What is a RoPA? An Expert Guide to GDPR Compliance in the Public Sector
GDPR regulations in the UK now require that all organisations have a legal responsibility to document their processing activities.
Records of Processing Activities (RoPA) are one of the fundamental components of GDPR, set out in Article 30. In essence, Article 30 requires organisations to maintain detailed documentation of the processing activities they carry out on individuals’ personal data.
These records provide transparency and accountability for an organisation whenever it collects and processes personal data.
In this blog, we will cover all you need to know about Records of Processing Activities (RoPA), explaining exactly what it is, its importance to GDPR and public sector organisations, as well as what it should include, easy steps to creating one and much more.
To support this blog, trainer and Information Governance Specialist Iain Harrison kindly shared his extensive knowledge of RoPAs. He will also be running our ‘Understanding Records of Processing Activities (ROPA) and Data Mapping’ course this November.
- What is a RoPA?
- What Organisations Need a RoPA?
- How Does a RoPA Differ From Data Mapping?
- Why are RoPAs Important?
- What are the Benefits of a RoPA?
- What to Include in a RoPA
- How to Create a RoPA in 5 Steps
Firstly, What is a RoPA?
A RoPA (Record of Processing Activities) is a single document that records all personal data an organisation holds and details how it's processed.
This should include information about the:
- Data controller and processor
- Types of personal data processed
- Categories of data subjects
For most organisations, maintaining a RoPA is a legal requirement under GDPR. Article 30 of the General Data Protection Regulation (GDPR) states that “each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.”
What Organisations Need a RoPA?
Organisations with over 250 employees must document all their processing activities, which applies to most public sector organisations.
Iain Harrison notes, “That said, there are exceptions that will require smaller organisations to keep a RoPA. If you do any of the following, you should have one:
- Any processing that is likely to result in a risk to the rights or freedoms of the data subjects.
- The processing is not occasional, meaning the data is processed and used consistently.
- The processing includes special kinds of data (found in Article 9), such as those related to one's religious beliefs, biometric or health data, racial or ethnic information, or any data related to a criminal investigation or records.”
How Does a RoPA Differ from Data Mapping?
Data mapping is a process of determining how personal data is handled, stored, and transmitted by an organisation.
Data mapping is an important part of GDPR compliance and should answer the following questions:
- What data do you process?
- Where do you process the data?
- Why do you process the data?
A RoPA can be thought of as a subset of data mapping, and the two activities tend to overlap.
The essential difference, however, is that a RoPA is mandatory, whereas data mapping is only advised as best practice.
Why are RoPAs important?
Iain says, “Well, the UK GDPR (specifically Article 30) requires that every piece of data processing (a term that covers everything from collection to disposal) you do needs a record, and those records are stored in a record of processing activities (ROPA).
The Information Commissioner’s Office (ICO) may look at your ROPA to get a full picture of your data processing. It allows them to see where personal information is processed, why, what you do with it, and how you manage it.”
What are the Benefits of a RoPA?
Here are 4 benefits of good record-keeping:
1. Regulatory compliance: RoPAs confirm organisations meet their GDPR requirements, lowering the risk of any legal repercussions.
2. Enhanced data governance: RoPAs encourage transparency and accountability, allowing organisations to put in place effective data governance practices.
3. Risk management: By documenting data processing activities, organisations can identify and eliminate potential privacy risks. This will strengthen their overall risk management framework.
4. More trust: Exhibiting compliance with GDPR requirements through RoPA gains trust amongst your organisation’s external users.
What Information Should a RoPA Include?
Iain says, “Your record of processing activities may differ from other organisations’ and there is no required format (some use systems like OneTrust, others may use a basic spreadsheet that can be manually filled in).
Your record of processing activities should include, at minimum, the following:
- Contact details for relevant parties, such as the controller, stakeholders, DPOs, or joint controllers.
- The purpose and lawful basis for processing the data.
- The categories of the individuals (such as employees, customers, etc) whose data is collected.
- The categories of the personal data collected.
- Details about the recipients of any personal data if it is shared.
- Transfer details, particularly when data moves across countries and any safety measures that are put in place to protect the data.
- Retention schedules, such as short-term and long-term storage timelines and protection plans.
- An overview of the security measures, both technical and otherwise, that safeguard the data.”
How to Create a RoPA: In 5 Steps
Please see our step-by-step guide on how to create a ROPA for GDPR compliance:
1. Identify the Departments
It is important to identify all the departments of your organisation. Delegate one person per department, e.g., the data protection officer or the person with the most in-depth knowledge of their department’s processes, and set up a meeting with them.
2. Identify the Processing Activities
In these meetings with each department representative, it is important to understand and identify all their processing activities in detail. Some key questions you might want to ask:
- What kind of people (data subjects) do you process data for?
- For each data subject category, why do you process their data?
- From which sources do you process data?
- What happens next?
- Are any other departments involved?
- What is their role in the process?
- What kind of data do you process?
- Why do you need this data?
- Which service providers do you use for processing personal data?
- What is their purpose?
Software and Tools
- What software/tools do you use to process personal data?
- What is their purpose?
- Do you process any other lists or documents that contain personal data?
Document this information in any tool. At this stage you can create a rough list of each processing activity. Clean up this list later on and split it into different processing purposes, grouping some processing activities together and separating others.
This step is all about clarity, transparency and ensuring you are demonstrating compliance.
3. Be Descriptive
Now you have a list of all the processing activities, gather more in-depth information about each activity.
You could hold one-on-one workshops with the people you had the meetings with to go over processing activity description examples. Document a few together until they get the hang of how it is done. Then they should be ready to start completing a RoPA description for their own activities within a week or two.
Add all the descriptions, and your RoPA is nearly complete.
This step can sometimes take up to 2-3 months, depending on the size of your organisation and volume of processing activities - so don’t panic if it is taking longer than you think it should.
4. Carry Out a Legal and Security Evaluation
Now that the RoPA descriptions are complete, undertake a legal/security evaluation of the processing activities. The tasks include:
- Determine legal basis.
- If consent is needed, discover whether a GDPR-compliant consent process is already in place.
- Establish the legal retention and deletion time for each processing activity.
- Considering the technical and organisational measures, make a rough risk assessment to establish the level of risk associated with the data processing for data subjects and the need to perform a Data Protection Impact Assessment (DPIA).
- Make clear which recipients are considered Controllers, Processors, or Joint Controllers and establish if the necessary contracts are in place.
5. Complete Your RoPA
Now that your RoPA is complete, make sure you put it to use.
Use your RoPA to:
- Create privacy notices
- Perform Data Protection Impact Assessments (DPIA)
- Create deletion schedules
Update and maintain your RoPA regularly. Keep in contact with the relevant departments to verify that all the information is correct. Perform this review every 3, 6 or 12 months depending on how quickly your organisation changes.
Want to Learn Practical Techniques on How to Better Map Out Your Organisation’s Personal Data?
Join our Understanding Records of Processing Activities (ROPA) and Data Mapping course taking place on 30th November 2023, and receive expert advice from information governance expert Iain Harrison on developing more effective data mapping processes and building ROPA within your organisation’s record processing activities.