How a Record of Data Processing Activities (ROPA) can benefit any organization

Article by: Jill Reber & Kevin Moos

In 2018, companies were first introduced to the concept of a Record of Processing Activities (ROPA). As part of GDPR compliance, organizations are required to create and maintain this document, which includes the purposes of processing personal data, the parties to whom you are disclosing the data, how long you will retain the data, and other details (see Article 30). Now, as US businesses are beholden to a growing number of privacy regulations like CCPA and its possible amendment CPRA, maintenance of a ROPA is even more important.

We work with clients to create ROPAs as part of their data privacy readiness plans, and this process frequently reveals new insights into their data management practices. These insights can yield positive outcomes on multiple levels and help you better manage your data. As a result, the ROPA process is beneficial regardless of which regulations apply to you, and it helps you address new regulations as they appear.

What is a ROPA?

A ROPA includes the following information for each processing activity:

  • Names and contact details of the data controller, data processor, data controller’s representative, joint controller, and data protection officer (DPO), if applicable
  • Purpose (i.e., lawful basis) of processing personal data
  • Categories of data subjects and categories of personal data being processed
  • Categories of recipients to whom the personal data has been or will be disclosed
  • Third parties in other countries or international organizations who receive the personal data
  • Retention schedule for each category of personal data
  • General description of technical and organizational security measures related to each processing activity

A completed ROPA lists each processing activity involving personal data and provides detailed information about each of the items listed above. While this may sound like a simple task, even building a complete list of processing activities is often a complex and time-consuming endeavor, involving detailed documentation reviews and multiple rounds of interviews with business users and IT. Larger organizations may want to create individual ROPAs for each department or line of business, and then roll up into a master enterprise-level record.

Due to the high volume of their processing activities involving personal data, midsize-to-large companies will likely need a data discovery tool to begin pulling together and organizing the various elements of the ROPA. Smaller organizations may want to start with a spreadsheet containing one row per processing activity (e.g. “Candidate offer of employment”) and one column for each of the fields listed above.

Benefits beyond compliance

Here are a few of the additional benefits we’ve identified for clients as we helped them create their ROPAs:

  • Identify redundancies
  • Prepare to respond to data subject requests
  • Plan for data retention
  • Streamline data collection
