
Who Does a ROPA Apply to?

A ROPA applies to you if you are a Data Controller with over 250 employees, or if you meet one of the following conditions:

  • Your processing is likely to result in a risk to the rights and freedoms of data subjects.
  • You process personal data frequently.
  • You process special categories of personal data, including race, gender, sexuality, religion, and others.
  • You process personal data relating to criminal convictions and offences (see Article 24 of the Law Enforcement Directive (LED)).
  • You are subject to the Data Protection Act 2018 / UK GDPR or other national data protection acts which require records management under Article 10.

Are ROPAs Difficult to Manage?

There are different versions of ROPAs (Records of Processing Activities) out there, most of them spreadsheet based with a lot of columns to fill out. These columns map to data protection principles such as purpose of processing, legal bases for processing, retention, security safeguards, etc. This can take some time to set up as you familiarize yourself with the format, work with raw data and fill out each cell manually. There are some form-based versions, such as this ROPA Download, which can speed up the process and log record changes automatically.

Who Needs to See a ROPA?

Article 30 states that all organizations legally required to keep ROPAs should be ready to present the record to supervisory authorities upon request. In case of an audit or in the aftermath of a data breach, supervisory authorities may ask you to submit additional evidence. Additional information may include records of consent, privacy policies, contracts, and other relevant data.

How Often Does a ROPA Need to be Updated?

To comply with GDPR, your organization must keep your ROPAs up to date. Any time your procedures for processing information change, you should update your record of processing activities.

In line with best practice, the ROPA should be reviewed regularly to validate its accuracy, and changes should be logged.

What are the Benefits of Maintaining a ROPA?

A ROPA facilitates a prompt and accurate response to data subject requests, because the information is readily available, and it supports an efficient data erasure schedule that avoids accumulating unnecessary personal data. It allows a company to identify possible future risks and take steps to mitigate them.
Having a ROPA is a way of operating from a single source of truth, as it allows organizations to validate whether the data being collected has any value to the business, or whether it has served its purpose and is ready to be purged.

Who Updates a ROPA?

Normally, the heads of departments will be in charge of the ROPA, as they often have the most insight into the processing of data within their business activities, while a DPO can supervise and support them where necessary.

Figure: GDPR Data Controller vs Data Processor responsibilities comparison (Art. 10 GDPR)

What Other Details Should a ROPA Contain?

  • The name and contact details of the controller, or their representative, or the data protection officer.
  • The categories of data subjects and the special categories of personal data being processed.
  • The categories of recipients with whom the personal data is shared, disclosed, or sold, especially recipients in third countries or international organizations.
  • Identification of third countries to which the personal data will be transferred across borders, and documentation of the suitable safeguards for the transfer.
  • The time period for the retention of different categories of personal data.
  • A description of the technical and organizational security measures taken by the organization.

What are the Penalties for Non-Compliance?

Record keeping is a key component of GDPR, and lack of documentation will be heavily weighted when fines are computed in the event of a breach (up to a maximum of €20m or 4% of global annual turnover). Most GDPR cases relate to a lack of transparency, which is a key part of the reason for having a ROPA.

What About Data Processors?

Similar to a controller, data processors are also required to maintain a ROPA on behalf of the controller, with the following details:

  • Each processor's name and details, together with the name and details of the controller on behalf of whom they are processing the personal data.
  • The categories of processing performed by the processor on behalf of the controller.
  • Identification of international organizations or third countries to which the personal data will be transferred across borders, and documentation of the suitable safeguards for the transfer.
  • A general description of the technical and organizational security measures for the protection of the personal data being processed.

Where Do I Find Official Information on ROPAs?

Different agencies have published guidance on ROPAs: the Irish DPC has issued guidance, as have the UK ICO, the French CNIL and the German BfDI.
It is important to check with your local authority what the current guidance is, as there are variances in national implementations of GDPR.