How to Create a Record of Processing Activities (ROPA)


What is a ROPA?

You may think of a Record of Processing Activities, or “ROPA”, as an index to the processes involving personal data at your organisation. It lists the processes which involve personal information, and specifies:

  • what information

  • who it relates to

  • where and how you got it

  • where and how you store it

  • how you use it

  • who has access to it

  • who you share it with

  • how long you keep it

  • how you protect it.

Only organisations with 250 or more employees, or whose processing may pose a high risk to the individual (e.g. by processing sensitive personal data, such as religion, health data, or criminal offences and convictions), are obliged to have a ROPA. However, any organisation processing personal information can have one: if you don’t know what data you have and where it is, it’s very difficult to keep it safe, and even more difficult to prove that you’re keeping it safe if you’re subjected to an audit!

It’s a very detailed document, and can seem like a mammoth task if completed manually. Here are some pointers to help you out, whether you choose to create and maintain your ROPA manually or with a privacy compliance tool.

What should I include?

This is the easy part – the text of the GDPR specifies what to include in the ROPA in Article 30. Here is a breakdown of the required content:

Identity of the organisation and key contacts

  • The name and contact details of the organisation. If the organisation is processing the data on behalf of another organisation (known in legal terms as the “Data Controller”), the name and contact details of the Data Controller must also be included for each process carried out on their behalf

  • The name and contact details of the legal representative of the organisation, and of the DPO, if there is one

Description of processing

  • The purposes of the processing activity (e.g. recruitment, customer support)

  • The categories of data subject (e.g. employee, B2C client) and the categories of personal data (e.g. contact details)

Data transfers

  • Recipients of the personal data (e.g. HMRC, email marketing service provider)

  • Any transfers of data to international organisations or organisations based outside the EU, and a description of the measures taken to secure these transfers (e.g. Standard Contractual Clauses)

Security information

  • The duration for which the personal data will be stored (e.g. 6 months after the departure of the employee from the organisation)

  • Where possible, a general description of the technical and organisational security measures in place to protect the personal data (e.g. firewall, anti-virus, physical security such as key badges, CCTV).

The ROPA must be made available to the supervisory authority (in the UK, the ICO) upon request. Many organisations choose to add extra details to their ROPA to make it more useful for their own internal use (e.g. the names of the departments responsible for each process); however, these additional details do not have to be provided to the supervisory authority.

Where do I begin?

If your organisation has not already mapped its processes and systems, you’re going to be starting from scratch – but on the bright side, this means the ROPA will be of even greater value to the organisation.

Here are the key steps to get started with your ROPA:

  • Pre-complete the name and contact details of the organisation, legal representative and DPO

  • Identify the departments / teams in the organisation, and reach out to department heads / team leaders

  • Ask them to compile a list of processes carried out by their department or team, including the names of the process owners

  • Ask the process owners to complete the columns of the ROPA concerning their processes

  • Run the ROPA by the IT department or team to check that the technical details included in the ROPA are accurate (e.g. systems, tools and applications used, technical security measures in place)

  • If there is a physical security team, run the ROPA by them to verify that these details are correct, for example, restricted access to physical spaces containing personal data (e.g. data centres, offices containing paper copies of data)

  • Double-check the details where possible.


The task can be time-consuming, so it is useful to inform employees in advance of the work to be undertaken, and to fix a schedule with deadlines for each stage of work, in order to ensure availability and responsiveness of department heads and process owners.

How can I ensure ongoing compliance?

This is the greatest challenge for manual ROPAs – it is important to formalise the approach to maintaining the ROPA in order to minimise the impact on day-to-day operations while ensuring ongoing compliance.

There should be an annual review of the ROPA, during which each process owner adds any extra processes that have been created or deletes former processes, and reviews the existing process descriptions in order to update them if necessary. It may be helpful to mention key points for review in an email to the process owners (such as whether any tools or applications have changed, whether the personal data collected or processed has changed, and so on).

Annual reviews of the ROPA should be signed and dated by process owners, department heads and the person responsible for managing GDPR compliance. Sign-off makes the people involved accountable and the review traceable, which encourages careful verification of the ROPA.

Tools and applications

There is a range of applications offering tools for ROPA creation and maintenance, including, of course, APIMS. In APIMS, the task is mostly automated, including assignment of responsibilities to department heads and process owners, as is the use of your ROPA to partially or fully pre-complete other required GDPR documentation.

If you choose to create your ROPA manually, bear in mind the need for easy consultation and maintenance. PDF and Word documents do not make it easy to consult and compare different processes, nor to copy and paste common attributes. Spreadsheets are the most practical option for a manual ROPA, as long as the ROPA is kept on one tab (separate tabs make it difficult to compare processing activities or to skim through them).

Don’t forget – the ROPA is, in itself, a sensitive document for the organisation. It should be treated as confidential, with access limited to specific individuals or job roles, and protected by appropriate technical and physical security measures.

Keep it Simple!

Clear procedures are the best way to keep your organisation running smoothly. Make sure that all employees who may be involved in building or maintaining your Record of Processing Activities know the steps that are followed, where they come in, and what they are required to do. The procedure doesn’t need to be long – the main thing is that it is clear and brief!

You’re ready to go – good luck!