What are the records of processing activities (ROPA)?
Article 30 of the EU General Data Protection Regulation (GDPR) requires organisations to maintain internal records, which contain the information of all personal data processing activities carried out by the organisation. These records help organisations understand what personal data they collect, where it comes from and how that data is being processed.
The records of processing activities (ROPA) must be kept in written or electronic form. If necessary, the supervisory authority can use the records to assess whether the organisation meets the accountability requirement. For this reason, the records must be made available to the supervisory authority upon request.
The records of processing activities are not only a formal requirement; they also contain the core information needed to manage the organisation's compliance and to produce other required documentation such as the privacy policy, data processing agreements and data retention schedules.
Who needs to document the records of processing activities?
Article 30 GDPR stipulates that records of processing activities must be maintained by all organisations employing more than 250 employees. Smaller organisations only need to document processing activities that:
- are not occasional (e.g., are more than just a one-off occurrence or something you do rarely); or
- are likely to result in a risk to the rights and freedoms of individuals (e.g., something that might be intrusive or adversely affect individuals); or
- involve special category data or criminal conviction and offence data (as defined by Articles 9 and 10 of the GDPR).
What information should be included in the records of processing activities?
If your organisation acts as a data controller, you are required by Article 30 of the GDPR to document at least the following:
- the name and contact details of the controller and the joint controller(s) (if any);
- if the organisation has appointed a data protection officer, their name and contact details;
- purposes of the processing – what you use personal data for (customer support, employment, marketing, product development, sales);
- categories of data subjects (e.g. employees, customers, contact persons of vendors);
- categories of personal data processed (e.g. personal identification information, contact details, health data);
- categories of recipients of personal data (e.g. partners, third parties, authorities, management);
- where applicable, the list of third countries or international organisations to which the personal data is transferred;
- in the case of transfers of personal data to a third country, the details of the transfer, including the name of the country and other information on the circumstances of the transfer and the safeguards;
- where possible, the retention periods for different categories of personal data;
- a description of the technical and organisational security measures (e.g. encryption, employee training, restrictions on access to documents and other personal data, anonymisation).
According to Article 30 GDPR, processors are also required to maintain records of data processing activities. In this case, the records must include the following information:
- the names and contact details of the processor, its controller(s) and sub-processors;
- if the organisation has appointed its own data protection officer, their name and contact details;
- categories of processing performed on behalf of the controller;
- if personal data is transferred to a third country, the details of the transfer, including the name of the country and other information on the circumstances of the transfer and the safeguards;
- a description of the technical and organisational security measures (e.g. encryption, staff training, restrictions on access to documents and other personal data, anonymisation).
How do I create the records of processing activities?
Records must be stored in electronic form and regularly updated. If the organisation is obliged to appoint a Data Protection Officer (DPO), keeping the mapping of processing activities is the responsibility of the DPO. If the organisation does not have a designated DPO, the mapping of the records of processing activities may instead be assigned to an employee with the appropriate qualifications to perform such work. It is quite common to use external consultants for the initial mapping of the ROPA and to hire a DPO-as-a-Service to cover the ongoing DPO responsibilities.
You could start by mapping information systems and personal data to find out what information your organisation holds and where. It is important that different stakeholders from across your organisation are involved in the process. This helps prevent any type of personal data or processes from being overlooked. It is equally important to involve senior management so that your mapping project is supported and its importance is communicated to all involved stakeholders.
Once you have an overview of the personal data you hold and where it is located, you can start compiling the records of processing activities. It is up to you to decide how to do this – in a spreadsheet or using a dedicated tool – but we hope the next three steps will make it easier to reach the final result.
Compile a questionnaire on data processing activities
You can share the questionnaire with the stakeholders and departments that process personal data. The questions could be:
- What is personal data used for?
- Who are the persons for whom personal data are collected?
- What personal information is held about them?
- Who is this personal information shared with?
- For how long is this personal data stored?
- How is this personal information protected?
Interview the stakeholders
Based on the questionnaire responses, draft the records of processing activities and interview the stakeholders to refine the data and gain a better understanding of the processes.
Find existing documentation
If some of the required documentation already exists in the company, find it and review the policies, procedures and agreements – this will help you compare the existing documentation with the planned records and identify any inconsistencies with the actual situation.
Clearly, a ROPA project is not an easy task. It requires considerable time and cooperation with stakeholders and other involved persons. To simplify this task, we have created a helpful tool – the GDPR Register.
Maintain ROPAs effectively with GDPR Register
With GDPR Register you can do the following:
- organise a mapping project and share tasks;
- quickly and efficiently compile records of processing activities using professionally prepared templates;
- compile a register of data processing agreements and link them to ROPAs;
- generate reports with a few clicks;
- register data subject requests;
- maintain a register of personal data breaches;
- keep all documentation related to personal data in a secure environment.
More to read on this topic: The lawful basis for Data Processing under the GDPR