In addition to being a requirement under Article 30 of the GDPR, the Record of Processing Activity (RoPA) can also be a key data protection compliance driver for your organisation. In previous articles, we have provided guidance on the specific requirements of Article 30, its relevance to organisations, the implications of non-compliance and the steps that can be taken to create and maintain an accurate record of processing activities. In this article, we will explore the management of the RoPA as a distinct project within your organisation. A successful RoPA implementation, as well as aligning with mandatory data protection requirements, will help establish robust organisation-wide good data management practices.
Recommendations to Project Plan your RoPA Activity
The GDPR mandates that controllers who are within scope of the Article 30 requirement (exemptions apply to micro, small and medium-sized organisations with fewer than 250 employees) must maintain a record of processing activities under their responsibility. The RoPA serves as a record of all the processing activities involving personal data in which the organisation engages. Depending on the context and size of the organisation, building a complete list of processing activities can be a complicated and time-consuming endeavour, particularly for medium to large organisations.
The following sets out the steps involved in planning and delivering a RoPA project plan:
Step 1 – Preparation of RoPA Template
Organisations should prepare a RoPA template in a granular and logical manner that will facilitate recording and mapping the entirety of the lifecycle of data associated with each processing activity undertaken. Larger organisations may wish to create individual RoPAs for each department or business unit. The core requirements of a RoPA, as set out by Article 30 of the GDPR, include the recording of information including, but not limited to:
- the purpose of processing;
- categories of data subjects involved;
- categories of data recipients;
- applicable retention periods; and
- whether data may be transferred to third countries.
Beyond these core data points, organisations should consider using the opportunity that conducting the RoPA activity provides to expand on these basic RoPA requirements, enabling the exercise to be a key compliance driver. Such expanded data points may include links to Data Processing Agreements (DPAs) and Data Protection Impact Assessments (DPIAs) and the identification of the information systems responsible for processing the data. Importantly, the RoPA should be structured in a manner that facilitates the data controller’s obligations under Article 5(2) (‘accountability’), Article 24 (‘Responsibility of the controller’) and Article 30 (‘Records of processing activities’) of the GDPR.
Step 2 – Identification of Departments/Key Stakeholders and Initiation of Engagement
In order to ensure an efficient RoPA rollout, organisations should identify key stakeholders across business units and departments. The selected individuals should be well-placed to identify and discuss the various processing activities that relate to their business area. Developing these key contact points will enable the mapping, planning, prioritisation and tracking of the RoPA reviews.
Obtaining the buy-in of senior management is essential in ensuring:
- the compliance exercise is supported by key stakeholders;
- appropriate resourcing is in place; and
- staff across the organisation are engaged in the process.
Consider issuing guidance to key departmental stakeholders ahead of the RoPA engagement. This guidance can set the expectations for the RoPA review, such as explaining the process, its purpose, the requirements, and the benefits, as well as providing an estimation of the duration of the exercise and its expected output.
Step 3 – RoPA Review
The RoPA review can be carried out in person, remotely or via questionnaire. However, meeting directly, whether in person or via video call, will help gain a better understanding of the day-to-day processes undertaken by each business function and can contribute to greater efficiency.
In conducting the review with key stakeholders, the following questions can be considered:
- Which business processes take place within the department?
- Why and how is the personal data processed?
- Whose personal data is held?
- What information is held about them?
- With whom is information shared and are data sharing agreements in place with any third parties involved?
- Is personal data transferred outside the EEA?
- How long is the personal data stored?
- How is the personal data kept secure?
To enable completion of the RoPA review, engagement may be required with other business functions, such as Legal, Information Governance or IT, to locate documentation such as data processing agreements, policy and procedure documents, or to seek clarification regarding technical safeguards.
Step 4 – Finalising your Review
To support the Data Protection Officer in monitoring the organisation’s compliance with the GDPR, designated departmental stakeholders may be required to dedicate time to undertake RoPA activities outside of their usual day-to-day responsibilities. Whilst some stakeholders may be tempted to see RoPA reviews as a “tick box activity”, once the benefits are clearly communicated, the vast majority are keen to know the outcome of their review and look for opportunities to contribute to developing a more robust record.
In this regard, upon finalising the review for each business function, it can be helpful, and indeed good practice, to formally follow up with stakeholders, detailing the outcome and any relevant findings of the review. The outcome, as well as providing a summary of the review, may identify steps that need to be taken as a result of the exercise or result in the issuing of guidance for staff to facilitate better data management. Such an approach further demonstrates compliance with the GDPR’s accountability principle. As the RoPA is an ongoing exercise, the next review date should be planned with stakeholders to ensure that the RoPA is kept up to date for the department or business unit.
Beyond Article 30 – Data Protection Compliance Plan
Whilst maintaining a record of processing activities is a mandatory requirement for most data controllers and processors, the outcome of the RoPA activity also promotes accountability. In addition, it can be used as a tool to provide greater transparency and a deeper insight into the organisation’s data and data management practices. The outcome of your review can thus be utilised to drive and inform your ongoing data protection compliance programme and promote greater accountability through the identification and proactive planning of:
- Departmental or organisation-wide reviews of policies, processes and procedures;
- A review of internal or external data sharing practices;
- The need to review and ensure implementation of data retention schedules;
- The implementation of strategies or working groups to address and implement improvements to the handling and management of data subject rights requests;
- Departmental or organisation-wide training and awareness exercises;
- Assessments to identify, assess and mitigate risks;
- Improved reporting of key performance indicators.
Trilateral’s Data Protection and Cyber-Risk Team has significant experience advising and facilitating organisations in planning and delivering robust Record of Processing Activity projects to meet the requirements of Article 30 GDPR. For more information, please feel free to contact our advisers, who would be more than happy to help you with your RoPA project.