One of the GDPR requirements is to create and maintain a record of processing activities (ROPA), which includes the purposes of processing personal data, the parties to whom you are disclosing the data, how long you will retain the data, and other details (see Article 30). As we work with clients to create ROPAs as part of their data privacy readiness plans, the process frequently reveals new insights into their data management practices. Because these insights can yield positive outcomes on multiple levels and help you better manage your data, the ROPA process can be a beneficial undertaking for any organization, whether it is subject to GDPR or not.
What Is a ROPA?
A ROPA is a record of an organization’s processing activities involving personal data. Some businesses may think of “processing” as being limited to active, ongoing operations, but a ROPA must also cover data that simply sits on a server or a shelf.
A ROPA includes the following information for each processing activity:
- Names and contact details of the data controller, data processor, data controller’s representative, joint controller, and data protection officer (DPO), if applicable
- Purpose (i.e., lawful basis) of processing personal data
- Categories of data subjects and categories of personal data processed
- Categories of recipients to whom the personal data has been or will be shared
- Third parties in other countries or international organizations who receive the personal data
- Retention schedule for each category of personal data
- General description of technical and organizational security measures related to each processing activity
A completed ROPA lists each processing activity involving personal data and provides detailed information about each of the items listed above. While this may sound like a simple task, building a complete list of processing activities is often a complicated and time-consuming endeavor, involving detailed documentation reviews and multiple rounds of interviews with business users and IT. Larger organizations may want to create individual ROPAs for each department or line of business and then roll up into a master enterprise-level record.
Due to the high volume of their processing activities involving personal data, midsize-to-large companies will likely need a data discovery tool to begin pulling together and organizing the various elements of the ROPA. Smaller organizations may want to start with a spreadsheet containing one row per processing activity (e.g., “Candidate offer of employment”) and one column for each of the fields listed above. Here’s a portion of an example from one of our projects:
Benefits Beyond Compliance
For companies covered by the ROPA requirement, creating and maintaining this record is a necessary part of their readiness plan. However, the ROPA process may represent the first time an organization takes a close look at its data processes from an enterprise-wide perspective. By working through each of these details in creating a ROPA, you can take the first step towards implementing sound data management practices across the organization.
Here are a few of the additional benefits we’ve identified for clients as we helped them create their ROPAs:
Eliminate Redundant Data
In creating your ROPA, you can identify cases of the same types of data being saved and updated in different locations at different times, which can make it impossible to identify which records are the most current, complete, and accurate. Once you identify these redundancies, you can build a single source of truth that allows you to get more business value from your data.
Prepare to Respond to Data Subject Requests
If a data subject requests access to or deletion of her data, the ROPA can help you identify which categories of her data you hold, where they are located, and how they are processed. Having this information readily available can enable you to respond to data subject requests promptly and accurately.
Plan for Data Retention
The ROPA’s “time limits for erasure” column requires stakeholders to think about their data retention schedule. For decades, organizations amassed data without considering how long it would continue to be relevant or useful. They created enormous data lakes that raise security risks and hamper their ability to leverage data in supporting business objectives if information cannot be located quickly or if there is any confusion over which data is the most current, accurate, and relevant. Thinking strategically about data retention schedules and implementing time limits allows the organization to control “data swell” and better leverage its data as a strategic asset.
Streamline Data Collection
Through the process of data discovery, some organizations realize they have been collecting certain categories of personal data that serve no specific purpose, and the ROPA can serve to validate that data collected actually has business value.
A Living Document
Technology is always changing, and so is your business. While the act of creating a ROPA is a best practice, the document can only continue to deliver value if you keep it up to date. When we work with clients, we recommend that their data governance committee review the ROPA at least once a quarter and update it as necessary.
How to Get Started
Your investigation into your data processing activities can begin with documentation you may have on hand: data privacy/security survey results, IT system documents, and, in larger organizations, output from data discovery tools. However, in our experience, gaining a thorough understanding of how an organization uses data requires sitting down and talking to the people who work with it, both in individual lines of business and in IT. Skipping this step can cause you to miss out on vital information that you need to build a comprehensive, accurate ROPA.
(Data) Knowledge Is Power
The more you know about your data, the more effectively and efficiently you can use it to achieve your business goals. Creating and maintaining a ROPA gives your organization a single source of truth about which personal data it holds.
The insights contained in your ROPA provide the necessary foundation not only for aligning with data privacy requirements, but also for implementing sound data management practices across the organization. And if you need some help getting started, we’re just a phone call away.