What is a Record of Processing Activities (ROPA)?
If you’ve been involved with (or even responsible for) your businesses GDPR management, it is likely that you have come across the acronym ROPA (or ROP) before. But what exactly is a ROPA and what does your business need to do with regards to it?
What is an ROPA
A Record of Processing Activities is an internal document that acts as register of your business’ personal data processing activities. It should be a singular document in which all departments provide input to, and fully list all processes in your business that involve processing personal data.
Is a ROPA a legally required document?
A ROPA is a legally required document unless your business meets certain criteria. However it is strongly recommended that, regardless whether it is a legal requirement, all businesses that are processing some form of personal data look to implement a ROPA document.
A ROPA document NOT a legal requirement for your business if one of the following criteria are met:
- You have under 250 employees.
- Personal data processing is done only occasionally and does not include any special categories of data.
What is the difference between regular and occasional data processing?
The best way to answer this question is to look at your core business activities.
Do you require the processing of personal data to complete your core business activities? For example, an online retail business will require the processing of customer personal data to fulfill orders. This would classify as regular data processing.
What does my ROPA need to contain?
Your ROPA document is legally required to contain the following categories of information:
- Your organisation’s name and contact details, whether it is a controller or a processor (and where applicable, the joint controller, their representative and the DPO);
- The purposes of the processing;
- A description of the categories of individuals and of personal data;
- The categories of recipients of personal data;
- Details of transfers to third countries, including a record of the transfer mechanism safeguards in place;
- Whether any special category data is being processed
- Retention schedules; and
- A description of the technical and organisational security measures in place.
ROPA best practice
Whilst there are legal requirements for ROPA, it is recommended that all organisatons adopt the following best practice:
- Undertake a data mapping exercise to discover what personal data flows through your organisation and your third-party suppliers. By involving stakeholders across all departments you should draw up a list of processes. In each of these processes you should identify the different types of personal data that you are processing, if/how you are collecting this data and where you are storing it, if/to whom you are transferring this data, and the lawful basis and purposes for this processing.
- Assign Business Process Owners (BPOs) who ensure data maps and ROPAs are up to date.
- Consider including additional fields into your ROPAs such as: a. information required for privacy notices, such as the lawful basis for the processing and the source of the personal data; b. Records of consent; c. controller-processor contracts; d. the location of personal data; e. DPIA reports; f. records of personal data breaches;
- Update your ROPAs to take into account the latest legislation. Effective March 2022, Data Transfer Impact Assessments (TIAs) are a legal requirement for restricted data transfers to 'non-adequate' countries? Add a TIA field to your ROPA.
- Update your ROPAs whenever a process changes, such as such as the processing new categories of personal data.
- Add a regular data mapping and ROPA review into your governance schedule.
If completed and managed correctly, you ROPA document should act as the foundation of your business’ privacy framework. By storing all your GDPR required information in one place, your business can better manage and fulfil its GDPR requirements as well as make your privacy manger/data protection officer’s life much easier!