How a Record of Data Processing Activities (ROPA) can benefit any organization
Article by: Jill Reber & Kevin Moos
In 2018, companies were first introduced to the concept of a Record of Processing Activities (ROPA). As part of GDPR compliance, organizations are required to create and maintain this document, which includes the purposes of processing personal data, the parties to whom you are disclosing the data, how long you will retain the data, and other details (see Article 30). Now, as US businesses are beholden to a growing number of privacy regulations like CCPA and its possible amendment CPRA, maintenance of a ROPA is even more important.
We work with clients to create ROPAs as part of their data privacy readiness plans, and this process frequently reveals new insights into their data management practices. These insights can yield positive outcomes on multiple levels and help you better manage your data. As a result, the ROPA process is beneficial regardless of which regulations apply to you — and in addressing new regulations as they appear.
What is a ROPA?
A ROPA is a record of an organization’s processing activities involving personal data. Some businesses may think of “processing” as being limited to active events, but a ROPA must also cover data that sits on a server or a shelf.
A ROPA includes the following information for each processing activity:
- Names and contact details of the data controller, data processor, data controller’s representative, joint controller, and data protection officer (DPO), if applicable
- Purpose (i.e., lawful basis) of processing personal data
- Categories of data subjects and categories of personal data being processed
- Categories of recipients to whom the personal data has been or will be disclosed
- Third parties in other countries or international organizations who receive the personal data
- Retention schedule for each category of personal data
- General description of technical and organizational security measures related to each processing activity
A completed ROPA lists each processing activity involving personal data and provides detailed information about each of the items listed above. While this may sound like a simple task, even building a complete list of processing activities is often a complex and time-consuming endeavor, involving detailed documentation reviews and multiple rounds of interviews with business users and IT. Larger organizations may want to create individual ROPAs for each department or line of business, and then roll up into a master enterprise-level record.
Due to the high volume of their processing activities involving personal data, midsize-to-large companies will likely need a data discovery tool to begin pulling together and organizing the various elements of the ROPA. Smaller organizations may want to start with a spreadsheet containing one row per processing activity (e.g., “Candidate offer of employment”) and one column for each of the fields listed above.
Benefits beyond compliance
For companies covered by the ROPA requirement, creating and maintaining this record is a necessary part of their readiness plan. However, the ROPA process may represent the first time an organization takes a close look at its data processes from an enterprise-wide perspective, specifically by identifying the “what” (categories of personal data), the “who” (departments and contacts responsible for the data), the “why” (purposes of processing), the “where” (data proliferation), the “when” (time limits for retention) and the “how” (IT systems and applications, security measures, etc.). While data discovery tools can be instrumental in identifying the “what” and the “where” of personal data, you will still need to determine the “why” and the “how” for each activity. By making these determinations in creating a ROPA, you can take the first step towards implementing sound data management practices across the organization.
Here are a few of the additional benefits we’ve identified for clients as we helped them create their ROPAs:
In creating your ROPA, you can identify cases of the same types of data being saved and updated in different locations at different times, which can make it impossible to identify which records are the most current, complete, and accurate. Once you identify these redundancies, you can build a single source of truth that allows you to get more business value from your data.
Prepare to respond to data subject requests
If a data subject requests access to or deletion of her personal data, the ROPA can help you identify where the category of the data is located and how it’s being processed. Having this information readily available can enable you to respond to data subject requests promptly and accurately.
Plan for data retention
The ROPA’s “time limits for erasure” column requires stakeholders to think about their data retention schedule. For decades, organizations amassed data without considering how long it would continue to be relevant or useful. They created enormous data lakes that raise security risks. These data lakes also hamper their ability to leverage data in supporting business objectives if information cannot be located quickly or if there is any confusion over which data is the most current, accurate, and relevant. Thinking strategically about data retention schedules and implementing time limits allows the organization to control “data swell” and better leverage its data as a strategic asset.
Streamline data collection
Through the process of data discovery, some organizations realize they have been collecting certain categories of personal data that serve no specific purpose, and the ROPA can serve to validate that data being acquired actually has business value. By removing extraneous categories from their data-gathering processes, businesses can streamline their procedures, eliminate the need to secure unneeded data, and focus their efforts on data that helps them better understand their customers and that supports other business goals such as data minimization.
To read the full article and see real-world examples, visit: https://www.logic2020.com/insight/how-a-record-of-data-processing-activities-ropa-can-benefit-any-organization?utm_source=social&utm_medium=Medium&utm_campaign=Data_Privacy