RoPA stands for record of processing activities and is obligatory for certain organizations under Article 30 of the GDPR. Creating a RoPA for your organization may seem like a time-consuming and daunting task, but we are here to help and make it easier.
A record of processing activities documents an organization’s personal data processing and must be maintained where the organization employs 250+ staff, where its data processing is not occasional, or where it processes special category data. Moreover, where your processing activities are likely to result in a risk to the rights and freedoms of the data subjects (the people to whom the data relates), you also need to record these activities, in addition to conducting a data protection impact assessment before you even begin them.
The UK data protection authority provides a non-exhaustive list of high-risk activities:
As you can see, the list above means that many tech companies fall within the scope of the obligation to maintain a RoPA. Obviously, the use of innovative technologies comes to mind immediately for these companies. But there is also a need to keep a RoPA if you use online trackers and advertising, or carry out data aggregation and re-use of publicly available information online.
Similarly to a RoPA, a data map is a document in which you indicate what data you process, and where, how, and why you process it. GDPR data mapping gives you a full overview of the data practices in your organization. As such, a data map details the personal data flows for your organization; a RoPA, on the other hand, provides a concise description of the processing operations taking place right now. Moreover, creating a data map is not mandatory under the GDPR but is considered best practice. This is one of the main differences between a RoPA (which is mandatory in some circumstances, as we saw above) and data mapping.
The other main difference between RoPA and data mapping is that a data map gives you the overview of what you do with data, whereas a RoPA is a record grouping processes to achieve accountability in privacy risk identification and mitigation. As such, a RoPA will include explanations about how the data is used and links to data protection impact assessments, the safeguards employed to protect the personal data, and more.
Aside from being mandated by data privacy legislation, doing a RoPA also brings several additional benefits for organizations:
A RoPA gives you a better understanding of who your data processors are, what kind of contract is in place, what the security expectations are, etc., while also allowing you to manage them properly in line with data protection regulatory requirements.
A RoPA allows organizations to identify and remove duplication, and to rationalize, identify, and plan storage needs and requirements with more confidence.
A RoPA can double as a retention schedule when done properly, which for mid-size corporations means one less document to maintain.
Getting cross-department buy-in and usage of the RoPA is vital to ongoing maintenance and to driving the best value from the artefact. To do so, you can provide read-only access to the likes of HR, Marketing, Finance, Engineering, etc., so that they can use the RoPA not only for the reasons listed above, but also before onboarding any new supplier.
One point of note here is that having a shared single source of truth offers greater transparency. This translates into less duplication of services across departments. It may come as a surprise that different departments use different services for the same capability. With a shared RoPA, everyone can see all the services in use, and this can lead to greater cost savings.
So we’ve seen how making a detailed RoPA is worthwhile. But let’s take a look at the minimum requirements for what should be included in your RoPA:
As you can see, the minimum requirements are quite detailed and may be difficult to satisfy quickly if you don’t have immediate access to all the information, or if you don’t have a structure for compiling your RoPA.