Download this free template if you are a data controller with over 250 employees. This free template Includes a spreadsheet and ROPA process diagram to orient users to the process.

View our data privacy awareness training for employees slidedeck using the above button.

Three things to note about maintaining a ROPA before you download.

Maintaining ROPA documentation can be a challenge even for experienced practitioners given the information gathering required, number of elements that need to entered and tracked on a continual basis. [Deloitte] says that “Organising records of all the data processing activities that take place within in your organisation requires some extensive effort. Especially when these kinds of processing activities take place decentralised within different departments or business units”

Deloitte identifies three needs for the process to work which includes

  • Involvement of the business and stakeholders in the process as they will play a role at the beginning of the development or design of a product, process, system, application or project. These people have the main insight into the data processing activities and will be of extreme value to create and maintain the overview. Involve the business when your organisation starts to think about the underlying process that is needed to generate these records. Make them aware of the benefits and the added value for your organisation.
  • Design (and align) a process, with clear roles and responsibilities.
    When you have your stakeholders involved, the next step is to determine the process in which the records must be obtained, checked, added to a central register and kept up-to-date. Be aware that lot of the required information will most probably already be obtained by performing Privacy Impact Assessments (PIA’s). If there is an existing supporting process, explore to what extent this new process can be aligned. This will coordinate the required effort, and will prevent the business from providing the required information twice.Also, make sure that clear roles and responsibilities are defined when the process is being developed. Think about responsibilities with regard to the collection of the required information, including the information into a centralised register and updating the information in the register when needed. Do not forget to involve other competences as well, such as IT, compliance, procurement and legal, as they could also greatly benefit from the information. Think of the contracts in light of the procurement process in case processors are (going to be) involved. The information will be of great value in settling data processing agreements.
  • Create a central register of records.
    The records that must be kept, should be stored in a centralised manner. Depending on the infrastructure of the specific organisation, explore how to support the fundamental process. In this way one centralised system will provide a full overview of the processing activities that take place within the organisation. Of course in this scenario people have to be aware of the proper technical measures, such as access and authorisation rights (not everyone should be authorised to change or alter information). The market for privacy tools is expanding rapidly, and it is good to think about the technical requirements and possibilities within your own organisation.