How do we build a ROPA?
20th December 2021
Every organisation holds significant volumes of personal information under its control, and that information, or data, is used for many different purposes. Knowing what information you hold, where it is held and for what purpose is a legal requirement under the GDPR.
What is a ROPA?
A ROPA, which stands for ‘Record Of Processing Activities’, is simply a register of the personal data held within an organisation and how it is processed. The term ‘processing’ is interpreted widely and covers any activity, from collection, editing and viewing through sharing and transferring to deletion. The ROPA must contain an entry for any personal data held in an electronic format or in manual records kept in an indexed form.
A ROPA should include at a minimum:
- The names and contact details of the data controller, data processor, data controller’s representative, joint controller, and data protection officer;
- The purpose of processing personal data;
- Categories of data subjects and types of personal data being processed;
- Categories of recipients to whom the personal data has been or will be disclosed;
- Lawful basis of processing;
- Third parties who receive the data;
- A general description of the technical and organisational security measures applied to each processing activity.
Additionally, it may be helpful to also include:
- Who has access to the information;
- Details of any DPIA or LIA (risk assessments performed);
- Retention schedules;
- Review dates;
- Details of any data incidents or breaches;
- Details of any significant risks or concerns;
- Links to data sharing or data processing agreements.
Who needs a ROPA?
Every Controller must keep proportionate records of the personal data it holds and of the processing activities taking place within its organisation; Controllers with more than 250 employees must always keep a formal ROPA. The responsibility to build and maintain a ROPA applies to both controllers and processors. For organisations established outside the UK (or outside the EU, where the EU GDPR applies), the responsibility falls on their UK or EU representatives.
If you employ fewer than 250 people, you need only document processing activities that:
- are not occasional (e.g., are more than just a one-off occurrence or something you rarely do); or
- are likely to result in a risk to the rights and freedoms of individuals (e.g., something that might be intrusive or adversely affect individuals); or
- involve special category data or criminal conviction and offence data (as defined by Articles 9 and 10 of the UK GDPR).
Regardless of their size, most companies will be required to keep some form of ROPA, as it is very uncommon for a business not to carry out some processing on a regular basis or not to process special categories of data, especially in the context of human resources.
Building and maintaining a ROPA
The Data Protection Officer or equivalent usually manages the ROPA; however, the entries within the document are the responsibility of the individuals who own the relevant information assets (the technical name for a data repository). The individuals accountable for these repositories of personal data are typically heads of departments, as they often have the most insight into the data processing within their business activities.
The role of the DPO, or Privacy Officer, is to ensure that the ROPA is accurate, and they should have oversight of the entries and provide support to information asset owners where necessary.
There are three crucial things you must do when building your ROPA:
- Identify processes;
- Document processing activities;
- Update regularly.
We will go through each of these in more depth.
Step one is to determine what information is being held and how it is being used (or processed). This can be achieved by conducting an audit or a data-mapping exercise. You should meet directly with key departments in your business such as HR, Marketing, Finance, Sales and Customer Support. This will help you better understand how data is used, and you can document the details and data flows. Other departments in your business will also hold relevant information about processing activities: the IT department will have information about the technical security measures, and the Legal department will keep track of data-sharing agreements.
Other relevant information can also be found in existing documents such as data protection policies, data retention policies, data protection contracts and data sharing agreements. By locating and reviewing the details of these documents, you can compare the intended and actual data processing activities.
When you are identifying each personal data processing activity, you should be able to answer the seven questions below:
- How do you process personal data?
- Why do you use personal data?
- Who do you hold information about?
- What information do you hold about them?
- Who do you share it with?
- How long do you store it for?
- How do you keep it safe?
Document processing activities
Ideally, your ROPA should be kept in a database or spreadsheet, but any electronic or manual form is permitted. ROPAs are not just created and filed away to gather dust; they are living documents and must be maintained. This involves adding, removing and amending entries as necessary, and, crucially, each processing activity must be reviewed at least once a year.
Whether you are a Controller or a Processor affects the content and structure of the ROPA. The ROPA of a Controller is usually more comprehensive than that of a Processor, because controllers must record more information.
The complexity and structure of your company will determine the most suitable course of action for creating a ROPA.
When building your ROPA, you must ensure that it is structured in a manner that fulfils all obligations under:
- Article 5 (2) GDPR (accountability)
- Article 24 GDPR (controller’s responsibilities under the GDPR)
- Article 30 GDPR (Records of Processing Activities)
To avoid unnecessary documents and duplication, you can refer to your company’s existing data retention and data protection policies within the ROPA rather than repeating their content.
Please Note: A Data Protection Authority can demand to see your ROPA, and if you are required to have one and do not, this is a serious matter, especially if a data breach has taken place.
Your ROPA must represent the current situation of your data processing activities and, therefore, must be updated regularly, as mentioned previously, at least annually. Updates must be made if anything changes to the processing conditions. This can include new categories, changes to the purposes of processing, and changes in details of third parties who will receive the data.
To keep your ROPA up to date and accurate, you should regularly review the information you process.
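As an added illustration (not part of the original article or any product it describes), the check below audits a ROPA kept as a spreadsheet-style register for the minimum content listed above and for the annual review requirement. It assumes each processing activity is stored as a dict whose field names are our own choice, and the two sample entries are constructed, fictional values.

```python
# Checks a ROPA register (one dict per processing activity) for the minimum content and annual review.
from datetime import date, timedelta

REQUIRED_FIELDS = (  # minimum content per processing activity, as listed in the article (assumed names)
    "activity", "controller_contact", "dpo_contact", "purpose",
    "data_subject_categories", "personal_data_categories",
    "recipient_categories", "lawful_basis", "third_parties", "security_measures",
)
REVIEW_PERIOD = timedelta(days=365)  # each entry must be reviewed at least once a year

# Constructed sample register with fictional values (not a real organisation's data).
SAMPLE_ROPA = [
    {"activity": "Payroll", "purpose": "Paying staff and reporting to the tax authority",
     "controller_contact": "Example Ltd, privacy@example.com", "dpo_contact": "dpo@example.com",
     "data_subject_categories": ["employees"],
     "personal_data_categories": ["name", "bank details", "salary"],
     "recipient_categories": ["payroll provider", "tax authority"],
     "lawful_basis": "legal obligation", "third_parties": ["Example Payroll Services"],
     "security_measures": "Access limited to HR; encrypted at rest",
     "last_reviewed": "2021-03-01"},
    {"activity": "Marketing newsletter", "purpose": "Sending product news to subscribers",
     "controller_contact": "Example Ltd, privacy@example.com", "dpo_contact": "dpo@example.com",
     "data_subject_categories": ["customers", "prospects"],
     "personal_data_categories": ["name", "email address"],
     "recipient_categories": ["email service provider"],
     "lawful_basis": "", "third_parties": ["Example Mail Platform"],  # lawful basis never recorded
     "security_measures": "Provider contract; 2FA on admin accounts",
     "last_reviewed": "2020-11-15"},  # last review more than a year before the audit date
]

def missing_fields(entry):
    """Return the required fields that are absent or empty in one ROPA entry."""
    return [f for f in REQUIRED_FIELDS if not entry.get(f)]

def review_overdue(entry, today):
    """True if the entry was never reviewed or its last review is more than a year old."""
    last = entry.get("last_reviewed")
    return not last or today - date.fromisoformat(last) > REVIEW_PERIOD

def audit_ropa(ropa, today_iso):
    """Map each activity name to its findings as of today_iso (YYYY-MM-DD); [] means in order."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for entry in ropa:
        issues = [f"missing: {f}" for f in missing_fields(entry)]
        if review_overdue(entry, today):
            issues.append("review overdue")
        findings[entry.get("activity", "<unnamed>")] = issues
    return findings
```

Running `audit_ropa(SAMPLE_ROPA, "2021-12-20")` reports the newsletter entry for its missing lawful basis and overdue review, while the payroll entry passes.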
You can find out more about how to build a ROPA on the ICO website. If you are unsure about anything we have mentioned in the blog above and feel that you would benefit from the peace of mind and additional support of working with specialists in this field, please contact us here or take advantage of your complimentary 30-minute consultation.