The Irish Data Protection Commission (DPC) has published another helpful guidance note on the Article 30 GDPR Record of Processing Activities. This latest note provides a deep dive into everything you need to know: what is required, why you need a record, the dos and don’ts of preparing and maintaining a ROPA, and some good (and bad) examples to follow, similar to the templates already available from the UK ICO and the French CNIL.
What is a ROPA?
Article 30 GDPR requires controllers (and processors) to maintain a written Record of Processing Activities (“ROPA”); electronic form is fine. Essentially, it is the documented output of a data-mapping exercise: what personal data you hold, where it is held, how you use it, who you share it with, how long you keep it, and why you process it.
Why is a ROPA so important?
First and foremost, a ROPA is a legal requirement and a primary means of demonstrating compliance with the GDPR’s accountability principle (Article 5(2)). It is also a practical tool: by documenting every processing activity, an organisation gains a clear picture of its personal data and procedures, which in turn makes it easier to manage, understand and keep track of them.
There is a limited exemption for small and medium enterprises: Article 30(5) GDPR relieves organisations with fewer than 250 employees of the obligation, but only where the processing is occasional, is not likely to result in a risk to the rights and freedoms of data subjects, and does not include special category data or personal data relating to criminal convictions and offences. Few organisations that process personal data as part of their normal business will meet all of these conditions.
Beware: you must be able to provide your ROPA to a supervisory authority on request, which, by the DPC’s standards, would be on only 10 days’ notice. A ROPA found not to meet the requirements of Article 30 can result in heavy fines.
What should be included?
At a minimum, a ROPA must contain the information set out in Article 30(1) (for controllers) and Article 30(2) (for processors) GDPR. Generic lists of pieces of information will not meet these requirements. For example, there may be several separate retention periods, each relating to a different category of personal data, and the ROPA needs to reflect each of them. Granularity is key here.
As the Controller
Article 30(1) GDPR requires the controller’s record to include:
- the name and contact details of the controller and, where applicable, of any joint controller, the controller’s representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that country or organisation and, for transfers under Article 49(1), the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
As the Processor
Article 30(2) GDPR similarly sets out the information a processor must record in its own ROPA: the name and contact details of the processor and of each controller on whose behalf it acts (and, where applicable, their representatives and data protection officers), the categories of processing carried out on behalf of each controller, any transfers to third countries or international organisations, and, where possible, a general description of the security measures in place.
Top Tips from the DPC
- Keep it separate. The ROPA should be a complete, standalone document. Remember, it is NOT the same as a Data Protection Impact Assessment (DPIA), which assesses the risks of a specific high-risk processing activity rather than inventorying all processing.
- Break down the ROPA. As mentioned above, the ROPA should be clearly broken down, split according to the different business functions, categories of data subjects etc., and sufficiently detailed (descriptions such as “personal data” or “appropriate security” won’t cut it).
- Include extra information as appropriate. For example, this could also cover the legal basis for processing, the processing of any special category data, or the risk ratings assigned to processing activities.
- Update, update, update. The ROPA is a living document that reflects the current state of your processing of personal data, so it must be accurate and kept up to date. Review it regularly, and whenever a new system, supplier or processing activity is introduced, so that it is “ready to go” whenever a supervisory authority asks for it.
- Avoid hyperlinks. Best practice is to include all of the relevant information within the ROPA itself, rather than referring out to different documents or sources. If you do link to an external document, make sure it remains accessible to whoever reads the ROPA, including a supervisory authority, and that it is itself kept current.
- Make it clear and self-explanatory. An external reader should be able to fully understand the document, so cut back on the unexplained acronyms.