Art. 30 of the EU General Data Protection Regulation (GDPR) requires companies to create and maintain a record of processing activities (ROPA). The ROPA includes a comprehensive overview of processing activities and the most important details about them and must be made available upon the request of a supervisory authority. ROPA demonstrates your company’s GDPR compliance and thus it is important that it is well-managed and organised.
Our ultimate guide explains step by step who has to keep a ROPA, what it contains, and how to best implement and manage this obligation.
Who needs a ROPA?
The obligation to create and maintain a ROPA applies to the majority of controllers and processors, and – for non-EU companies – their EU representatives.
A widespread misconception concerning ROPAs is that this duty applies to large companies only. While companies with more than 250 employees must indeed always keep a ROPA, those with fewer than 250 employees are exempt from holding a record, if one of these factors apply:
- The processing is not likely to pose a risk to the rights and freedom of the data subject.
Companies can assess a likely risk for data subjects by taking into account the nature, scope, context and purposes for processing, as well as the varying likelihood and severity of risks. Examples include geolocation systems and video surveillance. - If no special categories of data are processed.
Special categories of data include, for instance, data concerning criminal records, religious affiliations as well as health data of employees. Most companies will process sick certificates, and other information of employees falling under this category. - If the processing is done only occasionally.
Data processing can be occasional if it plays a subordinate role in the activity and only occurs for a very short time or once. An example would be a company informing clients of a change of address in case of relocation. On the contrary, daily activities of companies like customer management or salary management are not occasional.
In practise, most companies, regardless of whether or not they engage more than 250 employees, will be required to keep a ROPA. As in almost every organisation, some processing takes place on a structural basis. Also, it is not unlikely for companies to process special categories of data, especially in the context of human resources.
Why a ROPA?
For reasons of accountability and transparency, controllers must ensure a structured data protection documentation. It not only ensures transparency of data processing but also enables the data protection officer (DPO), EU representative and supervisory authorities to perform their duties well. In a nutshell, ROPA demonstrates whether a company is GDPR compliant, pursuant to Art. 5 (2) GDPR. Furthermore, a ROPA is crucial for the preparation of data protection impact assessments (DPIA).
While the building of a complete list of processing activities is often a complicated and time-consuming task for companies, the creation and maintenance of a ROPA can prove to be beneficial for several reasons. It facilitates a prompt and accurate response to potential data subject requests when the information is readily available while establishing an efficient data erasure schedule to avoid a bulk of unnecessary personal data. It allows a company to identify future possible risks and take steps to mitigate them.
What is a ROPA?
By definition, a ROPA is a record of an organisation’s processing activities involving personal data. Pursuant to Art. 30 (3) GDPR, it must be in written or electronic text form.
“Processing” is any activity performed on personal data. Thus, not only the active collection of data but also the mere storage of data on a server is considered processing. In practise, each business process will be a separate processing activity.
Controllers and processors have to create a ROPA that contains the following information:
- A controller’s ROPA must include the name and contact details of the controller, the joint controller, a representative and the DPO. Similarly, a processor has to enclose details about the name and contact of each processor and each controller on behalf of whom the processor is acting, as well as the processor’s representative and DPO, if applicable.
- While a controller must record the purpose of each processing, a description of the categories of data subjects and the categories of personal data, a processor must merely document the categories of processing carried out on behalf of each controller.
- Where applicable, both a processor and a controller must list transfers to third countries or international organisations, including a description of the suitable safeguards. Additionally, controllers have to record information about the types of recipients to whom the personal data have been or will be disclosed, including those of third countries and international organisations, as well as the envisaged time limits for erasure of different categories of data, where possible.
- Lastly, both a processor and a controller should provide a general description of the technical and organisational measures referred to in Art. 32 (1) GDPR.
Creating and maintaining a ROPA
As a controller or processor, companies are responsible for creating and maintaining a ROPA and to keep an overview of all processing activities they operate. Normally, the heads of departments will be in charge of the ROPA, as they often have the most insight into the processing of data within their business activities, while a DPO can supervise and support them where necessary.
If you are not an EU company and need to appoint an EU representative, you should mandate the representative to act on your behalf with regard to their obligations under the GDPR. The EU representative acts as a middleman with supervisory authorities and data subjects, while the company outside the EU plays an active role in creating and maintaining records of processing activities and making these records available to the supervisory authorities upon request.
1. Identify processes
Firstly, all details must be determined and gathered by conducting an audit or a data-mapping exercise to help clarify what kind of personal data is processed. To do so, it is useful to meet directly with key departments (such as HR, Marketing, Customer Support, etc.) of your company to better understand how they use data and to document the required details. Other departments will hold some necessary and specific information about processing activities, e.g. IT holds information about the technical security measures, while the legal department keeps track of data-sharing arrangements.
Secondly, other relevant information can be found in existing documentation, such as data protection policies, data retention policies, system use procedures, data protection contracts (in the context of processing on behalf of a controller) and data sharing agreements. Locating and reviewing the details contained in these documents can help you compare and contrast intended and actual data processing activities.
You should be able to answer these questions about each personal data processing activity:
- How do you process personal data? Which business processes take place within your department?
- Why do you use personal data?
- Who do you hold information about?
- What information do you hold about them?
- Who do you share it with? Do you use any external contractors? Are any of them outside the EU?
- For how long do you store it?
- How do you keep it safe?
2. Document processing activities
As mentioned above, the documentation of your processing activities must be in writing, in paper or electronic form. Due to the obligation to maintain a ROPA, meaning to add, remove and amend it as necessary, electronic form is suggested.
Documentation shall be done in a granular and logical way, as you may have separate erasure periods for different categories of data. Also, varying categories of data subjects and purposes for processing data requires listing information in a meaningful way in the ROPA in order to meet the GDPR’s documentation requirements.
Full-length templates for controllers and processors can help to appropriately document processing activities. Whether you are a controller or a processor will impact the content, structure and demands of the ROPA. Accordingly, the ROPA of controllers is generally more comprehensive than that for processors, as controllers have to include more information, such as the purpose of data processing, the categories of data, and the categories of recipients.
Therefore, the complexity and structure of a company determines the most appropriate course of action for creating a ROPA. Essentially, you must ensure that the ROPA is structured in a manner that fulfils the obligations under Art. 5 (2) GDPR (accountability), Art. 24 GDPR (controller’s responsibilities under the GDPR), and Art. 30 GDPR (ROPA). In order to avoid superfluous documents, you can make reference to your company’s data protection and data retention policies in the ROPA, as both documents must also be made available upon a supervisory authority’s request.
In order to fulfil the obligation of accountability, information about processing activities and the general description of technical and organisational measures must be clearly comprehensible for supervisory authorities.
3. Update regularly
A ROPA must represent the current situation of your data processing activities and, thus, must be updated regularly. In practise, updates must be made of any changes to the processing conditions, such as new categories or purposes of data or new third recipients of data. Accordingly, this makes a ROPA a so-called living document that needs to be updated when necessary. In order to do so, you should conduct regular reviews of the information you process to ensure your documentation remains accurate and up-to-date.