How to turn your ROPA into a roadmap for your privacy management program

by Sypher - April 27, 2023


One of the biggest challenges you face as a DPO is keeping track of all the information that needs to be checked and all the documents that must be maintained so that you can demonstrate compliance with data protection regulations.

Yes, you can keep a list of all the balancing tests, privacy notices, data processing agreements, DPIAs, third country transfer assessments, vendor security assessments, policies, procedures and so on.

But beyond the typical policies and procedures and general information that everyone has or collects, how do you check that your list is complete? And how do you decide when it's time to update it?

Everything you need is in your ROPA

Every ROPA includes a list of all the data processing activities, together with the types of data processed, categories of data subjects, where the data comes from, how it is processed and stored and who has access to it, inside and outside your organization.

And because it's handy to have everything in one place, you'll often find additional information such as the lawful basis for processing and sometimes a list of data supporting assets.

What this means is that you can build the list of specific documents required for each activity by applying some simple rules, such as:

  • If an activity is based on legitimate interest, then you will need a balancing test;
  • For each activity where special data is processed you should have an additional lawful basis;
  • For each data source and category of data subjects you should have a privacy notice; if the processing related to a data source is based on consent, add a separate consent form as well;
  • For each data recipient you should have a data processing agreement and a security assessment for each processor;
  • For each activity that has a high risk score you can decide that you need a DPIA;
  • For each activity where you identify a third country transfer, you should have a transfer assessment.

Best of all, each time you update your ROPA, you can easily see what you need to do next. For example, what documents need to be updated or created, or what information needs to be collected.

But you need to get it in tip-top shape

You can only use your ROPA as a blueprint for your privacy management program if it is well structured and accurate. Otherwise, it's like taking a walk in the woods with the wrong map - you're more likely to get lost than arrive at the lodge with a hot drink in hand.

This requires you to tackle the most common ROPA problems typically found in spreadsheets:

  • Incomplete information - this can mean that information is missing completely (easier to spot) or only partially completed (much harder to find).
  • Duplicated information - when different people enter information into a document, you often end up with slightly different names for the same thing. You also end up with multiple versions of the same information, leaving you wondering which one is the most up to date.
  • Ambiguous information - have you ever seen a ROPA where someone has been asked what categories of data they process and they've typed in 'everything that's needed'? We have, and it happens more often than you might think, especially if you work in a large organisation with a ROPA that has hundreds of activities.
  • Misplaced information - copy/paste is a big thing in spreadsheet-based ROPAs. This is because people often have to enter the same information over and over again. It only takes one wrong click to paste the information in the wrong place, and you may never find it until you wonder why you see 'email' and 'name' listed as recipient categories.
  • Hard to verify - with spreadsheets, verifying the accuracy and completeness of your ROPA can be time consuming and difficult, especially if multiple people are responsible for updating the document.

Here’s how Sypher can help

Yes, you can manually create a good ROPA and keep it up to date, but this comes at a significant time cost to you and your colleagues. If you decide to replace your ROPA spreadsheets, here's how Sypher can help you solve the problems mentioned above:

  • Step-by-step project plan - Sypher provides a structured project plan to guide you through the process of cleaning, reviewing and updating your ROPA, and has a built-in logic module that automatically shows you what additional documentation or information is required to demonstrate compliance;
  • Progress tracking - the progress measurement feature displays the percentage of completion for required information;
  • 3D mapping suggestions - our validation engine correlates information from multiple sources, much like a journalist verifying a news story. This helps you find and fix problems with partial information, like missing data recipients (that might be associated with a third country transfer) or data types (which might be sensitive, requiring an additional lawful basis);
  • Automated DPIA pre-assessment - Sypher will analyse your ROPA and automatically highlight the activities that are likely to require a DPIA;
  • ROPA versioning and change logging - the platform includes robust version control and change logging capabilities, enabling you to track every change;
  • Review and approval system - Sypher's review and approval system ensures that only approved information is included in the official ROPA;
  • Change monitoring - when mapping changes are detected, Sypher automatically reopens activities and notifies the owner to review them;
  • Simplified interface for business colleagues - because providing information can be a rocky experience for all parties involved, we’ve designed a user-friendly interface that makes it easy for colleagues across your organisation to contribute to the ROPA review and update process. 

Last but not least

Using Sypher to maintain a structured and accurate ROPA can benefit your privacy management program in more ways than one. Below we've listed some other resources you may find useful:

