An accurate and usable ROPA (records of processing activities) is essential for the success of your privacy management program and will support you with the other tasks required to document and demonstrate compliance with privacy regulations.
However, building a proper ROPA and putting it to good use can be challenging. To help with this, here are 4 suggestions to consider:
A ROPA that is too superficial can lack the necessary details to help you analyse and document compliance.
A sign of this problem is an activity description that is too long (which could indicate that several activities have been combined into one).
Additionally, it may be difficult to understand which types of personal data are processed for each data subject and how data flows inside and outside the organisation.
Another red flag to look for is when a large organisation has only identified a few dozen activities, an unlikely situation in practice.
On the other hand, a ROPA that is too detailed can be overwhelming to understand and update. A typical symptom of this problem is very similar or identical processing activities (e.g. the same activity entered by different departments), or a ROPA with several hundred activities.
A good ROPA should make it easier for you to create privacy notices, manage data subjects’ requests (e.g. by showing where the data is likely to be found for a specific type of data subject), and keep track of processors, among others.
To achieve this, you need to make sure that the data is properly structured, so you can search and filter, and there is no duplicated or ambiguous information.
If your organisation still keeps its ROPA in spreadsheets, structuring it is easier said than done, so you might want to read this article.
Providing a “general description of the technical and organisational security measures” as required by Article 30 can be done in more than one way.
The usual (and less than ideal) approach is to add a text description to each activity. This typically results in annoyed colleagues and duplicated or very similar information, typed dozens or hundreds of times, that’s impossible to update or verify.
If the preferred approach described next is not feasible, you can get much the same value with less work by producing a single general document that describes the security controls in place to protect personal data.
The preferred approach, however, is to identify the relevant data supporting assets for each activity, document the security controls for each of them, and then assess the impact those controls have on the likelihood of a privacy risk occurring for each activity.
This can be done by connecting each activity in your ROPA with the relevant assets from the InfoSec data assets register, so instead of conducting completely separate analyses, existing information can be reused by both departments.
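As an added illustration of the linked approach described above (this is example code written for this point, not a tool or data model from the article's authors; the field names, ids, asset names and controls are constructed assumptions), the following Python sketch models ROPA activities that reference an asset register and runs the checks suggested earlier: near-duplicate activities entered by different departments, activities with no supporting asset, the controls an activity inherits from its assets, and a filter that locates data for a given data subject type, as needed when handling a data subject request.

```python
"""Example ROPA model linked to an asset register (illustrative; all fields and data are constructed)."""
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Asset:
    """Entry from the InfoSec asset register (hypothetical fields)."""
    asset_id: str
    name: str
    controls: tuple[str, ...]


@dataclass(frozen=True)
class Activity:
    """One ROPA processing activity (hypothetical fields)."""
    activity_id: str
    name: str
    department: str
    data_subjects: tuple[str, ...]
    data_categories: tuple[str, ...]
    asset_ids: tuple[str, ...]  # links into the asset register


# Constructed sample data, not taken from any real organisation.
ASSETS = {
    "AST-HR": Asset("AST-HR", "HR database", ("encryption at rest", "role-based access", "daily backups")),
    "AST-CRM": Asset("AST-CRM", "CRM platform", ("MFA", "audit logging")),
}

ACTIVITIES = [
    Activity("ACT-01", "Payroll processing", "HR", ("employee",), ("bank details", "salary"), ("AST-HR",)),
    # Same activity re-entered by another department: the duplicate the article warns about.
    Activity("ACT-02", "Payroll Processing ", "Finance", ("employee",), ("bank details", "salary"), ("AST-HR",)),
    Activity("ACT-03", "Customer support tickets", "Support", ("customer",), ("contact details",), ("AST-CRM",)),
    # No supporting asset recorded, so its security measures cannot be traced.
    Activity("ACT-04", "Marketing newsletter", "Marketing", ("customer", "prospect"), ("email address",), ()),
]


def _normalise(name: str) -> str:
    """Lower-case and collapse whitespace so trivial typing differences do not hide duplicates."""
    return " ".join(name.lower().split())


def find_near_duplicates(activities, threshold=0.85):
    """Pairs of activity ids whose names are identical or nearly so after normalisation."""
    pairs = []
    for i, a in enumerate(activities):
        for b in activities[i + 1:]:
            ratio = SequenceMatcher(None, _normalise(a.name), _normalise(b.name)).ratio()
            if ratio >= threshold:
                pairs.append((a.activity_id, b.activity_id))
    return pairs


def activities_without_assets(activities, assets):
    """Activities with no link, or only dangling links, into the asset register."""
    return [a.activity_id for a in activities
            if not any(aid in assets for aid in a.asset_ids)]


def controls_for_activity(activity, assets):
    """Security controls an activity inherits from its linked assets (the reuse described above)."""
    controls = set()
    for aid in activity.asset_ids:
        if aid in assets:
            controls.update(assets[aid].controls)
    return controls


def locate_data_for_subject(activities, assets, subject_type):
    """For a data subject request: which activities, and which assets, hold data on this subject type."""
    hits = {}
    for a in activities:
        if subject_type in a.data_subjects:
            hits[a.activity_id] = [assets[aid].name for aid in a.asset_ids if aid in assets]
    return hits


if __name__ == "__main__":
    print("Near-duplicate activities:", find_near_duplicates(ACTIVITIES))
    print("Activities without a supporting asset:", activities_without_assets(ACTIVITIES, ASSETS))
    print("Controls for ACT-03:", sorted(controls_for_activity(ACTIVITIES[2], ASSETS)))
    print("Where employee data lives:", locate_data_for_subject(ACTIVITIES, ASSETS, "employee"))
```

The point of the structure is that security controls are recorded once, on the asset, and every activity that uses that asset reads them from there; the duplicate check and the missing-asset check are the two red flags from the earlier paragraphs expressed as queries over the same data.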
For more details, here’s why we believe that privacy and security are two sides of the same coin and why it pays to start thinking of them this way.
Involving your colleagues in the process of updating the ROPA not only helps to keep it accurate and usable, but also allows them to become more familiar with key privacy concepts, to better understand how personal data flows inside and outside of your organisation, and to consider the importance of proper storage and protection.
Besides that, it serves as a great opportunity to improve their ability to recognize personal data and processing activities, and raises awareness about the fact that data protection is everyone's responsibility.