ROPA preparation steps, record of processing activities steps

Who Needs to Maintain ROPA’s / PII Data Records?

Companies are obliged to keep personal data records on (a.k.a PII / NPI) that they maybe processing with a few exceptions mostly related to company size. US privacy Laws, GDPR, KSA-PDPL, Canada’s PIPEDA are just a few that cite the requirement for accurate personal data record keeping.
These records have a two-fold use in that record managers (data controllers) have an accurate picture of who, where and why these records exists and secondly, to satisfy regulators that your following data processing rules.

Particularly, regulators want assurance that data subjects / state residents have consented to companies using and sharing their data with full transparency.

Know What to Expect with ROPA Creation!

There are several different versions of records management templates. GDPR refers to them as ROPA’s (Record of Processing Activities) while other laws mention personal data asset registers or inventory. Many of the publicly published templates are spreadsheet based with alot of columns to fill out. These columns map to data protection principles such as purpose of processing, legal bases for processing, retention, security safeguards etc.
They will expect you to have done extensive mapping of where data is stored and processed internally and with data processors like SalesForce & ADP. Each type of record could contain up to 40 data points when you factor in linked documentation in complex environments which we’ve found to be quite consuming. Therefore we find it quite useful to do a ROPA Pre-Assessment like the one below before beginning the heavy lifting so your better prepared.

ROPA 10 Point Pre-Assessment
ROPA 10 Point Pre-Assessment Template

There is also considerable customization time with each organization as you enter parameters like physical data locations, owners, app names, retention schedules etc. Here is an example of a ROPA management system which is commonly used.

Know who Needs to Review Your ROPA Records!

Supervisory / competent authorities such as data commissoners, OAG’s and federal agencies may need to inspect them in case of an audit, legal case or in the aftermath of a data breach. Due dilligence assessments and proof of compliance may also be required for service contracts. One specific reference comes under GDPR Article 30 states that all organizations legally required to keep RoPAs which should be ready to present the record to supervisory authorities upon request. In case of an audit or in the aftermath of a data breach, supervisory authorities will likely want to establish the accuracy and completness of your record keeping at penalty of harsher fines.
Keep Your Records Updated

Keeping personal data records is part of BAU processes for companies. Existing records should be review at least annually and any time your procedures for processing information change.

In line with best practices, it should be reviewed regularly to validate it’s accuracy and changes should be logged.
It’s a good idea to keep documents that may link to your records organized in common folders for easier retrieval.

Remember incomplete / missing records can ramp up fines and other sanctions if your not prepared, so maintain a routine of regularly reviewing your RoPA / PII records.

What are the Benefits of Maintaining a ROPA / Personal Data Register?

It facilitates a prompt and accurate response to data subject requests like providing electronic copies, deletion and opt-out requests. It allows a controller to conduct risk management activities (security assessments etc) to mitigate threats.

Having these records is also a way of operating from a single source of truth, as it allows organizations to validate whether the data being collected has any value to the business or if it has served its purpose and is ready to be purged.

Know Whose Responsible for Updating These Records?

Normally, the heads of departments should be in charge of their record entries, as they often have the most insight into the processing of data within their business activities, while a DPO / records manager can supervise and support them where necessary.
It’s common in some organizations that one or two people perform the actual record updates, but the information has to reviewed by the respective department heads.


GDPR Data Controller vs Data Processor responsibilities comparison, art 10 GDPR


What Other Details Should a Personal Data Register Contain?

The name and contact details of the controller or their representative or the data protection officer. The categories of data subjects and the special categories of personal data being processed.
The categories of recipients with whom the personal data is shared, disclosed, or sold, especially recipients in third countries or international organizations.
Identification of third countries where the personal data will be transferred across borders and the documentation of suitable safeguards for the transfer.
The time period for the retention of different categories of personal data.
The description of technical and organizational security measures by the organization.

What are the Penalties for Non-Compliance?

Lack of documentation will be heavily weighted in the event of a breach in the computation of fines. Case history from federal, state and country agencies cite lack of documentation regularly in the computation of penalties.
(up to the max €20m / 4% of global annual turnover in the case of GDPR). In other Jurisdictions such as the US, fines may vary widely depending on the number of people impacted and the agencies leading the investigations. Many cases relate to lack of transparency which is a key part of the reason for having up-to-date records.

What About Data Processors?

Similar to a controller, data processors are also required to maintain proper records on behalf of the controller with the following details:

Each processor’s name and details, together with the name and details of the controller on behalf of whom they are processing the personal data.
The categories of processing are performed by the processor on behalf of the controller.
Identification of international organizations or third countries where the personal data will be transferred across borders and the documentation of suitable safeguards for the transfer..
A general description of technical and organizational security measures for the protection of the personal data being processed.

Where Do I Find Official Information on Personal Data Record Management?

Different agencies have published guidance, the Irish DPC has issued Guidance as has the UK ICO, the French CNIL the German BfDI and the SDAIA in KSA.
In California Section 999.317 of the CCPA regulations requires businesses to maintain records of all consumer requests and how those businesses responded to said requests for a period of at least twenty-four (24) months.
KSA-PDPL art 7.3 roughly maps to GDPR in it’s requirement for a ROPA which should contain “the purpose of processing, a description of categories of Data Subjects, contact details of the organization, and the expected period for which Personal Data will be retained.”

It’s important to check with your local authority what the guidance is, as there are variances in national implementations.

Where Do I Find a Records Management Template?

Follow the link here to see a commonly used records management template.