Article 30 of the General Data Protection Regulation (GDPR) requires controllers and processors to maintain Records of Processing Activities (RoPA). This obligation helps your company achieve GDPR compliance by mapping the processing of personal data within the company. The result is an overview of all processing activities involving personal data, used to demonstrate that the personal data is processed in accordance with GDPR. The RoPA is thus a key document for demonstrating your organization's accountability under GDPR, and it must be made available to the supervisory authority on request.
Records of Processing Activities are mandatory for organizations with 250 or more employees. Yet most organizations with fewer than 250 employees will also have to draw up such Records, because the exemption does not apply in the following cases (see Article 30(5) GDPR):
There is no single format for a RoPA that fits every situation. Records of Processing Activities may differ from one organization to another depending on the company's size and sector.
Content-wise, Article 30 GDPR sets out the elements that the Records must contain, which differ for controllers and processors.
For the Controller, the elements are:
For the Processor, the elements are:
In terms of format, the RoPA must be in writing, which includes electronic form (Article 30(3) GDPR). What matters is that the Records are kept in a centralized manner so that they can be maintained and produced for a supervisory authority on request. This can be done with a dedicated tool such as RESPONSUM, a privacy management SaaS solution.
You now know what a RoPA is and what it must contain, but how do you put theory into practice? The following paragraph gives a brief outline of how to build a Record.
Start by gathering the available details. Identify and interview the key supervisors of the departments in your organization that are likely to process personal data. Through these interviews you can establish which departments process personal data, which activity each processing operation belongs to, and exactly which personal data are involved. From this information, draw up a list of the activities involving personal data processing across the departments of your organization, and fill out a record form for each activity.
Templates and resources are available to help you gather and list the activities involving personal data processing. RESPONSUM offers tools to help with maintaining your Records of Processing Activities. Find out more about our RoPA module right here, or talk to one of our colleagues.
Published on January 27, 2022. Written by:
Privacy consultant at CRANIUM