note here is that having a shared single source of truth offers greater transparency. This translates into less duplication of services in different departments. It may come as a surprise to you that different departments use different services for the same capability. With a shared RoPA, everyone can see all the services and this can lead to greater cost saving.

What should be in a RoPA

So we’ve seen how making a detailed RoPA is worthwhile. But let’s take a look at the minimum requirements for what should be included in your RoPA:

  • Name of your organization and joint controller (if applicable)
  • Contact details (responsible data protection officer)
  • Processing purposes
  • Description of categories of data processed
  • Description of categories of people whose data is being processed
  • Categories of recipients of data
  • Information about transfers to third countries/parties
  • Safeguard mechanisms employed to protect the data during transfers
  • Retention schedule (where possible)
  • Description of the technical and organizational security measures in place (where possible)

As you can see, the minimum requirements are quite detailed and may be difficult to satisfy quickly if you don’t have immediate access to all the information or you don’t have a structure to compile your RoPA.

Author
Soveren

Receive helpful tips, practical content, and updates

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.