Records of Processing Activities (ROPA): why you need one

According to Article 30 UK GDPR (General Data Protection Regulation), every organisation is required to keep written Records of Processing Activities (ROPA). ROPA provides organisations with an overview of their organisational processes and helps identify all areas where personal data is being processed. 

Setting up Records of Processing Activities might seem hard at first. However, it delivers multiple benefits beyond plain fulfilment of UK GDPR requirements. No matter what stage of the documentation process you are at, you will walk away with useful best practices and tips on how to bring your data privacy compliance to the next level. In this article, learn about ROPA, its purpose, how organisations can prepare for it, documentation requirements, and how it is carried out.

What are Records of Processing Activities?

Records of Processing Activities is a documentation process that must be carried out by all organisations that process personal data. This includes all organisations that collect, use, store, or share information about individuals through electronic media or any other means.

The concept of Records of Processing Activities was introduced by the European Union through the GDPR. It was an attempt to make the way personal data is used by organisations more transparent, and to provide individuals with greater control over their own personal data.

Use of specialised software or equipment for capturing, storing, or evaluating employee data is one example of a processing activity (e.g. a time recording system, digital personnel files, an electronic access card system, video surveillance).

The UK GDPR has provisions in Article 30 that address the duty to keep records, their content, their format, the requirement to make the records available to the data protection authority, and the circumstances under which the duty to keep records may not apply.

What is the purpose of Records of Processing Activities?

A record of processing activities is a record of the steps you take to complete a task. It is similar to an audit trail, but for the actions you take on your computer or in real life.

For example, say you have a report that needs to be printed and sent out to clients. You could track each step in this process in a ROPA—from pulling up the file on your computer, through printing it out, and then sending it off.

The purpose of this documentation process is to demonstrate that the organisation has implemented appropriate measures to ensure compliance with the UK GDPR rules and regulations. The records should include:

  • Description of the processing activities
  • Records of consent for processing
  • Details about the legal basis for processing
  • Details about the technical and organisational security measures implemented to prevent unauthorised access to personal data
  • Information on how long personal data is retained
  • Information on whether any automated decision-making processes have been implemented and whether they comply with UK GDPR requirements

You can also use a ROPA for things like keeping track of files that have been moved from one folder to another or deleted from your hard drive, and to see if someone has been using your computer inappropriately or if someone else has been trying to access your computer without permission.

How should organisations prepare for Records of Processing Activities?

When you are preparing for ROPA, you need to make sure that your records are accurate and complete.

You cannot just have some of the information you need to comply with the law; you have to have all of it. You also need to be able to prove that what you did was legally compliant. There are a few ways to prepare for ROPA.

  • Keep all documents related to your Records of Processing Activities in one place. This helps you keep track of them and makes it easier to find what you need when you need it. Make sure you have everything you need. If you need to send out documents in the mail, make sure that your files are organised and ready to go before sending them out.
  • Keep track of time spent on each activity. If each step is taking an hour or more, it is easy to forget about what is left to do if the day keeps going.
  • It is important that your records are secure so they do not get lost or damaged.
  • Make sure that everyone involved with processing the documents knows where everything is kept. If someone forgets where something is located, there is a good chance that they will not be able to find it when they want it later on, and they will probably get upset or frustrated in the process.

If someone asks you for Records of Processing Activities, they want proof that what you did was correct. That is why it is important to include as much information as possible in your records. 

 

Is keeping Records of Processing Activities mandatory?

Yes. Keeping records of your processing is an essential part of being a responsible business owner. Keeping records can also help you manage your costs more effectively. If you know exactly what it costs per activity carried out, then it becomes easier to make sure that those costs are being spent efficiently and appropriately.

Organisations with fewer than 250 employees are exempt from maintaining a record if the processing is not likely to endanger the data subjects' rights, if no special categories of data are processed, and if the processing is done only occasionally.

There are a few important exceptions to the rule that only organisations with 250 or more employees must comply.

Every small business with fewer than 250 employees is also subject to the duty to keep records of processing activities if any of the following conditions are met:

  • Processing is ongoing and not occasional
  • Processing involves special categories of personal data
  • Processing involves information about criminal convictions and offences.

Who needs to document the Records of Processing Activities?

If your organisation has a Data Protection Officer (DPO), the duty of maintaining a mapping of the processing falls to them. If the organisation does not have a designated DPO, an employee who possesses the necessary skills to carry out such an activity may also map the records of processing.

It is very common to employ external consultants, or to hire a DPO-as-a-Service, to undertake the initial mapping of the ROPA and to carry out DPO activities.

What are the mandatory documentation requirements of Records of Processing Activities?

The following information is required for the Records of Processing Activities by Article 30(1) of the UK GDPR. The information must be presented in a clear and concise manner, with no grammatical errors or other typographical mistakes.

According to Article 30 of the UK GDPR, you must document at least the following if your organisation operates as a data controller:

  • The name and contact information for the controller and, if applicable, any joint controllers.
  • The name and contact information of the organisation's data protection officer, if one has been designated.
  • Categories of data subjects (such as employees, customers, and vendor contact people).
  • Categories of personal data processed (such as personal identification information, contact details, and health data).
  • Categories of recipients of personal data (such as partners, third parties, authorities, and management).
  • Purposes of the processing - what you use personal data for (customer support, employment, marketing, product development, and sales).
  • The list of third-party nations or international organisations to which the personal data is provided, if appropriate.
  • When personal data is transferred to a third country, specifics about the transfer, such as the destination nation's name and other details about the circumstances and safeguards.
  • Length of time that different categories of personal data must be retained.
  • Description of the technical and organisational security measures (e.g. encryption, employee training, restrictions on access to documents and other personal data, anonymisation).

Article 30 of the UK GDPR also requires that processors keep records of all data processing operations carried out on behalf of a controller. In that case the records should contain the following details:

  • The name and contact information of the designated data protection officer, if one has been appointed.
  • The names and contact information for the processor, its controller(s), and subprocessors.
  • The categories of processing carried out on the controller's behalf and, if personal data is transferred to a third country, the specifics of the transfer, including the recipient country's name and other details on the circumstances of the transfer and the safeguards.
  • A description of the technical and organisational security measures (e.g. encryption, staff training, restrictions on access to documents and other personal data, anonymisation).

If the legal basis for processing data is the "balancing of interests" (Article 6 UK GDPR), this should be stated in the processing activity records together with a description of the specific interests pursued.

If adding more information than the requirements stated above makes it easier to get an overview of all the processing activities and to maintain a high compliance level, then it is highly recommended to do so.
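As an added illustration that is not part of the original article or any regulator's template, the following Python sketch turns the controller checklist above, the third-country transfer detail, the "balancing of interests" note and the under-250 exemption into a register self-check. The RopaEntry schema, the field names and the two sample entries are this example's own assumptions.

```python
from dataclasses import dataclass, field

# Fields Article 30(1) requires in a controller's entry (names chosen for this example).
REQUIRED_CONTROLLER_FIELDS = (
    "controller_contact", "purposes", "data_subject_categories",
    "personal_data_categories", "recipient_categories",
    "retention_periods", "security_measures",
)


@dataclass
class RopaEntry:
    """One processing activity in the register (a simplified, constructed schema)."""
    name: str
    values: dict                      # required field name -> what is documented
    legal_basis: str = ""             # e.g. "consent", "contract", "legitimate_interests"
    interests_description: str = ""   # needed when the basis is legitimate interests
    third_country_transfers: list = field(default_factory=list)  # [{"country", "safeguards"}]


def check_entry(entry):
    """Return the list of documentation gaps for one entry; empty means it passes."""
    gaps = []
    for name in REQUIRED_CONTROLLER_FIELDS:
        if not entry.values.get(name):
            gaps.append(f"{entry.name}: '{name}' is not documented")
    for t in entry.third_country_transfers:
        if not t.get("country") or not t.get("safeguards"):
            gaps.append(f"{entry.name}: transfer lacks destination country or safeguards")
    if entry.legal_basis == "legitimate_interests" and not entry.interests_description:
        gaps.append(f"{entry.name}: legitimate interests basis lacks the interests pursued")
    return gaps


def record_keeping_required(employees, ongoing, special_categories, criminal_data, risky):
    """The under-250 exemption as the article states it: a smaller organisation must
    still keep records if any one of the listed conditions holds."""
    if employees >= 250:
        return True
    return ongoing or special_categories or criminal_data or risky


# Constructed sample register: one complete entry and one with several gaps.
PAYROLL = RopaEntry("Payroll", {f: "documented" for f in REQUIRED_CONTROLLER_FIELDS},
                    legal_basis="contract")
MARKETING = RopaEntry("Newsletter marketing",
                      {"controller_contact": "Example Ltd, privacy@example.com",
                       "purposes": "marketing", "data_subject_categories": "customers"},
                      legal_basis="legitimate_interests",
                      third_country_transfers=[{"country": "US", "safeguards": ""}])
```

Running `check_entry` over every entry in the register gives a gap list that can be reviewed with the DPO before the records are shown to the authority.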

Why should ROPA be kept up to date and why is it important?

It is important that these records are kept up to date at all times so that they reflect how the work was done at each stage along the way. This allows anyone who needs access to see exactly what happened when things went wrong, so they can take steps to prevent it happening again.

It would take a lot of time and effort to get things back in order if records were not kept simple, organised, and updated on a regular basis.

What are the forms needed in Records of Processing Activities?

The UK GDPR specifies that records must be in writing, including in electronic form. Microsoft Excel sheets are the most commonly used tool for this purpose.

Several national supervisory authorities have released ROPA templates. Here are two examples, from France (CNIL) and the UK (ICO):

When it comes to UK GDPR compliance, keeping Records of Processing Activities should be the top priority. In addition to being mandated by law, they also serve as an efficient tool for ensuring compliance.

How can you create the Records of Processing Activities?

You will be in a strong position to start recording the information after you have a basic understanding of the personal data you hold and where it is kept. The following three steps will assist you in getting there: 

  1. Map information systems - To find out what information your organisation owns and where it is located, you may start by mapping information systems and personal data. It is crucial that many stakeholders from within your organisation take part in the process. 
  2. Create a survey/questionnaire - A survey can help you reach the parts of the organisation that you have identified as handling personal data. Ask simple, non-technical questions to elicit information about the areas that need documentation. Some example questions you can use are:
    1. Why do you collect personal information? 
    2. What categories do you have information on? 
    3. What information do you have about them? 
    4. Who do you inform about it? 
    5. For how long do you hold it?
    6. How can you protect it?
  3. Engage top management - This ensures that your mapping effort is supported and that all stakeholders are aware of its relevance.

It is clear that the ROPA can be a difficult task. It will take a lot of time, money, and collaboration from the stakeholders and other people involved. The benefits of compliance, however, are always worth it.

Conclusion

This article has provided an overview of what records are required by the government and how they should be maintained so that you do not get fined for failing to maintain proper compliance.

The importance of records in processing activities is that they provide a permanent record of the actions taken, and can be used to make an audit trail. They are also useful for ensuring consistency and traceability throughout the process.
