How to create a ROPA (Record of processing activity), GDPR Article 30

iSTORM®️ Privacy-Security-Pentesting
25 Feb 2021, 11:16

Summary

TL;DR: This video from the 'Data Protection Diaries' series delves into the importance and creation of a Record of Processing Activities (RoPA) as mandated by Article 30 of the GDPR. It clarifies RoPA's purpose, emphasizing its value in documenting personal data processing activities for regulatory compliance and organizational insight. The host offers practical advice on initiating and maintaining a RoPA, suggesting the use of questionnaires, templates, and regular updates to ensure the document remains a living, accurate reflection of an organization's data handling practices.

Takeaways

  • 📝 A Record of Processing Activities (RoPA) is a requirement under Article 30 of the GDPR, documenting how organizations process personal data.
  • 🔎 RoPA can help organizations understand what personal data they process, who they share it with, the purposes, and the security measures in place.
  • 🤔 Many organizations find RoPA confusing and are unsure where to start, but it's essential for regulatory compliance and organizational insight.
  • 🚀 Starting a RoPA means not being intimidated by the process and accepting that it is a time-consuming task that requires effort and buy-in from the organization.
  • 🛠 There are tools and privacy management software available to help create a RoPA, but simple templates can also be effective, especially those provided by the ICO.
  • 📚 RoPA should document all processing activities, including HR, marketing, and third-party processing, where personal data is handled.
  • 📋 A questionnaire can be a useful tool to gather information from different departments about the data they hold, its usage, protection, and retention period.
  • 🔑 Keeping the RoPA simple and avoiding over-complication is key to making it accessible and easy to manage.
  • 🔄 RoPA is a living document that needs regular updates to reflect changes in data processing activities and third-party relationships.
  • 📅 It's recommended to have a defined review period for the RoPA, such as quarterly, semi-annually, or annually, to ensure accuracy and relevance.
  • ✉️ If you have questions or need assistance with creating a RoPA, reaching out to experts or checking resources like the ICO's website can provide guidance and support.

Q & A

  • What is a Record of Processing Activities (RoPA)?

    - A RoPA is a document that records an organization's processing activities, as required under Article 30 of the GDPR. It helps organizations display and document the processing of personal data they undertake.

  • Why is a RoPA important for an organization?

    - A RoPA is important because it is a regulatory requirement under GDPR and serves as a tool for the organization to understand what information it processes, who it shares that information with, the purposes of processing, and the security measures in place.

  • Are there any exceptions to the RoPA requirement under GDPR?

    - While there are some exceptions where organizations may be exempt from the RoPA requirement, the video focuses on explaining the RoPA and its importance rather than detailing these exceptions.

  • What are the two main reasons for maintaining a RoPA?

    - The two main reasons are regulatory compliance and the opportunity for the organization to gain a comprehensive understanding of its data processing activities, including the information it holds, who it shares that information with, and the security measures it has in place.

  • How can an organization start creating its own RoPA?

    - An organization can start by using tools associated with privacy management software, or by using simple templates provided by regulatory bodies like the ICO, which also offer guidance on creating a RoPA.

  • What is the recommended approach to gather information for the RoPA?

    - The recommended approach is to devise a questionnaire and issue it to all departments across the business to collect information about the data they hold, its usage, protection, and retention period.

  • Why should the RoPA not be over-complicated?

    - Over-complicating the RoPA can make it difficult to manage and understand. It's better to batch similar data items together and create a key for reference, making the document more accessible and easier to maintain.

  • How often should the RoPA be updated?

    - The RoPA should be an organic, living document that is updated as changes occur within the organization. This could be done on a systematic basis with every change or through a defined review period, such as quarterly, semi-annually, or annually.

  • What are some tips for making the RoPA creation process less burdensome?

    - Tips include starting with simple templates, not over-complicating the document, involving key stakeholders, and treating the RoPA as an organic document that needs regular updates rather than a one-time task.

  • How can technology assist in the creation and maintenance of a RoPA?

    - Privacy management software and tools can assist by quickly collating and collecting information, and some platforms can automatically populate a RoPA with updates from contracts and review processes.

  • What should an organization consider when deciding on the frequency of RoPA reviews?

    - An organization should consider the size and complexity of its operations, the frequency of changes in data processing activities, and the resources available for managing the RoPA when deciding on the review frequency.

Outlines

00:00

📝 Understanding the Record of Processing Activities (RoPA)

This paragraph introduces the concept of a Record of Processing Activities (RoPA), which is a requirement under Article 30 of the GDPR. It explains that RoPA is essential for documenting an organization's data processing activities and serves as a regulatory requirement and a tool for organizational understanding. The speaker emphasizes the importance of RoPA in the event of a data breach, as it provides regulators with a snapshot of the organization's data handling practices. The paragraph also encourages viewers not to be intimidated by the process and to view RoPA as an evolving document that grows with the organization.

05:03

🔍 Creating and Managing Your RoPA

The second paragraph delves into the process of creating a RoPA, suggesting the use of questionnaires to gather information from various departments about their data handling practices. It advises against over-complicating the RoPA and recommends using simple templates, such as those provided by the ICO, to streamline the documentation process. The speaker also highlights the importance of engaging with stakeholders and ensuring the accuracy of the RoPA. Additionally, the paragraph discusses the need to simplify data categorization and stresses the RoPA's role as a living document that must be regularly updated to reflect changes in data processing activities.

10:04

🗓 Keeping Your RoPA Up-to-Date

The final paragraph focuses on the ongoing maintenance of the RoPA, emphasizing that it is not a static document. It discusses the importance of updating the RoPA to reflect changes in data processing, third-party relationships, and new data sets. The speaker suggests two approaches to keeping the RoPA current: either by systematically updating it with every change or by setting a defined review period, such as quarterly or annually, to reassess and revise the document. The paragraph concludes by reminding viewers of the importance of accuracy and currency in the RoPA and invites any questions they may have, providing contact information for further assistance.

Keywords

💡ROPA

ROPA stands for 'Record of Processing Activities', which is a crucial requirement under Article 30 of the GDPR. It is a document that records all the activities related to the processing of personal data by an organization. The script emphasizes the importance of ROPA as a regulatory requirement and a tool for organizations to understand and manage their data processing activities.

💡GDPR

The General Data Protection Regulation (GDPR) is a regulation in EU law that focuses on data protection and privacy for individuals within the European Union. The script discusses ROPA as a requirement under the GDPR, highlighting its significance in ensuring compliance with data protection regulations.

💡Processing Activities

Processing activities refer to any operation or set of operations performed on personal data, such as collection, storage, and analysis. The script explains that ROPA should document all types of processing activities, including HR processing, marketing, and third-party processing.

💡Regulatory Requirement

A regulatory requirement is a mandatory condition imposed by a regulatory authority. In the context of the script, ROPA is a regulatory requirement under the GDPR, which organizations must fulfill to demonstrate compliance with data protection laws.

💡Personal Data

Personal data is any information relating to an identified or identifiable individual. The script discusses the importance of documenting how organizations process personal data and the need for transparency in these activities.

💡ICO

The Information Commissioner's Office (ICO) is the UK's independent authority responsible for upholding information rights and data privacy. The script mentions that the ICO or other regulators may request to see an organization's ROPA in the event of an incident or breach.

💡Data Breach

A data breach occurs when unauthorized individuals gain access to sensitive information. The script suggests that ROPA can provide regulators with a snapshot of an organization's data handling practices, which is important in the event of a data breach.

💡Templates

Templates are pre-designed documents that can be used as a starting point for creating specific types of content. The script advises using templates, such as those provided by the ICO, to simplify the creation of ROPA and ensure that all necessary information is collected.

💡Key Stakeholders

Key stakeholders are individuals or groups who have a significant interest or involvement in a project or organization. The script recommends engaging with key stakeholders across the business to gather information for the ROPA and ensure its accuracy.

💡Organic Living Document

An organic living document is a document that evolves and is updated over time to reflect changes. The script emphasizes that ROPA should be treated as an organic living document that is regularly reviewed and updated to reflect any changes in data processing activities.

💡Data Protection

Data protection refers to the measures taken to secure personal data and prevent unauthorized access or misuse. The script's main theme revolves around data protection, focusing on how ROPA helps organizations comply with GDPR and manage their data processing activities.

Highlights

ROPA stands for Record of Processing Activities and is a requirement under Article 30 of the GDPR.

ROPA can cause confusion, and organizations often get lost when discussing it.

The video aims to explain what a ROPA is, its importance, and how to build one for an organization.

ROPA is a way for an organization to document the processing activities it undertakes, including HR, marketing, and third-party processing.

There are two main reasons for ROPA: regulatory requirement and as an opportunity for organizations to understand their data processing.

ROPA provides a snapshot view of the organization's data handling and security measures.

Creating a ROPA is a time-consuming process and should be treated as an organic, growing document.

There are tools and privacy management software available to help with creating a ROPA.

The ICO's website offers guidance and templates for creating a ROPA for both controllers and processors.

A questionnaire can be issued to all departments to gather information for the ROPA.

Key stakeholders should be involved in reviewing and updating the ROPA to ensure accuracy.

Avoid over-complicating the ROPA template to make it easier to manage and understand.

Batch similar data points together and create a key for easier documentation.

ROPA is an organic living document that needs to be updated as the organization and its processing activities change.

Systematic updates or defined review periods are recommended to keep the ROPA current.

The video provides tips on getting started with creating a ROPA and encourages viewers to reach out with questions.

Transcripts

00:06

Welcome back to the Data Protection Diaries. In today's video we are going to be talking about RoPAs. Many of you may have heard the term. RoPA stands for Record of Processing Activities, and it's a requirement under Article 30 of the GDPR. Now, it is a topic that can cause some confusion, and a lot of people that we speak to, a lot of organizations we speak to, do tend to get a bit lost when we're talking about RoPAs and don't necessarily know where to start. So in this video we're going to explain what a RoPA is, why it's important and, of course, how you can start to build out your own RoPA for your own organization.

00:49

If you find this content interesting, if you find this video useful, please do like, subscribe to the channel and comment down below. If you're already subscribed, make sure you hit the notification bell and you'll be informed when we release new videos, and of course if you're new to the channel please do make sure that you subscribe, because we are very close to reaching 500 subscribers. But for today, let's get on with the video.

01:14

So what is a RoPA? A RoPA is a record of processing activities. Now, this is a requirement for many organizations under Article 30 of the GDPR. There are some exceptions where organizations are exempt, but we're not going to go into those today; we're just going to focus on the RoPA and why it's important. A RoPA is exactly what it says on the tin: it's a way for your organization to display and document the processing activities that it undertakes. Now, when we're talking about processing activities, that could be HR processing, it could be marketing, it could be third-party processing. Any kind of activity where you are processing personal data should be documented within your record of processing activities.

02:07

There are two main reasons for this. The first is, of course, that it's a regulatory requirement, and that's an important part of this process. But the second is actually that the RoPA is a fantastic opportunity for your organization to understand what information it is processing, who it is sharing that information with, what the purposes are, but also how long you look to keep that information for and what security you have around it. It's very likely that if you have an incident or a breach, the ICO or the regulator in your country is going to ask to see your record of processing activity, because it gives them a snapshot view of the organization: what kind of information you're holding, what kind of controls you have in place and how long you intend to keep that information for. So think of it like a window on the organization. It's a way of seeing what goes on quickly and easily, so that organizations and regulators can make decisions without having to go into too much detail.

03:08

So the first thing to consider when you are looking at creating a record of processing activity is: do not be afraid. Don't shy away from it, and don't think that it's so complicated that it's going to be too hard for you to do and put it on the back burner. I'm not saying that it's easy to do, and it is going to take time, and it is going to take effort and buy-in from the organization, but it is a very, very useful tool and, at the end of the day, it's something that you have to do. So the first thing to remember is that this is a timely process, so it's not something that you're going to be able to do instantly; it is going to take you a little bit of time. But this is an organic, growing document, so this isn't something that you do and then leave. This is something that you do and then continue to iterate on throughout the years to come. So when you look at it from that perspective and treat it as something that needs to be grown, you start to realize that it's not as burdensome as you first might have thought.

04:07

So you've made the decision that you now need to start documenting your record of processing activities, and you want to find out the best way to do that. So there are a number of options that you have. There are obviously tools out there associated with some of the privacy management software, and these tools can be very effective and can be a very quick way of collating and collecting a lot of information in a short space of time. So there's definitely options out there, and I would recommend that you go and look at those. The other option, if you don't have the money and you're not looking to invest in technology, is to make sure that you're finding easy-to-use, simple templates. My advice is to go and have a look on the ICO's website, and you'll see that actually they have good, detailed guidance around creating a record of processing activity, and they also provide you with templates for both controllers and for processors. The templates aren't particularly complicated; they're easy to use, and it's easy to understand what information you should be collecting and from what department.

05:09

The next stage is to start finding out what information exists within your organization so that you can populate your record of processing activity. There are, of course, a number of ways that you can do this. You can try and do it off the top of your head and start trying to document the things that you think you know, but that's not recommended. The best thing that you can do is devise a questionnaire that can be issued out to all departments across the business and is essentially asking them what department they're in, what categories of information they're holding, what they use that information for, how they protect that information and how long they keep it for. Issuing a simple questionnaire out to various parts of the business will allow you to collate a lot of information in a much shorter space of time. Once you have that, you can start putting that into your template or into your tool, but then my recommendation is that you start going back out, meeting those key stakeholders, going through the information that they've provided and making sure that you're creating an accurate record of processing and filling in all of the requirements, either on your tool or on your template. Very often, when you actually start talking to people and you sit down with them, there's always going to be things that they've neglected to write down because it just didn't pop into their head, but when you get people moving through the processes you'll start to find that actually there's probably more processing going on than maybe they thought there was in the first place.

06:43

The next thing to remember is that when you're creating your record of processing activity, when you're creating your template, don't try and over-complicate it. We have seen some templates that are columns and columns and columns long, have lots of additional boxes, categorize every single piece of information independently, so line by line by line: name, address, telephone number, email address, postcode; all of these different things are separate lines of data. It is tempting to do that, but it does make it much more complicated and much harder to manage. My suggestion is that you actually start to batch that stuff down so that you can create yourself a key. So, for instance, contact details: contact details could include email address, postal address, mobile telephone number, and if you have a key, either on a separate tab of your spreadsheet, that explains what is covered by contact details, it's then much easier to document it in your main record of processing activity by just saying "HR: contact details" rather than having each individual item logged within the actual RoPA itself. This way it is easier to manage, it's much easier for people to read and for people to consume, and of course you still have the key in the background that details what those specific items mean. It's all about making it accessible, making sure that it's easy for people to understand and easy for the organization to use. If you can do that, and you can do that effectively, you will find that people are going to be much more inclined to help you and much more inclined to fill in the RoPA when their turn comes.

08:27

The final thing to remember when you're creating a RoPA is that, as we discussed at the beginning of this video, this is an organic living document. This document is going to be updated from time to time. Things within your organization are going to change, third parties are going to change, organizations that you share data with are going to change, you're going to introduce new data sets, you're going to introduce new processing activities. These things need to be included within your record of processing activity. Now, you really have two choices here. You can try and do that on a systematic basis every single time you change a processing activity, which is obviously the recommended way, but if you're in a large organization that is likely to be very difficult, because there's a lot of information, a lot of changes going on, and you'll be forever chasing your tail. This is more possible if you are using a platform or a software management tool, because some of these tools will allow you to feed in contracts and review processes that will automatically populate a RoPA, so that can be a good way of doing it in a larger organization. The other option is to make sure that you have a defined review period, be that quarterly, six-monthly or annual, that you reissue those questionnaires back out to the key stakeholders, or that you invite those key stakeholders to come have a meeting, review their sections of the RoPA and let you know if there have been any changes, and update the RoPA that way. The main thing is that you do not think that this is just a static document and that, once you have created your RoPA, you never need to look at it again, because that is not the case. It needs to be updated, it needs to be fresh, and you need to make sure that everything is as accurate as it possibly can be.

10:33

As always, this is a fairly succinct view on the world. There's a lot more that can go into creating a RoPA, but I hope that this will give you some sort of tips to get started. If you have any questions, please do contact us, and obviously the email address and the website are running across the bottom of the page, and you will also find them at the end of this video. For now, thank you very much for watching. If you're not subscribed, please do make sure that you subscribe, and as always let us know if you have any questions. Thanks very much.

Related Tags

GDPR Compliance, Data Protection, ROPA Guide, Regulatory Requirement, Organizational Tool, Privacy Management, Information Security, Data Processing, Record Keeping, Compliance Tips