Ensure GDPR compliance by creating and maintaining Records of Processing Activities (RoPA). Learn who needs a RoPA, the requirements, what it must contain, and how to keep it up-to-date. Explore a practical guide with a downloadable RoPA template.
Your business must create and maintain Records of Processing Activities (RoPA) to comply with the EU General Data Protection Regulation (GDPR). If you do not maintain such records, you violate the law.
Many website operators and business owners, in general, think that having a privacy policy and cookie banner is all they need for GDPR compliance. That's not true.
But, no worries, creating a ROPA is not rocket science. If you know your data flows, you'll create and maintain one without too much effort.
In this article, we'll delve into the details of ROPAs and guide you on how to create one for your company.
You will learn:
GDPR Recital 82 states: "In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it so that they might serve to monitor those processing operations."
This clearly implies that the ROPA is needed for times when the data protection authorities knock on your door and request your Records of Processing Activities to get an idea of what is going on with personal data within your organization.
Until then, the ROPA needs to be kept up-to-date in your records.
According to GDPR Article 30, a ROPA is obligatory for every data controller or processor that has more than 250 employees. Companies with fewer than 250 employees have to maintain an ROPA if they process sensitive personal data (special categories of data) or criminal conviction data.
For all the rest, having one is a good practice.
The data map is not an official document required by the GDPR. It is not part of GDPR compliance for companies. It is a tool that maps the data flows and informs the data privacy decisions in the company.
The ROPA, on the other hand, is mandatory for some data controllers and data processors, and a supervisory authority may request it.
The ROPA helps data protection compliance by ensuring that there is a record available to the supervisory body should they audit the privacy practices of a company. Furthermore, it helps by putting on paper, in a clear and concise way, the data flows within the company.
On one hand, it provides better clarity for the business. On the other hand, it helps the business be accountable.
The GDPR prescribes who needs an ROPA, what it needs to contain, and who is exempt from the duty to maintain one.
Article 30 has slightly different requirements for data controllers and data processors.
Data controllers are required to include:
The data processor's ROPA has to include:
There is no specific format in which this information must be kept. You are free to create it in any way that is suitable for your business, as long as it achieves its purpose.
However, you must ensure that the information inside is detailed.
Here's what it should not look like:
| Field | Value |
|---|---|
| Purpose of processing | analytics, marketing |
| Data subject categories | website visitors, email subscribers |
| Third parties: recipients of data | Google, Meta, Bytedance, and Mailchimp |
| International data transfers | United States |
The table above is wrong. Instead, you should do it in the following way:
| Data category | Processing purpose | Third parties: recipients | International data transfers |
|---|---|---|---|
| Email address | marketing | Mailchimp | United States |
| IP address | analytics | Google | United States |
| Device details | analytics | Google | United States |
| Device details | marketing | Google, Meta, and Bytedance | United States |
The table above is not complete either because there is not enough space on this web page to include all the information, but you get the idea about the level of detail needed for a GDPR-compliant ROPA.
The ROPA does not need to be published on your website. It is an internal record that should be available only to you and the data protection authorities in case they ask for it.
Your privacy policy (privacy notice) is the document that serves to inform your users how you process personal data. It is the only data-subject-facing document required on your website. The ROPA doesn't need to be there.
There are a few steps to take to create and maintain a ROPA:
The ROPA must reflect the current personal data processing activities at all times.
If your business starts collecting phone numbers next Monday, the records must include phone number processing from next Monday.
If, from next Wednesday, you delete the emails of unresponsive subscribers after six months instead of one year, you need to update the data retention periods. If you switched from Mailchimp to Brevo, make sure you update the recipients accordingly.
The ROPA informs what happens at this very moment with your data processing practices. It must change as they change.
That's why you must ensure that you are informed of all such changes whenever they happen in your organization. That's the only way to keep your records up-to-date and compliant with the GDPR.
You can find the UK ICO's templates at this link, along with more details on how to create a ROPA.
Again, there is no prescribed format. Feel free to adjust the template to fit your business.