What Is a RoPA (Record of Processing Activities)?
A company may store, process, or transmit personal data for one of several business-related purposes, such as completing a credit card transaction or obtaining an employee’s address and telephone number during the onboarding process.
This type of personal data, commonly called personally identifiable information (PII), is a valuable target for attackers and must be safeguarded at all costs. In short, PII is the information that makes up a person's identity and online presence. Enacting data privacy policies isn't just a wise business practice: depending on your business, it may be a legal requirement.
For example, Article 30 of the General Data Protection Regulation (GDPR) stipulates that organizations that process or control personal data must maintain a thorough, written log of their data processing activities.
This is known as a record of processing activities (RoPA).
What Is A Record Of Processing Activities Used For?
A RoPA is an obligatory internal accountability document that can help an organization map out its general processing practices for personal data in accordance with data protection law and regulations.
Creating a data map, including a personal data inventory, is the first critical step down the path of compliance. For example, if a data subject makes a data subject access request (DSAR), the RoPA will help the business promptly and accurately provide the relevant information about the organization’s data practices.
On request, a supervisory authority can ask for a copy of this record to determine whether the company's processing and storage activities comply with the relevant privacy regulations.
What Is Included Under RoPA GDPR?
Pursuant to GDPR Article 30 (1), every RoPA for a data controller or processor must include—wherever applicable—the following information:
- The name and contact details of the controller and, where applicable, of:
  - The joint controller
  - The controller's representative
  - The data protection officer
- The purposes of the processing
- A description of the categories of data subjects and of the categories of personal data
- A description of the categories of recipients to whom the personal data has been or will be disclosed
- Transfers of personal data to a third country or international organization
- The expected time limits for erasure of the data
- A general description of the technical and organizational security measures
Who Must Maintain a Record of Processing Activities?
Under the GDPR, your organization is required to maintain a written RoPA if it processes any data from EU citizens and has more than 250 employees. A smaller organization must still keep a record of processing activities if:
- The data it processes could pose a risk to the rights and freedoms of data subjects
- Its personal data processing is not occasional
- The data it processes falls into a special category, meaning it concerns a person's:
  - Racial or ethnic origin
  - Political opinions
  - Religion or philosophical beliefs
  - Trade union membership
  - Health data
  - Sexual orientation
  - Sexual activity
  - Genetic data
  - Biometric data
- The data it processes includes personal data relating to criminal convictions and offenses
The data controller or processor is responsible for keeping and maintaining the RoPA. That said, a common practice is to designate a data protection officer (DPO) responsible for managing RoPA Article 30 activities.
In that capacity, the DPO is free to decide how these records are kept. Excel and Google Sheets are popular tools for this, and various GDPR record of processing activities templates are available. Publicly available examples include:
- The UK Information Commissioner's Office (ICO) template
- The French Commission nationale de l'informatique et des libertés (CNIL) template
Is Keeping a Record of Processing Activities Obligatory?
If your organization, as a data processor or controller, satisfies the conditions above, it is legally required to maintain a RoPA. According to Article 30:
“The obligation to create records of processing activities is not only imposed on the controller and their representative but also directly on the processor and their representatives as outlined in Art 30(2) of the GDPR.”
If your company is obligated to maintain a RoPA but fails to do so, or fails to provide a complete record to the authorities upon request, it is subject to potential fines and penalties. The severity of the consequences depends on the business and its violations. Ten criteria go into this fine calculation, including:
- Nature of infringement
- Intention
- Mitigation
- Preventative measures
- History
- Cooperation
- Data type
- Notification
- Certification
- Other aggravating or mitigating factors
Once this determination is made, the violator may be assigned a fine according to one of two tiers:
- Level 1 – Up to €10 million or 2% of the annual turnover of the preceding financial year (whichever is higher)
- Level 2 – Up to €20 million or 4% of the annual turnover of the preceding financial year (whichever is higher)
DataGrail Helping You Comply with RoPA Article 30
Record of Processing Activities documentation is a compliance requirement under the GDPR. But tracing and organizing all that data is a tall task—one a data mapping platform can help accomplish.
To complete a RoPA, you need to know exactly where every piece of the relevant data lives.
That’s where a service provider like DataGrail makes the difference.
Our Live Data Map provides a blueprint of all your organization’s data, empowering you to reduce errors, save time, and minimize risk. DataGrail auto-detects and categorizes which systems contain personal data, and whenever a new third-party system is added, you receive an instant alert.
If you're ready to maintain data integrity and automate operations with a dynamic RoPA, request your free demo.
Sources:
GDPR. Records of Processing Activities. https://gdpr-info.eu/art-30-gdpr/
Office of the Data Protection Ombudsman. Processing of special categories of personal data. https://tietosuoja.fi/en/processing-of-special-categories-of-personal-data
Deloitte. GDPR Top Ten #4: Maintaining records of processing activities. https://www2.deloitte.com/ch/en/pages/risk/articles/gdpr-maintaining-records-of-processing-activities.html