So, how good is your record keeping? Because that’s the question Article 30 UK GDPR (General Data Protection Regulation) is looking to answer. It states that almost every organisation needs to keep written Records of Processing Activities (RoPAs) to give an overview of your activities and identify areas where you process personal data.
Recording all your processing activities might seem like a thankless task, but it can deliver benefits that go way beyond a simple GDPR box ticking exercise. In this article we’ll show you how RoPA can help take your data privacy compliance up a notch: what it is, if you need one, and how you do it. Ready? Let’s go.
In this article
- What is a RoPA?
- What does a RoPA stand for in GDPR?
- How do I prepare for a RoPA?
- Do I have to keep a RoPA?
- Who needs to do a RoPA?
- What are the mandatory documentation requirements of Records of Processing Activities?
- Why should RoPA be kept up to date and why is it important?
- What are the forms needed in Records of Processing Activities?
- How can you create the Records of Processing Activities?
- Conclusion
What is a RoPA (Records of Processing Activities)?
RoPA is a documentation exercise for any organisation that processes data. And if your business collects, uses, stores or shares information about people via electronic media or any other means, then you have to do it by law.
The European Union introduced the concept of RoPA through the General Data Protection Regulation (GDPR). It makes organisations more transparent and gives people much greater control over their personal data.
It covers a lot of things, too. Like using specialised software or equipment to capture, store or evaluate employee data, for example. Because if you’re using a time recording system, compiling digital personnel files or providing an electronic access system, then you’re already processing data.
RoPA FAQs
The UK GDPR has provisions in Article 30 that address the duty to keep records. It covers the types, format, and the circumstances when you might not need to keep records and lots of other useful info. Take a look at Article 30 to find answers to your questions and stay compliant.
What does a RoPA stand for in GDPR?
The RoPA is a record of the steps you take to complete a task. It’s like an audit trail but for the actions you take on your computer or in real life.
For example, say you have a report you want to print and send to a client. You could track each step in this process in a RoPA—from pulling up the file on your computer through printing it out, and then sending it off.
The purpose of this documentation process is to prove your organisation has put in place the right measures to ensure you're compliant with the UK GDPR rules and regulations. To that end, a RoPA will include:
- Description of the processing activities
- Records of consent for processing
- Details about the legal basis for processing
- Details about the technical and organisational security measures implemented to prevent unauthorised access to personal data
- Information on how long personal data is retained
- Information on whether any automated decision-making processes have been implemented and if they comply with UK GDPR requirements
You can also use a RoPA for things like keeping track of files that you’ve moved from one folder to another or deleted from your hard drive. A RoPA can help you understand if someone has been using your computer inappropriately or if they've tried to access your computer without permission.
How do I prepare for a RoPA?
When you are preparing for RoPA, you need to make sure that your records are accurate and complete. You'll also need to prove that what you did was legally compliant. Here are four ways to prepare for RoPA.
- Keep all documents that relate to your Records of Processing Activities in one place. This helps you keep track of them and makes it easier for you to find what you need when you need it. If you need to send out documents in the mail, make sure that your files are organised and ready to go before despatching them.
- Keep track of the time you spend on each activity.
- Keep records safe and secure so they're not lost or damaged.
- Make note of where you store records.
If someone asks you for Records of Processing Activities, they want proof that what you did was correct. That's why it is important to include as much information as possible in your records.
Is keeping Records of Processing Activities mandatory?
Yes. Keeping records of your processing is an essential part of being a responsible business owner. It can help you manage your costs more effectively, too. If you know exactly what each activity costs, it's easier to make sure you're spending your budgets as efficiently as possible.
There are some cases where you won't have to keep a RoPA. Organisations with fewer than 250 employees are exempt, but only if the processing isn't likely to endanger the data subjects' rights, doesn't involve any special categories of data, and is done only occasionally.
In other words, a small business with fewer than 250 employees is still subject to the record-keeping requirement if any of the following conditions are met:
- Processing is ongoing and not occasional
- Processing involves special categories of personal data
- Processing involves information about criminal convictions and offences
Who needs to document the RoPA?
If your organisation has a Data Protection Officer (DPO), they'll look after maintaining and mapping the RoPA. But if you don't, an employee with the necessary skills may also be eligible to map the records of processing. That person will need knowledge of GDPR and other data protection regulations, solid data management and risk assessment skills, and more - so it's not unusual for companies to bring in external consultants.
Hiring a DPO-as-a-Service provider to undertake the initial RoPA mapping and carry out DPO activities is also very common.
What are the mandatory documentation requirements of RoPA?
Okay, let's get into some of the details. The following information is required for the Records of Processing Activities by Article 30(1) of the UK GDPR. The information must be submitted in a clear and concise manner, with no grammatical errors or other typographical mistakes.
According to Article 30 of the UK GDPR, you must document at least the following if your organisation operates as a data controller:
- The name and contact information for the controller and, if applicable, any joint controllers
- The name and contact information of the organisation's data protection officer, if one has been designated
- Categories of data subjects (such as employees, customers, and vendor contact people)
- Categories of personal data processed (such as personal identification information, contact details, and health data)
- Categories of recipients of personal data (such as partners, third parties, authorities, and management)
- Purposes of the processing - what you use personal data for (customer support, employment, marketing, product development, and sales)
- The list of third countries or international organisations to which the personal data is provided, if applicable
- When personal data is transferred to a third country, specifics about the transfer, such as the destination nation's name and other details about the circumstances and safeguards
- Length of time that different categories of personal data must be retained
- Description of the technical and organisational security measures (e.g. encryption, employee training, restrictions on access to documents and other personal data, anonymisation)
Article 30 of the UK GDPR also requires that processors keep records of all data processing operations. In that case, the records should contain the following details:
- The name and contact information of the designated data protection officer, if one has been appointed
- The names and contact information for the processor, its controller(s), and subprocessors
- The categories of processing carried out on behalf of each controller
- If personal data is transferred to a third country, the specifics of the transfer, including the recipient country's name and other details on the circumstances of the transfer and the safeguards
- A description of the technical and organisational security measures (e.g. encryption, staff training, restrictions on access to documents and other personal data, anonymisation)
If the legal basis for processing data is the "balancing of interests" (Article 6 UK GDPR), it should be stated in the records of processing activities together with a description of the specific interests pursued.
Now, that's quite a lot. But if you need to add more details about your processing activities to make your overview easier to understand, you should consider it.
Why should RoPA be kept up to date, and why is it important?
Two words: audit trail. Keeping your records up-to-date at all times clearly reflects how the work was done at each stage along the way. This means that anyone who needs access to see exactly what happened when things went wrong can do so, and can take steps to prevent it from happening again.
It would take a lot of time and effort to get things back in order if records were not kept simple, organised, and updated on a regular basis.
What are the forms needed in RoPA?
The UK GDPR specifies that records must be kept in writing, including in electronic form. Most companies use a spreadsheet for this.
Some national regulatory authorities have released RoPA templates; two examples come from the supervisory authorities in France (CNIL) and the UK (ICO).
When it comes to UK GDPR compliance, keeping Records of Processing Activities should be the top priority. In addition to being mandated by law, they also serve as an efficient tool for ensuring compliance.
How can you create the Records of Processing Activities?
You'll be in a strong position to start recording the information after you have a basic understanding of the personal data you hold and where you keep it. The following three steps will assist you in getting there:
- Map information systems - Map your information systems and personal data. It's important that stakeholders from all across your organisation take part in the process.
- Create a survey/questionnaire - Creating a survey can help you reach the parts of the organisation that you know handle personal data. Ask simple, non-technical questions to discover the areas that need documentation. Some example questions you can use are:
  - Why do you collect personal information?
  - What categories of people do you hold information on?
  - What information do you have about them?
  - Who do you share it with?
  - For how long do you hold it?
  - How do you protect it?
- Engage top management - Getting buy-in from the company leaders makes sure your mapping efforts are supported and that all stakeholders are aware of their relevance.
RoPA isn't always easy. It can take a lot of time, money, and collaboration from across your business (and beyond). But the benefits of compliance are always worth it.
Conclusion
This article is an overview of the records the government requires and how you should maintain them. Doing this correctly should help prevent fines for failing to maintain proper compliance.
Records of processing activities provide a permanent record of the actions taken and can be used to build an audit trail. They're also useful for ensuring consistency and traceability throughout the process.
Want to learn more? Have a chat with our data privacy experts to get started with the documentation process for RoPA today.