Do you know your Data? Article 30: Records of Processing Activities (RoPA)

Published on October 28, 2021

The first pillar of a strong data protection/privacy program is an effective data discovery and classification capability. Bottom line is, you have to know your assets in order to properly protect them.

In addition to the data protection benefits of data mapping, this exercise is often required by law. For instance, the EU’s General Data Protection Regulation (GDPR) requires covered entities to create what is known as a “Record of Processing Activities (ROPA).” More specifically, Article 30 of the GDPR requires a “data controller” to “maintain” a ROPA that identifies the following elements:

  • The name and contact details for the enterprise’s Data Protection Officer (DPO);
  • categories of the personal data being processed such as customer contact information, financial information, health records, etc.;
  • category of affected data subjects: consumer, employee, contractor, etc.;
  • the purpose for processing any personal data, i.e., why is the personal data being used/collected;
  • the lawful rationale for data collection (legal basis under Art. 6) and legitimate interests for personal data collection;
  • cross-board data flows outside the EU/EEA;
  • a description of both processes and procedures: human or technological for securing and/or safeguarding the data; and
  • data retention schedules.

The bottom line is, the ROPA is an important undertaking as it gives companies a complete inventory of their data processing and provides an overview of precisely how personal data is being handled. From a practical standpoint, an accurate, updated, and comprehensive ROPA helps companies remain legally compliant, thereby helping them avoid sanctions, fines, or penalties that might be otherwise imposed under the GDPR.

Advisori understands that the development and maintenance of a ROPA, even for the smallest enterprise, is a significant undertaking. However, as data privacy laws grow and evolve, (e.g. GDPR, CCPA/CPRA) we believe that best practices dictate that even for those companies not required to build a ROPA, that doing so would aid in overall risk mitigation. As specified above, the process of building the ROPA requires a company to investigate and discover, with precision, the types and volumes of the data they hold and related data-processing activities, cross-boarder data transfers, and data retentions schedules. From there, companies must document their legal basis for collecting and processing all personal data they hold. Finally, they must accurately document what they are doing to protect such personal data.

We provide our clients with the necessary people, process, and technology to efficiently build and just as importantly, maintain an accurate, comprehensive, and current ROPA. Our DPOs have extensive experience building and maintaining ROPAs for business in all industries, operating around the world. Moreover, Advisori has partnered with to provide our clients with the most advanced data mapping automation technology in the industry. Combining this technology with our mature and robust data mapping processes, our DPOs start with the creation and dissemination of user-friendly electronic assessments custom-tailor for our clients. These assessments allow us to quickly and efficiently identify business assets, vendors, and institutions holding or processing personal data. From there, we scrutize company assets for a precise and current data inventory and map these assets to processing activities. Where appropriate, we further assess this asset for privacy risks, which we then quantify and document, thereby allowing us to implement effective risk mitigation strategies.

Data Mapping Automation

When considering what a ROPA really is, one might surmise that this knowledge already exists organizationally and is readily available. That may be true for some companies; however, this critical information is typically siloed and lives within multiple knowledge bases, which are neither centrally maintained nor refreshed on a regular basis. Therefore, from a company perspective, automated data discovery and ROPA development just makes good business sense, irrespective of whether or not a regulatory body mandates it. Also, as consumers grow increasingly savvy and more “data-privacy conscious,” the smart play is to get in front of this now.

Contact the Advisori Team: we can get this process underway, and give you the people and tools you need to maintain compliance.