Following the ‘Ask the DPC anything’ webinar hosted by the Irish branch of EADPP – European Association of Data Protection Professionals, it has been suggested that the Irish Supervisory Authority, the Data Protection Commission (DPC), is planning a “deep dive” review of organisations’ documentation of their processing activities across a range of sectors. The DPC plans to publish the findings of the review. Article 30 of the GDPR requires organisations that process personal data to maintain a record of their processing activities (ROPA). Moreover, there is an obligation to make this record available to your supervisory authority upon request. This article provides guidance on the specific requirements of Article 30, its relevance to your organisation, the implications of non-compliance and the steps you can take to create and maintain an accurate record of processing activities.
Our increasingly data-driven world and advancements in technology, big data and artificial intelligence have resulted in an exponential growth in data that is spread across diverse ecosystems and stored in many formats, such as paper, electronic and audio. As such, achieving visibility over personal data and having an accurate data inventory map can be a challenge. Moreover, ROPAs found not to meet the requirements of Article 30 can result in heavy fines. For example, a fine of €17 million was issued by the DPC to Meta, Facebook’s parent company, following the notification of 12 data breaches. A Meta spokesperson stated the fine was a result of (poor) record-keeping practices from 2018, rather than the breaches themselves.
Further, France’s data protection authority, the National Data Protection Commission (CNIL), imposed a €50 million penalty on Google for infringement of essential principles of the GDPR, including transparency, information and consent.
A well maintained ROPA should assist in providing a clear picture of the data an organisation processes, including information on:
- What processing activities the organisation undertakes;
- Why they process personal data;
- Whose data they process;
- What kinds of or categories of data they process;
- Who data is shared with;
- How long they store the data;
- When they should delete this data;
- What measures are used to protect the data.
In short, record-keeping via a formally documented, comprehensive and accurate ROPA, based on data mapping that is regularly reviewed, demonstrates an organisation’s commitment to the GDPR’s accountability principle.
Benefits to your organisation?
Aside from complying with the GDPR, an accurate ROPA gives data controllers and data processors visibility of an organisation’s processing activities in one place and, in doing so, provides a basis to:
- Implement data protection by design and by default;
- Identify the need for creating or updating processes and procedures;
- Identify data redundancies;
- Locate records within the scope of DSARs and individual rights requests;
- Identify gaps in privacy notices;
- Identify and manage potential data protection risks;
- Document cross-border transfers and appropriate safeguards in place;
- Document the security measures protecting personal data;
- Record details of data processors, agreements and DPIAs.
Article 30 – Develop, Implement and Roll-Out Recommendations
The structure of your record of processing activities may differ from organisation to organisation depending on its size or industry. In the absence of automation tools, guidance templates such as the one from the UK Information Commissioner’s Office (ICO) can help, whether you are a processor or a controller.
In preparation for your data mapping activity, consider devising a project plan that identifies the strategies and actions that may be required to secure practical, productive stakeholder involvement, such as:
- Obtaining management buy-in and making a case that states the benefits of an Article 30 record and the potential implications of not maintaining one;
- Providing an overview of the benefits to the organisation;
- Planning resources and timelines;
- The identification and engagement of key stakeholders to initiate interviews;
- Collecting information from the stakeholders via an assessment sheet/ROPA template;
- Reviewing the findings to establish gaps;
- A plan to remediate the gaps;
- Linking PIAs/DPIAs and Data Processing Agreements to your ROPA;
- A plan to review the processing activities based on risk areas. For example:
  - For high-risk processes, follow a quarterly review process;
  - For medium-risk processes, a bi-annual review;
  - Low-risk activities can be reviewed on an annual basis.
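The two checks a reviewer would actually run against a ROPA are the ones this article describes: are the Article 30 elements listed earlier (purpose, data subjects, categories, recipients, retention, deletion, security measures) all documented for each activity, and is each activity’s review overdue for its risk tier? The following Python script is an added example, not code from the article or from Trilateral; the field names, the day counts chosen to represent quarterly, bi-annual and annual reviews, and the two sample activities are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List

# Assumed mapping of the review cadences described above to day counts:
# quarterly for high risk, bi-annual for medium, annual for low.
REVIEW_INTERVAL_DAYS = {"high": 91, "medium": 182, "low": 365}

# The Article 30 elements listed earlier in the article; an empty one is a gap.
REQUIRED_FIELDS = (
    "purpose", "data_subjects", "data_categories", "recipients",
    "retention_period", "deletion_rule", "security_measures",
)


@dataclass
class ProcessingActivity:
    """One row of a ROPA (hypothetical field names)."""
    name: str
    risk: str                      # "high", "medium" or "low"
    last_reviewed: date
    purpose: str = ""
    data_subjects: List[str] = field(default_factory=list)
    data_categories: List[str] = field(default_factory=list)
    recipients: List[str] = field(default_factory=list)
    retention_period: str = ""
    deletion_rule: str = ""
    security_measures: List[str] = field(default_factory=list)


def missing_fields(activity: ProcessingActivity) -> List[str]:
    """Return the Article 30 elements left empty on this record."""
    return [f for f in REQUIRED_FIELDS if not getattr(activity, f)]


def next_review_due(activity: ProcessingActivity) -> date:
    """Date by which the record should next be reviewed, by risk tier."""
    if activity.risk not in REVIEW_INTERVAL_DAYS:
        raise ValueError(f"unknown risk tier {activity.risk!r} on {activity.name}")
    return activity.last_reviewed + timedelta(days=REVIEW_INTERVAL_DAYS[activity.risk])


def ropa_gap_report(activities: List[ProcessingActivity], today: date) -> Dict[str, object]:
    """Summarise incomplete records and overdue reviews across the inventory."""
    incomplete = {a.name: missing_fields(a) for a in activities if missing_fields(a)}
    overdue = [a.name for a in activities if next_review_due(a) < today]
    return {"incomplete": incomplete, "overdue": overdue}


# Constructed sample inventory; these are not real processing activities.
SAMPLE_ROPA = [
    ProcessingActivity(
        name="Payroll", risk="high", last_reviewed=date(2024, 1, 1),
        purpose="Pay staff and meet tax obligations",
        data_subjects=["employees"],
        data_categories=["bank details", "tax identifier"],
        recipients=["payroll provider", "tax authority"],
        retention_period="7 years after employment ends",
        deletion_rule="Purge in year-end batch once retention expires",
        security_measures=["role-based access", "encryption at rest"],
    ),
    ProcessingActivity(
        name="Marketing newsletter", risk="low", last_reviewed=date(2024, 1, 1),
        purpose="Send product updates to subscribers",
        data_subjects=["subscribers"],
        data_categories=["email address"],
        # recipients, retention period and deletion rule were never documented
        security_measures=["MFA on mailing platform"],
    ),
]
SAMPLE_TODAY = date(2024, 6, 1)  # constructed "today" for the report

if __name__ == "__main__":
    # Payroll (high risk, reviewed 1 Jan) is overdue by June; the newsletter is
    # not yet due but is missing three Article 30 elements.
    print(ropa_gap_report(SAMPLE_ROPA, SAMPLE_TODAY))
```

In practice the inventory would be loaded from the organisation’s ROPA template rather than declared inline, and the report would feed the remediation plan: incomplete records go back to their stakeholder for the missing elements, overdue ones are scheduled for review.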
Any organisation or business collecting and processing personal data should ensure that their data protection practices are being consistently revised and kept up to date with the latest guidelines.
Trilateral’s Data Protection and Cyber-Risk Team has significant experience advising organisations and other entities on advanced data management and compliance, as well as supporting experts working within research, business or regulatory bodies to advance knowledge and practice on responsible data practices. For more information, please feel free to contact our advisers, who would be more than happy to help.