Why is it important to have a RoPA?
A RoPA demonstrates compliance. It is a legal requirement to document all of your data processing activities.
A RoPA enables you to establish accountability by recording the information that you have, where it is and what you do with it.
A completed RoPA demonstrates compliance and helps facilitate audits.
Processing must be documented where it:
- Is not occasional (that means all frequent processing must be documented)
- Could result in a risk to the rights and freedoms of the individual
- Involves special category or criminal data
It should be a comprehensive picture of the personal data you have.
What is a RoPA?
Well, the clue is in the title: it is a record of all the processing activities involving personal data that your organisation carries out. It covers every area where personal data is held, e.g. Sales & Marketing, HR, Finance, Procurement, Customer Services.
Your RoPA should include, but is not limited to:
- Purposes of processing
- Categories of individuals
- Categories of data held
- Retention periods
- Safeguards
Case Study:
We have recently been involved with two clients, helping them to build their Records of Processing Activities (RoPA). This can look like a daunting and difficult task, but it doesn’t have to be.
So here is the route we took:
- Start with a Data Audit
- Identify the Business Processes Where Personal Data is Used
- Engage Data Owners
How do you start to build your RoPA?
Start with a Data Audit; this clarifies the data that your organisation holds.
The audit looks at the types of data you hold, as well as where and how it was gathered. You will find more information on the Data Audit here.
Next, Identify the Business Processes Where Personal Data is Used
Make a list of the business processes within your key business functions where personal data is used.
To that list, match the Data Owners: the individuals within the organisation who are responsible for the personal data processing within your key business functions.
Key business functions can include:
- Sales
- Marketing
- HR
- Procurement
- Finance
Importantly: The Need for Engagement
In all of this there is a need for engagement with the data owners.
The data owners need to keep the processing activities updated. Data protection doesn’t happen in isolation, so keep the conversation going; it is a constantly changing landscape.
Conclusion
Update your RoPA whenever there is a change to processing. This could include such things as new technology or a change to the purpose of processing, at which point you should also be thinking about carrying out a DPIA (Data Protection Impact Assessment).
Whatever size your organisation is, if you are processing personal data you are accountable for it. To be able to say that your data is accurate you need to know what you have, and to be able to protect personal data you need to know how it is used.
If you do have a data breach and your RoPA is up to date, you will be able to pinpoint quickly and accurately the data that has been breached, helping you contain the breach.
The ICO has both a guide and templates that can help you to build your RoPA.
Should you need any further help with your RoPA, simply contact us and we will be happy to help.