Author: Marija Bošković Batarelo, Parser compliance
What is a Record of processing activities (ROPA)?
Among the obligations set out by the General Data Protection Regulation (GDPR), there is one on maintaining records of processing activities (ROPA).
It is an internal record that contains information on all personal data processing activities carried out by the company or organization.
In Article 30, GDPR lays out provisions regarding the obligation of maintaining records, their content, their form, their obligation to make records available to the data protection authority, and the exceptions to the obligation of maintaining a record.
It is intended as an accountability measure for companies and a first step down the road of compliance to data protection laws.
As we will explain later, maintaining records of processing activities should not be taken merely as a burdensome obligation but should also be used as a helpful tool to ensure compliance.
Is keeping a Record of processing activities obligatory?
The first question a data controller or processor should ask themselves is whether this obligation applies to them. The short answer is YES, it most likely does.
Although this obligation applies only to enterprises or organizations employing more than 250 persons, there are some notable exceptions to this rule.
The record-maintaining obligation shall also apply to every enterprise or organization employing fewer than 250 persons if:
- processing it carries out is likely to result in a risk to the rights and freedoms of data subjects;
- processing is not occasional;
- processing includes special categories of personal data;
- processing includes personal data relating to criminal convictions and offenses.
After a closer examination, we can determine that the second criteria are applicable to most (if not all) enterprises and organizations since they fall under some national obligation that makes some type of processing of personal data mandatory.
The most obvious example of this would be the obligation of processing of personal data of employees for the purposes of paying out their salaries. The nature of this obligation makes this activity periodic and regular, in contrast to occasional.
![[RELATED TOPIC: Procesing personal data of employees]](https://no-cache.hubspot.com/cta/default/5699763/46ecda50-4ff6-46b0-969d-c7f940bda947.png)
Mandatory content of Records of processing activities
Records of processing activities should be a comprehensive list of all the processing activities that data controllers and data processors perform and particularities relative to them.
The following information is laid down by Article 30(1) as mandatory content for every record of processing activity kept by a data controller:
- name and contact details of the controller;
- purposes of the processing;
- categories of data subjects;
- categories of recipients;
- transfers of personal data to a third country or an international organization;
- time limits for erasure;
- technical and organizational security measures.
Pursuant to Article 30(2) data processors are obligated to record the following information on their records of processing activities:
- the name and contact details of the processor or processors and each controller on behalf of which the processor is acting;
- the categories of processing carried out on behalf of each controller;
- transfers of personal data to a third country or an international organization;
- technical and organizational security measures.
Additional content of Records of processing activities
This certainly does not preclude controllers and processors from including some other information in their records. However, the record of processing activities should not be smothered with too much information, especially the unnecessary ones.
They should be neat, simple, and intelligible. There are two main reasons for this:
1. Make Records available to the supervisory authority
The first one is regarding the obligation of the controllers and processors, set out by the GDPR in Article 30(4), to make the record available to the supervisory authority on request.
It is in the controller/processor’s best interest to make it easier for the supervisory authority to do all the intended inspections. Since the record of processing activities is most likely to be the starting point of any supervision, that process will be that much faster and less painful if the records are kept in a neat, almost minimalistic form.
2. Have better control over processing activities
The second reason is to help the controller/processor be in control over their processing activities and GDPR compliance.
Record of processing activities should be the basis of GDPR compliance of a company and, therefore, should be kept in such a way that makes it easy for the controller/processor to oversee all its processing activities and to add, alter, or remove information as circumstances change.
However, it does not mean that adding additional information other than the required is wrong.
If adding more information makes it easier to overview all the processing activities and to maintain a high compliance level, then it is highly recommended to do so.
Keep the ROPA up to date
Keeping records of processing activities regularly updated is of very high importance.
Failing to keep records simple and neat and to update them regularly would soon lead to a situation that requires a lot of time and energy to put things back in order.
Messy records could make it harder to maintain a satisfactory level of compliance, which may eventually lead to high penalties.
Therefore, records of processing activities can help keep enterprises and organizations in control of the legality of their processing activities, their level of security, and their obligations regarding personal data protection.
![Download templates for Records of Processing Activities [For Different Industries]](https://no-cache.hubspot.com/cta/default/5699763/88c320cd-2e9f-423a-8c5e-bdc32b48d80f.png)
Records of processing activities Forms
As for the form of the records, the GDPR demands it to be written, which includes an electronic form. For this purpose, Microsoft Excel sheets are the most popular tool.
Some national supervisory authorities have issued their own version of the record of processing activities template. Here are two examples from French (CNIL) and British (ICO) supervisory authorities:
Records must be kept by controllers/processors themselves so that they can have an overview of their processing activities.
Controllers/processors should designate one person within their structure to personally be in charge of maintaining the records.
If the controller/processor has a designated data protection officer, usually, the data protection officer will be in charge of maintaining records.
New privacy management solutions, such as Data Privacy Manager, are useful tools to monitor compliance and notify designated persons of each change.
It is wise to set an obligation for the heads of each department within the company to notify the person designated to maintain the records on each change made to their processing activities (new contracts signed, new data processors, new purposes, new data subject categories, etc.) so that the records could be kept as up to date as possible.
Having records of processing activities should be a primary concern when it comes to GDPR compliance.
Not only are they required by the law, but they are also very useful tool for monitoring compliance.
