Among the obligations set out by the General Data Protection Regulation (GDPR), there is one on maintaining records of processing activities (ROPA).
It is an internal record that contains the information of all personal data processing activities carried out by the company or organization.
In Article 30, GDPR lays out provisions regarding the obligation of maintaining records, their content, their form, their obligation on making records available to the data protection authority, and the exceptions to the obligation of maintaining a record.
It is intended as an accountability measure for companies and a first step down the road of compliance to data protection laws.
Obligation for controllers
Each controller will have the responsibility to maintain records of all the processing activities which take place within the organisation. These records (which need to be in writing, as well as in electronic form) must contain all of the following information:
The name and contact details of the controller and where applicable, the data protection office;
The purposes of the processing;
Description of the categories of data subjects and of the categories of personal data;
Categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
Transfers of personal data to a third country or an international organisation, including the documentation of suitable safeguards;
Envisaged time limits for erasure of the different categories of data; and
General description of the applied technical and organisational security measures.
Please note that the obligation does not apply to organisations employing fewer than 250 persons, unless the processing is of a high-risk nature, including processing of special categories of personal data such as ethnic or health information, or data about criminal behaviour.
Furthermore, the controller or the processor needs to make the records available to the supervisory authority upon request.
Obligation for the Processor
In general, the GDPR does not only require more responsibility from the controller, but it also requires more responsibility from the involved data processors. Therefore, this obligation is also applicable to processors. Each processor will have the responsibility to maintain records of all categories of processing activities carried out on behalf of a controller, containing:
The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable and the data protection officer;
The categories of processing carried out on behalf of each controller;
Transfers of personal data to a third country or an international organisation, including the documentation of suitable safeguards;
A general description of the applied technical and organisational security measures.
ROPA- burden or asset?
This requirement under the GDPR will require some extensive effort. The organising part will require a lot of the business, but also of the privacy professionals involved. To convince the business of the added value of these records — besides the fact that it is an obligation of which non-compliance could lead to fines up to EUR 10.000.000 or 2% of the total worldwide annual turnover — will take time. Keeping in mind the development of the process, but also exploring and implementing the technical measures, it will be a time consuming process. Moreover, don’t forget to keep track of existing processing activities: not only new data processing activities must be recorded, but also the activities that are taking place at the moment (and maybe have been for years).
However, there is also something to gain. The records will provide an overview of all data processing activities within your organisation, and therefore enable organisations to get a grip on what kind of data categories are being processed, by whom (which departments or business units) and for which underlying purposes. This knowledge will allow organisations to make connections internally, join efforts or projects with the same or equivalent goals and / or challenges and it can result in increasing control over data processing activities. This will provide insight into risks and required mitigation actions, and will inevitably result in empowering organisations to do more — and in a well-ordered manner — with the available personal data.
LightBeam.ai ROPA automation tool to the rescue
Automated Process Management: The Processing Activities will be completed by the business using a user-friendly automated workflow provided by LightBeam.
Automated Reporting : Reports would be generated in a timely manner and processing activities will be validated and enriched (if needed) by the DPO (or other responsible) with data already available in data governance solutions.
Maximize data governance capabilities :
a) Once the processing is completed, data will be transferred automatically to the data governance solution using different APIs through a gateway.
b) The Data Governance solution will be used as a validation and enrichment tool as all information and knowledge with regards to personal data, its use and policies is in there.
c) Once verified in the data governance tool, the updated information will be sent back to LightBeam. In this way, both registers are kept in sync, leading to one single version of the truth available in both platforms.