Records of Processing Activities (RoPA): what is it?

Article 30 of the GDPR requires your company to keep a record of its processing activities.


Introduction

Have you come across the term Records of Processing Activities (RoPA) before? Perhaps you know it's linked to GDPR standards. But you are unclear about the specifics, such as what it precisely involves, how to create one, and its benefits for you? This article aims to guide you through these questions.

We'll delve into the details of GDPR Article 30, focusing on the content and appropriate times to use RoPA. To make the information as accessible as possible, the article includes practical examples.

To conclude, I'll share some best practices for creating and maintaining a RoPA effectively. With these tips, you can ensure a solid start when preparing your business's Record of Processing Activities.

What does Records of Processing Activities (RoPA) mean?

Your Record of Processing Activities (RoPA) is a report. It outlines how personal data is processed in your business. The RoPA is also known as an Article 30 record.

A processing activity details how personal data is handled within the company. For example, consider your payroll process. You document who the personal data is about, the purpose of processing, and what data is processed. You also note any third parties the data is shared with, like a data processor. This could be your payroll system provider or an external accountant.

Article 30 of GDPR lists what information about your processing activities must be recorded. The RoPA is therefore a report that gives an overview of all processes involving personal data, together with the information Article 30 requires.

Read more: How to implement GDPR in 10 easy steps

Your RoPA should include the following points:

  • The name and contact details of the data controller, i.e., your business responsible for processing the personal data.

  • The purposes of your processing.

  • A description of whose data is processed (categories of data subjects) and what personal data is processed about these individuals (categories of personal data).

  • The recipients to whom the personal data is sent, which could be processors or other controllers.

  • The geographical location of these recipients, i.e., whether the transfer is to other EU countries, secure third countries, or insecure third countries.

  • The deletion periods, i.e., how long you store the data subjects' personal data.

  • Technical and organisational security measures.

Your RoPA must contain this information. There's no specific format required, but the record must be clear and easy to read. It might be organised in a table with relevant information in separate columns and your processing activities listed in rows.

What is a RoPA used for?

A Record of Processing Activities (RoPA) serves one primary purpose: to provide an overview. A RoPA should be quick and easy to understand while giving insight into how personal data is processed and identifying any gaps. Thus, your RoPA lays the foundation for much of your further GDPR work.

GDPR compliance involves more than maintaining a RoPA. Yet, it is a crucial part of your documentation, because it is from the RoPA that you can delve deeper into the rest of it. From there, you can assess your legal basis for processing, whether you have data processor agreements in place with all relevant processors, and so on.

Having a robust RoPA simplifies your ongoing GDPR efforts. The RoPA serves as your baseline, upon which you can build further. It also plays a role in creating your privacy policy and conducting risk assessments (and a DPIA), which are key components of a sound GDPR compliance process.

Information from your RoPA is incorporated into both your privacy policy and your risk assessments of the data subject. This makes the work on these aspects easier, as much of the information can be taken directly from your documented processing activities.

Read more: What is a Risk Assessment Matrix?

Furthermore, the RoPA is a legally required document that you must be able to present during, for example, an inspection visit from the Data Protection Authority. Thus, you must also be able to export and hand over the document in a format that is readable and understandable by third parties (Article 30(4) of GDPR).

Who needs RoPA?

There are two scenarios where a Record of Processing Activities (RoPA) is needed. The first applies to all companies, and the second to those companies acting as data processors for other data controllers. Earlier, I described a RoPA under GDPR Article 30.1, concerning data controllers. If you also serve as a data processor, it's pertinent to focus on the RoPA for data processors under Article 30.2.

As a Data Controller

If your company processes personal data of employees and/or customers, you need to maintain a RoPA under Article 30.1. It's a requirement for all businesses to keep this record. And since nearly every company falls under this bracket, you'll likely need to maintain one too.

An example is storing information about your employees, such as through employment contracts. These contracts contain personal data, including, for example, the employee's name. This process must, therefore, be part of your record. When it comes to records, there is no distinction between processing general personal information (like contact details) and sensitive personal data (like health information); both must be included in your RoPA.

As a data controller, you must always maintain a RoPA under Article 30.1.

As a Data Processor

A RoPA under Article 30.2 is only required for companies acting as data processors. For instance, if you're an IT supplier providing IT systems to your clients, you process personal data on their behalf and have entered into data processor agreements with them. In this case, you must keep a separate RoPA under Article 30.2. This record should include:

  • Name and contact details of the data processor (you).

  • The categories of personal data you process on behalf of the data controller (the client).

  • Whether this data is transferred to a third country, such as the USA.

  • A description of the technical and organisational security measures.

You need to prepare such a record for each client for whom you process data. Thus, it's crucial that the record is segmented by client, with a clear delineation of the processing activities you perform on behalf of each.
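The controller fields listed under Article 30.1 above and the processor fields listed under Article 30.2 can be checked mechanically before a record is exported electronically. The following is an added example, not the article's or the .legal platform's own code: the field names, the location labels, the `transfer_safeguard` field used to document a transfer to an insecure third country, and the sample payroll and newsletter activities are all constructed for illustration.

```python
import csv
import io

# Constructed field names mirroring the Article 30.1 / 30.2 points in the article.
CONTROLLER_FIELDS = ("controller_contact", "purpose", "data_subjects",
                     "data_categories", "recipients", "recipient_location",
                     "retention_period", "security_measures")
PROCESSOR_FIELDS = ("processor_contact", "client", "data_categories",
                    "third_country_transfer", "security_measures")
# Recipient locations as the article groups them.
LOCATIONS = {"EU", "secure_third_country", "insecure_third_country"}


def validate(record, role):
    """Return findings for one processing activity; an empty list means it passes."""
    required = CONTROLLER_FIELDS if role == "controller" else PROCESSOR_FIELDS
    findings = [f"missing {field}" for field in required if not record.get(field)]
    if role == "controller":
        loc = record.get("recipient_location")
        if loc and loc not in LOCATIONS:
            findings.append(f"unknown recipient_location {loc!r}")
        # Assumed check: a transfer to an insecure third country should carry a documented safeguard.
        if loc == "insecure_third_country" and not record.get("transfer_safeguard"):
            findings.append("insecure third country transfer without documented transfer_safeguard")
    return findings


def export_csv(records, role):
    """Render the record as CSV, one activity per row, ready for hand-over (Article 30(4))."""
    fields = CONTROLLER_FIELDS if role == "controller" else PROCESSOR_FIELDS
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore")
    writer.writeheader()
    for record in records:
        writer.writerow(record)
    return buf.getvalue()


# Constructed sample activities for a controller record.
PAYROLL = {"controller_contact": "Example Ltd, dpo@example.com", "purpose": "Salary payment",
           "data_subjects": "Employees", "data_categories": "Name, bank account, salary",
           "recipients": "Payroll provider (processor)", "recipient_location": "EU",
           "retention_period": "5 years after employment ends",
           "security_measures": "Access control, encryption at rest"}
NEWSLETTER = {"controller_contact": "Example Ltd, dpo@example.com", "purpose": "Newsletter",
              "data_subjects": "Subscribers", "data_categories": "Name, e-mail address",
              "recipients": "Mailing service (processor)", "recipient_location": "insecure_third_country",
              "security_measures": "Access control"}  # retention_period and safeguard missing

if __name__ == "__main__":
    for name, activity in (("payroll", PAYROLL), ("newsletter", NEWSLETTER)):
        print(name, validate(activity, "controller") or "ok")
    print(export_csv([PAYROLL], "controller"))
```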

Record of Processing Activities (RoPA) and GDPR Compliance

As previously mentioned, your Record of Processing Activities (RoPA) is crucial for your GDPR compliance efforts. You can't achieve GDPR compliance without having your RoPA in order. Moreover, you need to ensure that your RoPA is kept up-to-date, which may involve:

  • Changes within your company and its processes. Are you introducing a new process that involves personal data? This process must be recorded in your RoPA. If changes occur in existing processes, affected processing activities must be updated to reflect reality. Hence, the record should be regularly validated and updated based on how your company evolves.

  • Legal updates: If changes in GDPR legislation affect your RoPA, you must incorporate them both into your processing and into your record. For example, if a deletion deadline you've set is no longer deemed sufficient, you need to adjust your procedures and update the record.

Being GDPR compliant isn't "just" about maintaining a record. Importantly, what you document in your RoPA must also be adhered to in practice. If you list several security measures, you need to ensure these are implemented within your company. Otherwise, the record is merely a piece of paper. You achieve full compliance only when you both document your processing and implement what's documented in your business.

What are the benefits of RoPA?

There are numerous advantages to maintaining a Record of Processing Activities. For instance, it can serve as the foundation for your ongoing GDPR work, as mentioned before. Another benefit is that a well-maintained RoPA acts as solid proof of your organisational control.

An updated record that contains all necessary information and can be presented promptly demonstrates compliance effectively. Conversely, if assembling the record takes a considerable amount of time, it may raise suspicions about other uncontrolled areas within your company.

For example, you may be asked to present your RoPA during an inspection visit. In such cases, being able to quickly prove you have the required documentation in order is a significant advantage. It's plausible that the RoPA would be the first item inspectors ask to see.

An updated and well-organised RoPA can also interest other third parties, such as during audits or in the context of a business sale, where there is a keen interest in seeing evidence of your GDPR work. Showcasing an up-to-date, streamlined RoPA indicates you have your affairs in order.

What are some best practices to create & maintain RoPA?

Article 30(3) of GDPR specifies that you must be able to present your Article 30.1 and Article 30.2 Records in electronic format. Thus, the first point on a "best practices" list would naturally be to keep your RoPA electronically.

This might be an Excel sheet, a Word document, or a platform designed for documenting and maintaining records.

Read more: What is the difference between Excel and a dedicated GDPR tool

The next step is to make it clear and "personal". Create a RoPA that reflects your company and the processes that are natural to describe for your business. This will likely also make the RoPA easier to understand. Moreover, it allows you to communicate more clearly with colleagues, focusing more on work processes than on GDPR per se.

Ensure you regularly update your RoPA. It's regrettable to spend a lot of time crafting your RoPA, only to store the Excel file in a folder on your computer and forget about it. If the record sits for years and collects dust, it probably will no longer represent reality. Do yourself a favor by having a process in which you periodically review your documentation of processing activities to see if updates are needed.

Read more: Use the compliance task management to notify you and colleagues on GDPR tasks

Make the RoPA a collaborative effort. It's crucial to have someone responsible for the record, but it's beneficial to have several colleagues contribute to the documented processing activities. Likely, the marketing department employees know best which personal data they handle when, for example, sending out newsletters. Therefore, make it natural to discuss processing activities, interview employees, or use a collaboration platform so colleagues can provide updates on the processing activities they are responsible for.

With the .legal compliance platform, Privacy, we've streamlined this process. Here, we offer, among other things, the ability to document your processing activities, delegate tasks to colleagues, set up validation flows and reminders, and actively use the RoPA in, for example, your risk assessments.

And most importantly, you can retrieve your RoPA with just a few clicks and export it in a format that can be presented to, for instance, an inspection authority.


FAQ

Is a Record of Processing Activities (RoPA) Required?

Yes, as a data controller, you must be ready to present a Record of Processing Activities (RoPA) under Article 30.1 at any request. Acting as a data processor too? Then, you also need to be prepared to show a RoPA under Article 30.2 upon request.

Is a RoPA the Same as Data Mapping?

Your data mapping forms the basis for your RoPA. You're required to keep a record of your processing activities, and data mapping precisely documents these. Thus, your RoPA becomes a defined report showcasing relevant information from your data mapping, aligning with GDPR standards.

Read more: How to make your GDPR data mapping simple 

What's the Format of a RoPA?

There's no predefined format for a RoPA. However, requirements exist regarding the information it must contain, and it must be deliverable in an electronic format. Records are most commonly executed in Excel or on a platform designed for this purpose, facilitating GDPR compliance and data privacy.

What is a Risk Assessment in a RoPA?

GDPR adopts a risk-based approach to data protection. According to GDPR, conducting a Data Protection Impact Assessment (DPIA) is mandatory. This involves risk assessments of your processing activities. Therefore, your RoPA lays the foundation for these assessments, as the information it holds is critical for evaluating potential risks.

Read more: How to make a Data Privacy risk assessment
