Article 30, RoPA: What is it and How to manage one

What is a Record of Processing Activities?

The Records of Processing Activities, or RoPA, is an overview of all processing activities of personal data within an organization. It is used to demonstrate that the personal data is being processed in accordance with the General Data Protection Regulation (GDPR). Article 30 of the GDPR states that controllers and processors are required to maintain a RoPA. As it is essentially a map of all personal data processes, it is a key tool in achieving GDPR compliance, though it is not to be confused with Data Mapping.

How to start building a RoPA

Appoint someone responsible for privacy

A good way to start your RoPA is to appoint a Privacy SPOC or someone who’ll oversee mapping processing activities of personal data within the company. In addition, this person will review the RoPA on yearly basis to ensure they remain up to. The DPO, if present, can typically play a role here as well (both in drafting and the yearly review).

Determine whether you are a data controller or data processor

Once you have appointed the person responsible for privacy matters, you can determine whether you are a Data Controller and/or a Data Processor. What’s the difference? The Data Controller determines the purpose and how personal data is processed. The Data Processor, on the other hand, processes personal data on behalf of the controller only (see Article 4 (7) and (8) of GDPR). Mind that you can be both Controller and Processor at the same time. The role will depend on the processing activity that you execute.

Does every organization need a RoPA?

Records of Processing Activities are required for organizations with more than 250 employees. Yet, most organizations with less than 250 employees will also have to draw up such Records because of the following elements (see Article 30 (5) GDPR):

Requirements: Format, content & structure

There is no set format that fits all situations regarding your RoPA structure. Indeed, Records of Processing Activities may differ from one another depending on the company’s size or sector.

Content-wise, Article 30 of GDPR sets out a certain number of elements that the Records must contain.

The processing carried out is likely to result in a risk to the rights and freedoms of data subjects. E.g., Evaluation of employees.
The data processing is not occasional. E.g., Timesheets of employees, Human Resources Management, etc.
The processing includes special categories of data as referred to in Article 9(1). E.g., Doctor’s notes, accidents at work…
The personal data relates to criminal convictions and offenses referred to in Article 10. E.g., When extract of a criminal record is an employment prerequisite.

For the Controller, the elements are:

The name and contact details of the controller and, where applicable, the joint Controller, the Controller’s representative, and person responsible for Privacy/DPO (if there is any).
The purposes of the processing.
A description of the categories of data subjects and the categories of personal data.
The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations.
Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49 (1), the documentation of suitable safeguards.
If possible, the predicted time limits for erasure of the different categories of data.
Where possible, a general description of the technical and organizational security measures referred to in Article 32(1)

For the Processor, the elements are:

In terms of format, the RoPA need to be written down, either online or offline. What is important, is that the Records should be kept in a centralized manner. It can be done by using proper tools such as RESPONSUM: a privacy management SaaS solution.

Lastly, any details showing your commitment to data privacy to supervisory authorities are welcomed (ex. Privacy policy notes, data breaches details, …).

Putting theory into practice

You now know what a RoPA is with all its requirements, but how to put theory into practice? In the following paragraph, you will find a brief outline of how to make a Record.

To start, you will need to gather available details. To do so, you will need to identify and interview key supervisors of your organization’s departments, who are likely to process personal data. Through interviews, you’ll be able to highlight the departments that process personal data, the related activity to this processing, and the exact personal data involved. Based on this information, you will be able to set up a list of the different activities requiring personal data processing within the different departments of your organization. Fill out a record form for every activity.

Templates and resources are available to help you gather and list the activities involving personal data processing. RESPONSUM offers tools to help with maintaining your Records of Processing Activities. Find out more about our RoPA module right here, or talk to one of our colleagues.

Liked reading this article? Spread the word!

Get the inside scoop on simplified privacy management

Get exclusive tips ‘n tricks straight to your inbox. Join +1,100 privacy professionals already subscribed and stay ahead of the game!

Written by

Noémie Nikavogui

Privacy Consultant @ CRANIUM

Privacy

Assessments

Awareness

Services

Industries

Content Hub

Tools

Latest from our blog

RESPONSUM Strengthens Market Presence with Acquisition of RealCGR’s GDPR Division

Vendor Assessments: Choosing a Processor

Mastering Vendor Risk Management