Remember the first day of school when you were a kid, and the teacher handed out a sheet of paper with class rules, supplies needed, and study requirements? Excellent students followed those instructions (known as a syllabus) to a T and received an ‘A.’ Bad students didn’t pay attention, lost it, or threw it away and failed. Meanwhile, most students read the syllabus with the best intentions but maybe didn’t always follow it to the letter.
Now, suppose the syllabus is a set of rules and regulations for your business.
A few years ago, the European Union handed out a sort of syllabus regarding electronic data and privacy law – known as the General Data Protection Regulation (GDPR). Included in those regulations was a section called Article 30, which specifically addressed the requirement to maintain a Record of Processing Activities (referred to as a ROPA).
In the US, there is no direct equivalent of the Article 30 requirement. Instead, US privacy laws require a business purpose for processing data. This includes obtaining consent for using sensitive data, meeting data minimization and retention requirements, and determining whether data is sold, among other obligations. Companies can adapt their ROPA to document these data flows. Without this documentation, companies will have a hard time complying with all the US privacy requirements.
So, the question becomes, what kind of student is your company? Are you following the rules and regulations to a T? Are you destined to fail? Or, like most, are you trying but need some help?
The answer could have major implications for your business. But there is no need to panic, and we are here to help.
What is ROPA?
As previously stated, a ROPA is a record of processing activities. Under privacy law – including every part of Article 30 – that means, in part, that “a controller must maintain a record of processing activities (ROPA) under its responsibility,” including “all categories of processing activities.”
A ROPA includes detailed information about the types of personal data being processed, the purposes of processing, data retention periods, and data sharing practices and other required fields. A ROPA maintains transparency and accountability regarding data processing activities.
Records must be kept in writing, including in electronic form. Processing isn’t limited to the collection of personal data; its definition also covers the data stored in your data assets.
Article 30 of the EU General Data Protection Regulation (GDPR)
Not ALL companies that process personal data are bound by Article 30. There are some exceptions to its rules.
Emergence of ROPA
The General Data Protection Regulation was passed in the European Union in April 2016 and took effect in May 2018. Since then, other nations and states have begun to pass their own versions of the law. There are currently 14 state privacy laws in the United States.
But a ROPA should not be viewed as something to be done only to satisfy the law. In fact, a ROPA can give a business significant insight into its data management capabilities and practices. A ROPA can not only demonstrate compliance but also identify privacy risks and data insights within your business.
Expansion of ROPA globally
Due to the growth of privacy laws, organizations across the US and around the globe have undertaken the process of building a ROPA – and found it useful well beyond its legal purpose. That is why ROPAs have become more common, as companies discover their value in helping to establish:
- Business purposes – A ROPA helps organizations to recognize if the data being collected has any value to the business. It can also allow the business to create policies, such as privacy notices.
- Redundant data discovery – Accurate and updated records of processing activities help you to identify redundant data and see what may be purged.
- Data Subject Request fulfillment – A ROPA helps you access all the information your organization requires to promptly and efficiently handle data subjects’ requests.
Who needs to maintain a ROPA?
We already discussed that maintaining a ROPA typically falls on data controllers and data processors. However, you should also make a complete list of who is accountable for personal data processing within key business functions. This may include departments as varied as:
- Human Resources (employment & recruitment data)
- Sales & Marketing (customer/client data)
- Procurement (supplier data)
- Finance, IT, and Operations
Each person in charge of these roles should understand their responsibility in data gathering and maintenance.
What information should a ROPA include?
The baseline information incorporated in a ROPA must include:
- The name and contact details of the data controller/processor, the controller/processor’s representative, and their respective data protection officers. Processors should name each controller for whom the processing is done. Joint controllers should also be identified.
- The purposes of data processing
- Categories of processing activities that are carried out for each controller
- The categories of current or future recipients of personal data
- Categories of data subjects and of personal data
- Cross-border data transfers and, where applicable, the safeguards that are in place
- Data retention schedules, noting the period for erasure
- A general description of technical and organizational security measures
In addition, data protection authorities and industry experts hold that an effective ROPA also contains or links to documentation covering:
- The legal bases for processing (GDPR Article 6). The six bases are:
  - Consent
  - Contract Necessity
  - Legal Obligations
  - Vital Interest
  - Public Tasks
  - Legitimate Interests
- Sensitive Personal Data: Article 9 prohibits the processing of sensitive data unless one of the listed scenarios applies.
- Certain uses of data are exempt from Article 6 and have their own legal bases for processing, listed in Article 89 and Recital 156
- Controller-processor contracts
- The storage locations of personal data
- Cross-Border Transfers: the transfer mechanism used
- DPIA reports
- Records of any breaches
- An explanation of data retention practices
Maintaining a ROPA requires expertise, vigilance, discipline, and time. So, if you are looking to sustain a ROPA, please consider taking these steps:
- Data mapping: Do you identify all personal data being processed, including the data’s origin, its flow through your systems, and the purpose of processing?
- Documentation and updates: Do you maintain detailed and up-to-date records of processing activities? Do you link to other relevant documents such as Data Protection Impact Assessments (DPIAs) or relevant contracts?
- Data minimization: Do you ensure that only necessary personal data is collected and processed? This reduces the risk of data breaches.
- Findings mitigation plan: Do you have a plan to turn your findings into an actionable process, including mitigating risky processing behavior?
- Employee training: Before creating a ROPA, do all relevant parties understand the scope of the questions asked and the meaning of important legal concepts? For example, ensure employees understand what counts as sensitive data in the relevant jurisdiction. After the ROPA is in place, ask: Do you provide regular privacy and data protection training to employees?
We recommend utilizing our Data Inventory Excel Template to enhance your data management practices. This template has sample processing activities to help get you started on what to document, along with a list of fields you need to document for a complete data inventory.
How often should I update the record?
Your organization should update a ROPA annually or when significant processing changes occur.
Predictions for the future of ROPA and data regulations
As more and more states and nations pursue privacy and data law, the role of a ROPA takes on added significance.
We know that seven more states are set to enact comprehensive privacy law legislation soon, including Texas, Florida, and Montana in 2024, Tennessee and Iowa in 2025, and Oregon and Indiana in 2026.
These laws represent continued leaps forward in the changing philosophy regarding data privacy protection in the United States. And that is why it is essential to know what that means for you and how you must address the data flowing through your organization.
This is how you uphold a privacy program. These programs must be completed and updated regularly, which requires dedicated and knowledgeable personnel. Unfortunately, hiring this type of staff or paying for their positions is not always easy. The good news is that there are options that will help you meet all of your privacy program requirements while staying within your budget.
RCA Can Help
Are you the type of student who’s already on it? Do you know the syllabus inside and out and are ready to go? Or are you a student who knows how much work must be done but wonders if you are ready for the challenge?
At Red Clover Advisors, we know that syllabus and the teachers themselves. We make it our job to offer that expertise to you and make it actionable for your benefit.
So, if you need help establishing and maintaining a ROPA – or any form of data privacy and compliance – we are ready for you. From startups to Fortune 500 companies, we have a proven record of partnering with organizations to help them ensure all manner of privacy compliance, including ROPA.
Our certified privacy professionals (CIPP/US, CIPP/E, CIPP/A) combine data analytics, data governance, and privacy legal expertise, bringing together all the practitioner-level knowledge required to deliver sustainable privacy program outcomes.
To learn more, schedule a call with Red Clover Advisors today!