Article 30 of GDPR requires companies to produce records of processing activities (ROPA). According to the ICO, this requires “a formal, documented, and accurate ROPA based on a data mapping exercise that is reviewed regularly”.
ROPA reflects the accountability principle of GDPR by working as a living document that proves your organisation’s commitment and compliance with GDPR.
This article will answer these questions:
What is a Record of Processing Activities (ROPA)?
- The type of data the organisation stores
- Who the data is on (the data subject)
- What the organisation is doing with the data
- How the data is being secured
- What the lawful basis is for processing the data
A record of processing activities should not be confused with an asset register. A ROPA tells the reader what you are doing with the data in addition to where data is held.
Do I need a ROPA?
GDPR requires you to complete a ROPA if your organisation has over 250 employees or if the data you process:
- Isn’t occasional (rare or ad hoc activity e.g. annual staff survey),
- Has some risk to the individual or
- Is special category data (information that could lead to discrimination).
Although not required for all organisations, we recommend all organisations maintain a living ROPA record because it makes it easier to comply with GDPR.
What are the benefits of ROPA?
Keeping an updated record of processing activities gives you the tools to implement a data processing procedure that ensures data protection by design and default.
Beyond GDPR compliance, ROPA implementation helps your organisation:
Determine data redundancies
Data redundancy is when an organisation stores and updates the same data in several places. For example, the sales and marketing departments within the same organisation might store the personal data of the same customer.
While intentional data redundancy can be a good thing, unintentional data redundancy may increase the risk of data breaches. A ROPA helps you identify these redundancies and, if required, fix them.
Under GDPR, data subjects may request access to their data, restrict processing of their data, and the right to the erasure of their data.
A comprehensive ROPA empowers your organisation to process such requests quickly and accurately because the applicable information is easily available.
Actions
Consider taking the following steps when preparing your record of processing activities.
- Interview heads of departments to clarify what personal data their departments have access to and address any vulnerabilities that may arise.
- Work with the IT department to verify access control
- Review your privacy and security policies, and ensure data processing addendums (DPAs) are in place with all third-party vendors.
The ICO has made ROPA templates available to the public. These templates are a useful starting point but should be personalised to suit your organisation’s size and requirements.
In most cases, your DPO or EU or UK representative will maintain your record of processing activities. Formiti provides DPO and representative services for organisations of every size. Our global data regulation experts are committed to providing you with bespoke services to suit your organisation’s needs.