What is it and how to approach its development?
Article 30 of the General Data Protection Regulation (GDPR) states that controllers and processors are required to maintain Records of Processing Activities (RoPA). This obligation helps your company achieve GDPR compliance by mapping the processing of personal data within the company. It results in an overview of all processing activities involving personal data and is used to demonstrate that the personal data is being processed in accordance with GDPR. RoPA are thus key documents for demonstrating your organization’s accountability under GDPR, as they must be made available to supervisory authorities upon request.
A good way to start your RoPA is to appoint a Privacy SPOC, or someone who will oversee the mapping of processing activities of personal data within the company. In addition, this person will review the RoPA on a yearly basis to ensure they remain up to date. The DPO, if present, can typically play a role here as well (both in drafting and in the yearly review).
Once you have appointed the person responsible for privacy matters, you can determine whether you are a Data Controller and/or a Data Processor. What’s the difference? The Data Controller determines the purpose of the processing and how personal data is processed. The Data Processor, on the other hand, processes personal data only on behalf of the controller (see Article 4(7) and (8) of GDPR). Note that you can be both Controller and Processor at the same time; the role depends on the processing activity that you carry out.
Records of Processing Activities are required for organizations with more than 250 employees. Yet most organizations with fewer than 250 employees will also have to draw up such Records because of the following elements (see Article 30(5) GDPR):
There is no set format that fits all situations regarding your RoPA structure. Indeed, Records of Processing Activities may differ from one another depending on the company’s size or sector.
Content-wise, Article 30 of GDPR sets out a certain number of elements that the Records must contain.
For the Controller, the elements are:
For the Processor, the elements are:
In terms of format, the RoPA need to be written down, either online or offline. What is important is that the Records are kept in a centralized manner. This can be done by using proper tools such as RESPONSUM, a privacy management SaaS solution.
Lastly, any details showing your commitment to data privacy are welcomed by supervisory authorities (e.g. privacy policy notes, data breach details, …).
You now know what a RoPA is and what it must contain, but how do you put theory into practice? In the following paragraph, you will find a brief outline of how to make a Record.
To start, you will need to gather the available details. To do so, identify and interview the key supervisors of your organization’s departments who are likely to process personal data. Through these interviews, you will be able to identify the departments that process personal data, the activity related to that processing, and the exact personal data involved. Based on this information, you can set up a list of the different activities requiring personal data processing across the departments of your organization. Fill out a record form for every activity.
Templates and resources are available to help you gather and list the activities involving personal data processing. RESPONSUM offers tools to help you maintain your Records of Processing Activities. Find out more about our RoPA module, or talk to one of our colleagues.
Published on January 27, 2022. Written by:
Privacy consultant at CRANIUM