Steps to Performing a ROPA (Record of Processing Activities) – DPO Solutions NY

Who Needs to Maintain ROPAs / PII Data Records?

Follow our steps to performing a ROPA to maintain compliance with GDPR and other privacy laws. Companies are obliged to keep personal data records on the controlling and processing of personally identifiable information (a.k.a. PII / NPI) in the EU, US, Canada and parts of the Middle East and Asia. It’s worth noting that there are a few exceptions to this, mostly related to company size.

These personal data records have a two-fold use. First, record custodians (data controllers) get an accurate picture of who holds these records, where they are, and why they exist. Second, keeping accurate and complete documentation helps satisfy regulators that you are following data processing rules.

On this point, regulators want assurance that data subjects (e.g. customers) have consented to companies using and sharing their data with full transparency.

Know What to Expect with ROPA Creation!

There are several different versions of records management templates. GDPR refers to them as ROPAs (Records of Processing Activities), while other laws mention personal data asset registers. Many of the publicly published templates are spreadsheet based, with a lot of columns to fill out. These columns map to data protection principles such as purpose of processing, legal bases for processing, retention, security safeguards, etc.

Regulators will expect you to have done extensive mapping of where data is stored and processed internally. This can get quite complex with some data processors such as SalesForce and ADP, where you might see up to 40 data points associated with each personal data record. Therefore we find it quite useful to do a ROPA Pre-Assessment like the one below before beginning the heavy lifting, so you’re better prepared.

ROPA 10 Point Pre-Assessment

There is also considerable customization time with each organization as you enter parameters like physical data locations, owners, app names, retention schedules, etc. Here is an example of a commonly used ROPA management system.

Know who Needs to Review Your ROPA Records!

Supervisory / competent authorities such as data / information commissioners, OAGs and federal agencies may need to inspect them in case of an audit, a legal case or in the aftermath of a data breach. Due diligence assessments and proof of compliance may also be required for service contracts. One specific reference is GDPR Article 30, which states that all organizations legally required to keep ROPAs should be ready to present the record to supervisory authorities upon request. In case of an audit or in the aftermath of a data breach, supervisory authorities will likely want to establish the accuracy and completeness of your record keeping, with harsher fines as the penalty for gaps.

Keep Your Records Updated

Keeping personal data records is part of BAU (Business as Usual) processes for companies. Existing records should be reviewed continually and any time your procedures for processing information change.

In line with best practices, reviews are used to validate the accuracy and completeness of all information on each personal data record.
It’s a good idea to keep documents that may link to your records organized in common folders for easier retrieval.

Remember, incomplete / missing records can ramp up fines and other sanctions if you’re not prepared, so maintain a routine of regularly reviewing your ROPA / PII records.

What are the Benefits of Maintaining a ROPA / Personal Data Register?

It facilitates a prompt and accurate response to data subject requests such as providing electronic copies, deletion and opt-out requests. It allows a controller to conduct risk management activities (security assessments, etc.) to mitigate threats.

Having these records is also a way of operating from a single source of truth, as it allows organizations to validate whether the data being collected has any value to the business or if it has served its purpose and is ready to be purged.

Know Who’s Responsible for Updating These Records

Normally, privacy officers and heads of departments should be in charge of record updates, as they often have the most insight into the processing of data within their business activities.
It’s common in some organizations that one or two people perform the actual record updates, but the information has to be reviewed by the respective department heads. Our chart below shows you the differences in responsibilities for data controllers and data processors.

GDPR Data Controller vs Data Processor responsibilities comparison, art 10 GDPR

What Other Details Should a Personal Data Register Contain?

The name and contact details of the controller or their representative or the data protection officer.
The categories of data subjects and the special categories of personal data being processed.
The categories of recipients with whom the personal data is shared, disclosed, or sold, especially recipients in third countries or international organizations.
Identification of third countries where the personal data will be transferred across borders and the documentation of suitable safeguards for the transfer.
The time period for the retention of different categories of personal data.
The description of technical and organizational security measures by the organization.

What are the Penalties for Non-Compliance?

Lack of documentation will be heavily weighted in the computation of fines in the event of a breach. Case history from federal, state and country agencies regularly cites lack of documentation in the computation of penalties.
(Under GDPR the top tier of fines is up to a maximum of €20m or 4% of global annual turnover.) In other jurisdictions such as the US, the FTC and OAGs will fine non-compliant entities according to the number of people impacted and the degree of negligence. Many cases relate to lack of transparency, which is a key part of the reason for having up-to-date records.

What About Data Processors?

Similar to a controller, data processors are also required to maintain proper records on behalf of the controller with the following details:

Each processor’s name and details, together with the name and details of the controller on behalf of whom they are processing the personal data.
The categories of processing performed by the processor on behalf of the controller.
Identification of international organizations or third countries where the personal data will be transferred across borders and the documentation of suitable safeguards for the transfer.
A general description of technical and organizational security measures for the protection of the personal data being processed.

Where Do I Find Official Information on Personal Data Record Management?

Different agencies have published guidance: the Irish DPC has issued guidance, as have the UK ICO, the French CNIL, the German BfDI and the SDAIA in KSA.
In California, Section 999.317 of the CCPA regulations requires businesses to maintain records of all consumer requests, and how those businesses responded to said requests, for a period of at least twenty-four (24) months.
KSA-PDPL art 7.3 maps to GDPR in its requirement for a ROPA, which should contain “the purpose of processing, a description of categories of Data Subjects, contact details of the organization, and the expected period for which Personal Data will be retained.”

It’s important to check with your local authority what the guidance is, as there are variances in national implementations.

Where Do I Find a Records Management Template?

Follow the link HERE to see a commonly used records management template.
