What is a ROPA, why you need one, and how to make the process easier

Working toward GDPR compliance means taking inventory on the data you collect and process. You’ve mapped your data, have a catalog of impact assessments, but now you need a way to present it all for regulators to review.

As far as the general data protection regulation (GDPR) is concerned, every piece of data processing you do needs a record, and those records are stored in a record of processing activities (ROPA). Regulators use a ROPA to get a full picture of your data processing. It allows them to see every individual instance where personal information is processed, why, what you do with it, and how you manage it. This collection of records is a large part of what regulators like to call your documentation.

In this article we will look at who needs to complete a ROPA, the structure of a ROPA, and the types of activities you should record—spoiler: it’s all of them.

Do you need a record of processing activities?

While many provisions of the GDPR apply to any company handling the personally identifiable information of EU citizens, a ROPA is only required from organizations with more than 250 employees.

That said, there are exceptions that will require smaller organizations to keep a ROPA. Any organization that does any of the following is affected:

  • Any processing that is likely to result in a risk to the rights or freedoms of the data subjects.
  • The processing is not occasional, meaning the data is processed and used consistently.
  • The processing includes special kinds of data (found in Article 9), such as those related to an individual’s religious beliefs, biometric or health data, racial or ethnic information, or any data related to a criminal investigation.

Like with data protection impact assessments, it is best to complete a ROPA if you are unsure whether your data processing or company size qualifies you. On top of that, there are many benefits to having the processes involved in building a ROPA, even if you don’t need one.

 

The structure of a ROPA

The exact structure of your record of processing activities may differ from other companies of your size or industry. While there is not a set format, some member states of the EU provide guidance templates that can help you get started. These are often spreadsheets that you manually fill in, update, and provide to regulators when requested. For example, the UK privacy commissioner provides templates for both processors and controllers.

A record of processing activities should include, at minimum, the following:

  • Contact details for any applicable parties, be it the controller, stakeholder, DPOs, or joint controllers.
  • The purpose and lawful basis for processing the data.
  • The categories of the individuals (such as employees, customers, etc) whose data is collected.
  • The categories of the personal data collected.
  • Details about the recipients of any personal data, if it is shared.
  • Transfer details, particularly when data moves across countries, and any safety measures that are put in place to protect the data.
  • Retention schedules, such as short-term and long-term storage timelines and protection plans.
  • An overview of the security measures, both technical and otherwise, that safeguard the data.

With these questions answered, you will also want to include specifics related to individual GDPR requirements, links to contracts, data breach details, privacy policy notes, details about your DPIA and links to the assessment for that data point, and any details that make it easy for regulators to see your commitment to data privacy.

While information will differ slightly depending on whether you are the data processor or data controller, both groups need to create ROPAs.

The personal data matters

Our software stacks process more data than ever, but for the purposes of GDPR you want to focus on the personally identifiable information—specifically PII for GDPR—that you collect, process, or store. This is any personal data that you handle for data subjects, individuals, customers, or even employees within your organization.

We dive into all the types of personal information in our article on personal information and PII, but here are common examples of linked data:

  • Unique identifiers like personal IDs, driver’s license numbers, membership numbers, etc.
  • Full names, or names that can lead to the identity of an individual data subject.
  • Contact details, such as addresses, telephone numbers, or email addresses.
  • Banking or credit card numbers

Less common, but linkable data should also be included in your ROPA:

  • Gender
  • Location
  • Age
  • Job history or job titles
  • Search history
  • Geolocation data
  • Race or ethnic background

Ensure that every piece of data that is linked, or could be linked to an individual is accounted for. Don’t forget less-obvious identifiers like cookies and one-off forms from your marketing website.

Additional benefits of a ROPA

While you may be legally required to complete a record of processing activities as part of GDPR compliance, there are additional benefits that come with completing one.

Data inventory and data flow mapping

First, it ensures that your organization can view the scope of its data collection activities in a single place. You may find that multiple teams are handling the same or similar processing activity in multiple parts of your codebase. You can even identify overlap between data processors that can be simplified. A ROPA might initially be the goal, but one artifact of assembling one is building an up-to-date data inventory and data flow map. Automating the data inventory process can help keep your inventory and data flow map up to date, even beyond the needs of a ROPA.

Improves DevSecOps practices

This style of self-audit can also reveal areas in your security measures that may be lacking. Audits can help find holes in access control, data retention practices, and even inconsistent or outdated encryption techniques. If you wrap the requirements and structure of a ROPA into your software development cycle, you can improve your DevSecOps as a whole—even if you aren’t required to have a ROPA for GDPR.

Better inter-team communication

The organization-wide nature of collecting data necessary for a ROPA can help improve your business processes. Many companies believe that a DPO can gather all the necessary information on their own, but the truth is that it is a time-consuming process that requires the input of every department that touches personal data. Creating a ROPA, and setting up a process for keeping it up to date, improves the ways departments within your business communicate. We find that the documentation that is created around ROPA management helps all stakeholders better understand how data is used within an organization. It also helps push your company toward a privacy by design mindset.

Privacy and DevSecOps future-proofing

Even if you aren’t required by the GDPR to complete a ROPA, it is still an excellent way of preparing for future privacy regulation or adjustments to existing laws. While it is an internal tool, it can help improve transparency within the company by demonstrating a commitment to privacy among employees. Developing a culture around privacy helps ensure that you protect your customer’s personal data, and projects the importance of data protection to all of your employees.