What is a Record of Processing Activities?
A Record of Processing Activities (RoPA) is an inventory of every activity in which an organization processes personal data. It is used to demonstrate that personal data is being processed in accordance with the General Data Protection Regulation (GDPR). Article 30 of the GDPR requires both controllers and processors to maintain such a record. Because it is essentially a map of every process that touches personal data, it is a key tool in achieving GDPR compliance, though it is not to be confused with Data Mapping.
How to start building a RoPA
Appoint someone responsible for privacy
A good way to start your RoPA is to appoint a Privacy SPOC (single point of contact): someone who will oversee the mapping of personal data processing activities within the company. This person will also review the RoPA on a yearly basis to ensure the Records remain up to date. The DPO, if present, can typically play a role here as well, both in drafting the Records and in the yearly review.
Determine whether you are a data controller or data processor
Once you have appointed the person responsible for privacy matters, you can determine whether you are a Data Controller and/or a Data Processor. What is the difference? The Data Controller determines the purposes and means of the processing of personal data. The Data Processor, on the other hand, processes personal data only on behalf of the controller (see Article 4 (7) and (8) of the GDPR). Note that you can be both Controller and Processor at the same time: the role depends on the specific processing activity that you carry out.
Does every organization need a RoPA?
Records of Processing Activities are required for organizations with 250 or more employees. Yet most organizations with fewer than 250 employees will also have to draw up such Records, because the exemption does not apply in the following cases (see Article 30 (5) GDPR):
Requirements: Format, content & structure
There is no single format that fits all situations regarding the structure of your RoPA. Records of Processing Activities may differ from one organization to another depending on the company's size or sector.
Content-wise, Article 30 of the GDPR sets out a number of elements that the Records must contain.
For the Controller, the elements are:
For the Processor, the elements are:
In terms of format, the RoPA must be kept in writing, which includes electronic form, so it may be maintained online or offline. What matters is that the Records are kept in a centralized manner, so that there is a single authoritative version to maintain and to present to a supervisory authority on request. This can be done with a dedicated tool such as RESPONSUM, a privacy management SaaS solution.
Putting theory into practice
You now know what a RoPA is and what it must contain, but how do you put theory into practice? The following paragraph gives a brief outline of how to build a Record.
To start, you will need to gather the available details. To do so, identify and interview the key supervisors of the departments in your organization that are likely to process personal data. Through these interviews, you will be able to establish which departments process personal data, which activities involve that processing, and exactly which personal data is involved. Based on this information, you can draw up a list of the different activities within each department that require the processing of personal data. Fill out a record form for every activity.
Templates and resources are available to help you gather and list the activities that involve personal data processing. RESPONSUM offers tools to help you maintain your Records of Processing Activities. Find out more about our RoPA module right here, or talk to one of our colleagues.
Privacy Consultant @ CRANIUM