RoPA: What is it and how to approach its development?


What is a RoPA (or Record of Processing Activities)?

Article 30 of the General Data Protection Regulation (GDPR) states that controllers and processors are required to maintain Records of Processing Activities, in short RoPA or “Records”. This obligation helps your company achieve GDPR compliance through a mapping of the processing of personal data within the company. It results in an overview of all processing activities of personal data and is used to demonstrate that the personal data is being processed in accordance with GDPR. RoPA are thus key documents to demonstrate your organization’s accountability towards GDPR, as they must be available to supervisory authorities upon request.

How to start?

Appoint someone responsible for Privacy: A good way to start your RoPA is to appoint a Privacy SPOC or someone who’ll oversee mapping processing activities of personal data within the company. In addition, this person will review the RoPA on a yearly basis to ensure they remain up to date. The DPO, if present, can typically play a role here as well (both in drafting and the yearly review).

Determine whether you are a Data Controller or a Data Processor: Once you have appointed the person responsible for privacy matters, you can determine whether you are a Data Controller and/or a Data Processor. What’s the difference? The Data Controller determines the purpose and how personal data is processed. The Data Processor, on the other hand, processes personal data only on behalf of the Controller (see Article 4(7) and (8) of GDPR). Note that you can be both Controller and Processor at the same time. The role will depend on the processing activity that you execute.

Does every organization need RoPA?

Records of Processing Activities are required for organizations with more than 250 employees. Yet, most organizations with fewer than 250 employees will also have to draw up such Records because of the following elements (see Article 30(5) GDPR):

  • The processing carried out is likely to result in a risk to the rights and freedoms of data subjects, e.g., evaluation of employees.
  • The data processing is not occasional, e.g., timesheets of employees, Human Resources Management, etc.
  • The processing includes special categories of data as referred to in Article 9(1), e.g., doctor’s notes, accidents at work…
  • The personal data relates to criminal convictions and offenses referred to in Article 10, e.g., when an extract of a criminal record is an employment prerequisite.

Requirements: Format, Content & Structure

There is no set format that fits all situations regarding your RoPA structure. Indeed, Records of Processing Activities may differ from one another depending on the company’s size or sector.

Content-wise, Article 30 of GDPR sets out a certain number of elements that the Records must contain.

For the Controller, the elements are:

  • The name and contact details of the Controller and, where applicable, the joint Controller, the Controller’s representative, and the person responsible for Privacy/DPO (if there is one).
  • The purposes of the processing.
  • A description of the categories of data subjects and the categories of personal data.
  • The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations.
  • Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards.
  • If possible, the predicted time limits for erasure of the different categories of data.
  • Where possible, a general description of the technical and organizational security measures referred to in Article 32(1).

For the Processor, the elements are:

  • The name and contact details of the Processor(s) and of each Controller on behalf of whom the Processor is acting, and, where applicable, the Controller’s or Processor’s representative, as well as the name and contact details of the appointed person responsible for Privacy/DPO (if there is one).
  • The categories of processing carried out on behalf of each Controller.
  • Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards.
  • Where possible, a general description of the technical and organizational security measures referred to in Article 32(1).

In terms of format, the RoPA need to be written down, either online or offline. What is important is that the Records are kept in a centralized manner. This can be done by using proper tools such as RESPONSUM, a privacy management SaaS solution.

Lastly, any details showing your commitment to data privacy to supervisory authorities are welcome (e.g., privacy policy notes, data breach details, …).

Putting Theory into Practice

You now know what a RoPA is and what its requirements are, but how do you put theory into practice? In the following paragraph, you will find a brief outline of how to make a Record.

To start, you will need to gather available details. To do so, you will need to identify and interview key supervisors of your organization’s departments who are likely to process personal data. Through interviews, you’ll be able to highlight the departments that process personal data, the activities related to this processing, and the exact personal data involved. Based on this information, you will be able to set up a list of the different activities requiring personal data processing within the different departments of your organization. Fill out a record form for every activity.

Templates and resources are available to help you gather and list the activities involving personal data processing. The Belgian Data Protection Authority offers templates of Records of Processing Activities in Dutch and French. RESPONSUM also offers tools to help you maintain your Records of Processing Activities. Reach out to responsum.eu for more information.