Under Article 30 of the GDPR, controllers and processors of personal data must keep a Record of Processing Activities (RoPA). This is a living document which describes all the types of personal data that your organisation controls and/or processes. It is a detailed document and should include the following:
- The name and contact details of the controller/joint controller/controller’s representative and the data protection officer
- The categories of data subjects
- The categories of personal data
- The categories of recipients to whom the personal data have been or will be disclosed (this includes recipients in third countries or international organisations); in these cases, documentation of the suitable safeguards must also be included
- The envisaged time limits for erasure of the personal data
- A description of technical and organisational measures to keep the data secure
A RoPA is similar to an Information Asset Register in that it forms the ‘register’ of the personal data processing you carry out. The list above covers the minimum information to be included, but you could also add additional information such as the locations / systems used to store personal data and the names of data owners. You could also record the lawful bases for processing and include links to DPIAs and LIAs.
We tend to think of a RoPA as a ‘dashboard’ for data processing activities as it provides an overview of key information from which you can identify higher processing risks and then ‘drill down’ into more detail.
The Article 29 Working Party (now the European Data Protection Board) took a similar view in their Data Protection Officer guidance, in which they stated that a Record of Processing Activities “should be considered as one of the tools enabling the DPO to perform its tasks of monitoring compliance, informing and advising the controller or the processor”.
Is the Record of Processing Activities (RoPA) Mandatory?
Yes! The RoPA must be readily available to your supervisory authority (the Information Commissioner’s Office in the UK) on request, in hard and soft format. Under GDPR it is a mandatory document, with the caveat that companies with fewer than 250 employees do not need to comply unless the data they are processing:
- Is likely to result in a risk to the rights and freedoms of the data subjects (a definition of this can be found here)
- Is processed frequently, i.e. more than once or twice a year
- Includes special categories of data referred to in Article 9 (described here), or personal data relating to criminal convictions and offences.
Even if your organisation falls within the Record of Processing Activities exemption, we’d recommend creating one. It shows accountability, and as the old saying goes ‘if you can’t measure it you can’t manage it’.
What if I don’t have a Record of Processing Activities?
If your supervisory body, the ICO for UK based businesses, asks to see your RoPA and you can’t supply it, you risk the standard maximum fine which applies to infringements of administrative requirements under GDPR. This could amount to €10 million (or the equivalent in UK Sterling) or 2% of total annual global turnover (from the preceding year), whichever is higher.
In truth, it’s incredibly unlikely that you’ll be hit with a multi-million pound fine for not having a RoPA, but if you are subject to an investigation it’s not going to be a great start if you can’t furnish the ICO with your Record of Processing Activities at the outset.
Your RoPA also helps inform other GDPR obligations. For example, it can help inform your privacy notices, it helps identify where data processing agreements and DPIAs are required and makes you think about the technical and organisational measures applied to ensure the security of processing.
How do I create a Record of Processing Activities?
If you want this project to be a success, I recommend you get support and buy-in from board level first. This should ensure you have the necessary resources to do the job properly, and it will help encourage engagement across the business.
The starting point for a Record of Processing Activities is often a data map that helps you understand how personal data is collected, when, why, who has access to it and how it flows within your organisation and to external parties. The Isle of Man Information Commissioner has provided good guidance on how to get started with data mapping.
Start your information gathering broadly across the business and narrow it down as you progress. Work with each business function (HR, Marketing, IT etc.) to identify and map the data they process: whose data it is, what they do with it, how they store it and how long they keep it.
If your data map covers the information required by your RoPA you won’t need a separate document. If you do want a dedicated RoPA though, you can create your own template or use the templates for controllers and processors provided by the ICO. The format is ultimately down to you and various templates can be found via a web search. Privacy software vendor OneTrust has translated the template created by the Belgian supervisory authority for example, which can be downloaded here.
Remember, creating the document from scratch is the hard part, but once it’s done you have a living document which shouldn’t require the same level of work thereafter, provided you keep it updated on a little and often basis. GDPR doesn’t stipulate how often you should review your RoPA, stating instead that it should always be up to date. Therefore, I suggest updating the document if any process or purpose of processing changes, or if new processing activities are introduced. An annual management review is also recommended.
If you need help creating your Record of Processing Activities, we can help. Please contact us for an informal chat or advice.