What is the impact of maintaining (ROPA) under the GDPR?
In this blog we focus on the technical and operational aspects of how organisations can create an overview of existing data processing activities. For some countries this is not an entirely new requirement, as organisations in for example the Netherlands and Belgium are already familiar with the obligation of notifying processing activities to the local Data Protection Authority.
This responsibility for organisations, laid down in article 30 of the GDPR, requires a full overview of the processing activities that take place within an organization, but also requires these activities to be documented accordingly. This will require a proactive approach from, and collaboration within, organisations.
What does this obligation entail for controllers?
Each controller has a responsibility to maintain records of all the processing activities which take place within the organization. These records (which need to be in writing, as well asin electronic form) must contain all of the following information:
(a) the name and contact details of the controller and where applicable, the data protection office;
(b) the purposes of the processing;
(c) a description of the categories of data subjects and of the categories of personal data;
(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
(e) the transfers of personal data to a third country or an international organization, including the documentation of suitable safeguards;
(f) the envisaged time limits for erasure of the different categories of data; and
(g) a general description of the applied technical and organisational security measures.
Furthermore, the controller or the processor (please refer to the next paragraph) need to make the records available to the supervisory authority upon request.
And what about processors?
In general, the GDPR does not only require more responsibility from the controller, but it also requires more responsibility from the involved data processors. Therefore, this obligation is also applicable to processors. Each processor will have the responsibility to maintain records of all categories of processing activities carried out on behalf of a controller, containing:
- the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable and the data protection officer;
- the categories of processing carried out on behalf of each controller;
- transfers of personal data to a third country or an international organization, including the documentation of suitable safeguards;
- a general description of the applied technical and organisational security measures.
Operational and technical measures
Organising records of all the data processing activities that take place within in your organization, could pose a challenge. Especially when these kinds of processing activities take place decentralised within different departments or business units. How can this stream of information best be coordinated, where should records be stored and more importantly, how should these records be maintained and kept up-to-date? Below a few practical tips and tricks are outlined.
1. Involve the business
As data processing activities take place across your organization, it is key to localise the stakeholders which play a role at the beginning of the development or design of a product, process, system, application or project. These people have the main insight into the data processing activities and will be of extreme value to create and maintain the overview. Involve the business when your organization starts to think about the underlying process that is needed to generate these records. Make them aware of the benefits and the added value for your organization.
2. Design (and align) a process, with clear roles and responsibilities
When you have your stakeholders involved, the next step is to determine the process in which the records must be obtained, checked, added to a central register and kept up-to-date. Be aware that lot of the required information will most probably already be obtained by performing Privacy Impact Assessments (DPIA’s). If there is an existing supporting process, explore to what extent this new process can be aligned. This will coordinate the required effort, and will prevent the business from providing the required information twice.
Also, make sure that clear roles and responsibilities aredefined when the process is being developed. Think about responsibilities with regard to the collection of the required information, including the information into a centralised register and updating the information in the register when needed.
Do not forget to involve other competences as well, such as IT, compliance, procurement and legal, as they could also greatly benefit from the information. Think of the contracts in light of the procurement process in case processors are (going to be) involved. The information will be of great value in settling data processing agreements.
3. Create a central register for the records.
The records that must be kept, should be stored in a centralised manner. Depending on the infrastructure of the specific organization, explore how to support the fundamental process. Preferably, organisations should not “seek refuge” in Excel sheets, as easy as it might be – but rather use a proper tool. In this way one centralised system will provide a full overview of the processing activities that take place within the organization. Of course in this scenario people have to be aware of the proper technical measures, such as access and authorisation rights (not everyone should be authorized to change or alter information). The market for privacy tools is expanding rapidly, and it is good to think about the technical requirements and possibilities within your own organization.
Is this obligation a burden or could it become a valuable asset for organisations?
This requirement under the GDPR will require some extensive effort. The organising part requires a lot of the business, but also of the privacy professionals involved. To convince the business of the added value of these records – besides the fact that it is an obligation of which non-compliance could lead to fines up to EUR 10.000.000 or 2% of the total worldwide annual turnover – will take time. Keeping in mind the development of the process, but also exploring and implementing the technical measures, it will be a time consuming process. Moreover, don’t forget to keep track of existing processing activities: not only new data processing activities must be recorded, but also the activities that are taking place at the moment (and maybe have been for years).
However, there is also something to gain. The records will provide an overview of all data processing activities within your organization, and therefore enable organisations to get a grip on what kind of data categories are being processed, by whom (which departments or business units) and for which underlying purposes. This knowledge will allow organisations to make connections internally, join efforts or projects with the same or equivalent goals and / or challenges and it can result in increasing control over data processing activities. This will provide insight into risks and required mitigation actions, and will inevitably result in empowering organisations to do more – and in a well-ordered manner – with the available personal data.