The Data Protection Commission (DPC) has published a guidance document to assist controllers on how to approach the development of the Record of Processing Activities (RoPA) required under Article 30 GDPR. Prior to the publishing of this guidance document, the DPC conducted a RoPA sweep involving 30 organisations across the public and private sectors in Ireland. The guidance is a result of the findings and examinations from this sweep, which have not been made public.
This article will consider the compulsory elements of a RoPA as per Article 30 GDPR and will also outline the good practices supported by the DPC. Lastly, the article will also provide certain practical means towards achieving and maintaining compliance in regard to RoPAs.
What is the importance of a RoPA?
A RoPA, as its name suggests, is a repository of the processing activities that are carried out by an organisation, and it often takes the form of a word document or an excel sheet. It is one of the most essential documents that help to demonstrate compliance with the accountability principle. Additionally, developing a RoPA also contributes to a data protection by design approach by enriching the privacy and data protection culture within an organisation.
Supervisory Authorities have the power to request a RoPA for the purposes of investigations. In the case of DPC, the guidance mentions that an organisation will be provided a notice of ten days for providing access to its RoPA.
Thus, Trilateral Research recommends that all organisations maintain a RoPA as good practice to mitigate regulatory risks. However, the type of RoPA will depend on the role of an organisation in the processing activity (i.e. controller or processor) as described by Article 30(5) GDPR. The following section will outline certain compulsory elements of a RoPA.
Compulsory Elements vs Desirable Elements of a RoPA
According to Article 30 of GDPR, there are compulsory elements of a RoPA. These align with certain fundamental questions like who, what, why, when, where, and how about the processing activities, including the following:
- Name and contact details of the controller, where applicable joint controller, the controller’ s representative and the Data Protection Officer. (who is responsible?)
- Purpose of the processing activity. (why is the activity being carried out?)
- Description of the categories of data subjects and the categories of personal data. (what personal data is being processed?)
- Categories of recipients to whom the personal data have been or will be disclosed, including recipients in a third country or international organisation. (i.e. with whom will the data be shared)
- Transfers to a third country or an organisation by identifying the name of the country or the organisation. (where is the data processed?)
- Retention Periods envisaged i.e. stating the precise retention period rather than adding a hyperlink or mentioning another policy. (when to delete?)
- Description of the technical and organisational measures. (how is data kept secure?)
Additionally, the DPC recommends the following additional elements within a RoPA:
- Article 6 GDPR lawful basis for processing of personal data
- Article 9 GDPR basis for processing special category data
- Whether a data breach has occurred in respect of the processing activity
- The transfer mechanism (if applicable).
- Risk rating that an organisation has assigned to the processing activities
While identifying the essential and recommended categories of elements, the DPC noted the importance of ensuring that the compulsory elements are clearly differentiated from the desirable elements. Additional good practices, as recommended by the DPC, will be discussed in the following section.
Good General Practices and their Practical Implementation
The DPC notes that the applicability of Article 30 implies the “maintenance” of a RoPA, it is this term that the DPC has sought to elaborate upon through following good practices:
- Maintain a living RoPA: Ensure that the RoPA is kept up to date by continuously updating it and presenting the latest position on the organisations processing activities.
- Maintain an explanatory RoPA: Ensure that the RoPA itself is accompanied by explanatory notes that will detail steps that can be repeated and followed by employees in charge of maintaining the RoPA (definitions and guidance can help for those less familiar with data protection)
- Maintain a collaborative RoPA: Ensure the organisation as a whole participates in developing and maintaining the RoPA in collaboration with the DPO.
- Maintain a structured RoPA: Ensure that the RoPA is broken down and structured according to different business units or functions with the organisation.
- Maintain a balance between compulsory vs. desirable elements: Ensure that the RoPA is not seen as a checklist exercise. Instead it should be a tool to improve and monitor data protection compliance on a regular basis.
The good practices discussed above may appear to be daunting, however the DPC recommends the following practical means to achieve them:
- Internally setup review dates or weeks and identify key team members from the relevant business units to participate in updating a RoPA. Mention such review dates and weeks into the annual compliance reports to ensure continuity.
- Include within the RoPA a document or internal guidance containing:
- Definitions of key terms
- Version control table
- Explanatory notes on the available lawful basis (both Article 6 and 9)
- Dropdowns menus and filters could be used to increase coordination within the ROPA and to enable locating information
- Easy to find contact details for the DPO in case any queries arise
- Structure the document to ensure ease of use and navigation throughout the RoPA by including additional tabs or sheets within the document, if/ as needed.
The guidance published by the DPC is an excellent document to raise awareness and set industry standards in regard to the RoPA, as well as to provide clear suggestions from the most practical perspective. Despite the focus on Ireland, these recommendations are closely aligned with the GDPR and represent good practice no matter what jurisdiction within which an organisation is operating. Trilateral’s Data Protection and Cyber-Risk Team has significant experience advising and facilitating organisations in planning and delivering robust RoPA to meet the requirements of Article 30 GDPR. For more information, please feel free to contact our advisers.