Record of Processing Activities (RoPA)
An organization’s record of processing activities (RoPA) refers to a requirement laid out in Article 30 of the General Data Protection Regulation (GDPR), which states, in part, that a controller must “maintain a record of processing activities under its responsibility,” including “all categories of processing activities.” A valid RoPA will be the product of efficient record-keeping procedures and accountability within an organization, and the continued review and maintenance of these procedures will promote compliance with GDPR standards.
For a RoPA to satisfy all requirements in Article 30, an organization should first have, for its own purposes, a reliable and accurate picture of all the data it controls and/or processes, as established through regular data mapping exercises. A comprehensive record of processing activities will ultimately be composed of everything accounted for by these exercises. A valid RoPA will contain the name and contact of the organization, as well as all parties involved in the handling of data, and their corresponding relationships (controllers or processors). It should provide reasons and methods for processing all personal data, as well as transactional history. Individuals, personal data, and third-party recipients of personal data will be appropriately and descriptively categorized in the record. It will include a history of data transfers and all relevant safeguards, as well as a description of all security measures in place across the organization, and how and where they are applied. In the most general sense, in the language of the Information Commissioner’s Office (ICO), an organization should “have an internal record of all processing activities carried out by any processors on behalf of [the] organization,” and be sure that all information is “formal, documented, comprehensive, and accurate.”
In addition to the above, the ICO recommends that a valid RoPA should provide access to supplementary materials wherever applicable. These might include records of consent, descriptions and copies of relevant contracts, privacy notices, histories of data breaches, and any other information relating to personal data that might provide an additional measure of depth and transparency to the RoPA. The lawful basis for all processing activities should also be accounted for here in detail, as well as all information relating to special category or criminal offence data.
Because so much of the information contained in a RoPA will be useful in other areas of compliance, keeping this record up to date is a particularly important aspect of meeting GDPR standards across the board. This is most easily accomplished by accurate and responsible record-keeping initiatives, reviewed and corrected wherever necessary on a regular basis. In addition to practicing effective and continuous data mapping, organizations can assist themselves by maintaining familiarity with Article 30 and consulting legal resources where areas of confusion might arise.