Hi! In this Tuesday’s post, I am introducing you to records of processing activities, or RoPA for short. You may have seen it before as a huge spreadsheet with two or even three dozen columns with fields filled with information about the processing operations. Or maybe you haven’t needed to have one in the first place. Nevertheless, let’s sort out RoPAs today.
If your organisation has at least 250 employees, you are required to keep an up-to-date RoPA, and you must be able to provide it to the authorities upon request. If your organisation has fewer than 250 employees, you still have to keep a RoPA if any of the following apply:
- The processing is likely to result in a risk to the rights of the data subjects
- You are processing personal data on a non-occasional basis
- You are processing personal data of a special category or those related to criminal convictions and offences
If your organisation is covered by the exemption, the RoPA only needs to cover the processing activities that fall under one of these conditions. To use an example from the WP29: if a small company with fewer than 250 employees processes its employees’ data on a non-occasional basis, it only needs a RoPA for that processing activity, not for its other, occasional processing activities.
Moving on to the RoPA’s content. The requirement to maintain RoPA applies to both controllers (C) and processors (P). Depending on your role in the processing activity, the RoPA must contain:
- For C – the name and contact details of C and, where applicable, the joint controller, the controller’s representative, and the DPO
- For P – the name and contact details of P or Ps and of each C on behalf of which P is acting, and, where applicable, of the C’s or P’s representative, and the DPO.
- For C – the purpose(s) of processing.
- For C – a description of the data subject categories and the personal data categories.
- For P – the categories of processing carried out on behalf of each controller.
- For C – the categories of recipients to whom the personal data have been or will be disclosed. That includes a recipient in a third country or international organisation.
- For C and P – any transfers of personal data to a third country or an international organisation. That includes the identification of the third country or international organisation and, if the transfer is performed based on derogations, the documentation of suitable safeguards.
- For C – where possible, the envisaged time limits for erasure of the different data categories.
- For C and P – where possible, a general description of the technical and organisational security measures.
As we described in previous posts, the GDPR requires you to know your data. So to properly build a RoPA, you should data-map your organisation. The aim is to discover the personal data you keep, how it is used throughout the organisation, and with whom it is shared, especially with recipients outside the EU/EEA. That could include various appropriate data discovery exercises. Any records should be regularly reviewed and updated, so that they accurately reflect how personal data is sourced, processed and transferred, and for how long it is stored. There shouldn’t be any discrepancies between the RoPA and your notices and policies.
Keeping the RoPA up to date is a sure way to demonstrate compliance with the regulation and therefore accountability. The challenge, however, is to keep the RoPA alive as a genuinely living document of records. There are a few ways to tackle this. What we recommend is appointing privacy champions in the organisation who are responsible for their own area. For example, a privacy champion in HR, IT and finance, each with special data protection training, can keep the records updated. The DPOrganizer data mapping tool will help you build the RoPA in an effective and meaningful way, while responsibilities can be split up between the privacy champions. The professional services team can also assist you in creating the RoPA and setting up a meaningful and effective operational management structure around it.
That’s all about RoPAs for today; of course, the details get more nitty-gritty in every organisation. So don’t hesitate to contact me at email@example.com, my colleagues, or your privacy peers in Watercooler by DPOrganizer if you have any questions. Until next time, cheers!