GDPR Records of Processing Activities (Article 30 RoPA):The Ultimate Guide

Many website operators and business owners, in general, think that having a privacy policy and cookie banner is all they need for GDPR compliance. That's not true.

But, no worries, creating a ROPA is not rocket science. If you know your data flows, you'll create and maintain one without too much effort.

In this article, we'll delve into the details of ROPAs and guide you on how to create one for your company.

You will learn:

• What is GDPR Article 30: Records of Processing Activities?
• Who needs to create and maintain a ROPA (and who doesn't need to)?
• What are the ROPA requirements?
• What a ROPA must contain
• How to create and maintain a ROPA
• How to keep a ROPA up-to-date
• Where to find a ROPA template
  

What is GDPR Article 30: Record of Processing Activities (ROPA)?

GDPR Recital 82 states: "In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it so that they might serve to monitor those processing operations."

This clearly implies that the ROPA is needed for times when the data protection authorities knock on your door and request your Records of Processing Activities to get an idea of what is going on with personal data within your organization.

Until then, the ROPA needs to be kept up-to-date in your records.

Who needs to create and maintain a ROPA?

According to GDPR Article 30, a ROPA is obligatory for every data controller or processor that has more than 250 employees. Companies with fewer than 250 employees have to maintain an ROPA if they process sensitive personal data (special categories of data) or criminal conviction data.

For all the rest, having one is a good practice.

How is the record of processing activities different from the data map?

The data map is not an official document required by the GDPR. It is not part of GDPR compliance for companies. It is a tool that maps the data flows and informs the data privacy decisions in the company.

On the other hand, some data controllers and data processors require the ROPA, which a supervisory authority might also request.

How does a ROPA help personal data protection compliance?

The ROPA helps data protection compliance by ensuring that there is a record available to the supervisory body should they audit the privacy practices of a company. Furthermore, it helps by putting on paper, in a clear and concise way, the data flows within the company.

On one hand, it provides better clarity for the business. On the other hand, it helps the business be accountable.

What are the GDPR requirements of ROPA?

The GDPR prescribes who needs an ROPA, what it needs to contain, and who is exempt from the duty to maintain one.

What do ROPAs need to contain?

Article 30 has slightly different requirements for data controllers and data processors.

Data controllers are required to include:

• The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative, and the data protection officer
• The purposes of the processing
• A description of the categories of data subjects and of the categories of personal data;
• The categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries or international organizations
• Transfers of personal data to a third country or an international organization, including the documentation of suitable safeguards
• Data retention periods, and
• A general description of the implemented technical and organizational measures

The data processor's ROPA has to include:

• The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer
• The categories of processing carried out on behalf of each controller
• Transfers of personal data to a third country or an international organization, including the documentation of suitable safeguards, and
• A general description of the implemented technical and organizational measures

There is no specific format in which this information must be kept. You are free to create it in any way that is suitable for your business, as long as it achieves its purpose.

However, you must ensure that the information inside is detailed.

Here's what it should not look like:

Purpose of processing analytics, marketing Data subject categories website visitors, email subscribers Third parties: recipients of data Google, Meta, Bytedance, and Mailchimp International Data Transfers United States

The table above is wrong. Instead, you should do it in the following way:

Data category Processing purpose Third parties: recipients International data transfers Email address marketing Mailchimp United States IP address analytics Google United States Device details analytics Google United States Device details (the field should be merged with the one above) marketing Google, Meta, and Bytedance United States

The table above is not complete either because there is not enough space on this web page to include all the information, but you get the idea about the level of detail needed for a GDPR-compliant ROPA.

Does the ROPA need to be published on the website?

The ROPA does not need to be published on your website. It is an internal record that should be available only to you and the data protection authorities in case they ask for it.

Your privacy policy (privacy notice) is the document that serves to inform your users how you process personal data. It is the only data-subject-facing document required on your website. The ROPA doesn't need to be there.

How do I create and maintain a record of processing activities?

There are a few steps to take to create and maintain a ROPA:

• Do a data mapping exercise to map out all the business's data processing activities. It will help you figure out how personal data flows in and out of your business and will do much of the work needed for an ROPA.
• Involve all the stakeholders within the organization and ensure they give their feedback in the process. The marketing department, HR, the sales team, and your accountants all process personal information. Make sure that every single person who gets in touch with any category of personal data processed within your business contributes information.
• Ensure you get updates from all the stakeholders when the organization's data processing activities change. The same people make changes to your practices and must update you whenever they make changes because such changes must be reflected in the Records of Processing Activities.
• For organizations looking to automate this process, consider using a Process Register Module that streamlines GDPR Article 30 compliance.
  

How to keep your ROPA up-to-date

The ROPA must reflect the current personal data processing activities at all times.

If your business starts collecting phone numbers from the next Monday, the records must contain information on phone number processing from the next Monday.

If you decided to delete the emails of unresponsive subscribers after six months instead of one year from the next Wednesday, you need to change the data retention periods. If you changed from Mailchimp to Brevo, make sure you update accordingly.

The ROPA informs what happens at this very moment with your data processing practices. It must change as they change.

That's why you must ensure that you get information on all the changes whenever they happen in your organization. That's the only way you could keep your records updated and compliant with the GDPR.

Record of Processing Activities template

You can find the UK's ICO templates on this link, along with more details on how to create a ROPA.

Again, there is no prescribed format. Feel free to adjust the template to fit your business.