Completing a ROPA

Compliance with data protection regulations in the EU is framed around a number of guiding principles which lead an organisation to take accountability for the data that is the custodian of.  Accountability requires an organisation to be able to demonstrate how it meets the data protection principles and demonstration invariably means building a body of evidence.

Key to evidencing data protection compliance is embedded policy, robust procedures and a firm knowledge of where the risks lie and a plan for managing them.  So, whilst a record of processing activities (ROPA) is not mandated for all organisations within EU law, it certainly seems sensible that an organisation should understand the data it processes and where any risks reside in the processing activities.

This is how a personal data management system (PDMS) can help.  ProvePrivacy makes the understanding of data risks easy because it starts from the presumption that you, as a business know the activities you undertake to run your business.  So rather than a complex data mapping exercise, instead you simply list the activities which each department does and notes what personal data is processed as part of those activities.

Activity Assessments

Understanding activities is based on business departments, e.g. resourcing, finance or direct marketing. The ideal way to approach this is to assign data champions in each department.  It doesn’t have to be senior management, but it is often best if it is someone who can later take some responsibility for data compliance within the department.  The data champion should be someone who knows how the department works and where any personal data concerns may be hidden.  Whilst automated data mapping tools are available, these may be flawed.  Tools map data and not activities and data often resides outside of the network, for example on paper, USB drives, cloud services and in other organisations, so running a tool is likely to miss a fair proportion of your data processing,.  In addition these tools will not inform you how data is used and are unlikely to link personal data to a business department.

It is recommended that you identify an activity and split understanding it into phases.  Once you know about an activity which processes personal data, it is only a few more steps to determine how it is collected, stored and shared.  For most organisations understanding all activities in detail can be challenging, which is why ProvePrivacy allows the data champion to complete only what they know, and return to the process at a later stage when they have been able to determine more.  For example, it may be better to delay understanding how long data is retained in a department until a subject matter expert can be consulted on a number of activities.

The different assessments which need to take place on each activity are; transparency, understanding if the activity is covered in the organisations privacy notice.  Lawfulness, determines the basis upon which the data is processed which is more significant if the data is of a sensitive nature.  If the lawful basis is legitimate interest then a further assessment should evidence that this is compelling.  A high risk data usage assessment will help the organisation determine if a data protection impact assessment should be undertaken to help reduce the risk to the data subjects.  The data management assessment determines where data is stored and for how long, helping the organisation determine its data retention policy.  Finally, a data sharing assessment provides a solid assessment of data processor/controller relationships, assessing the contract, data sharing agreement or the safeguards surrounding an international data transfer.

A robust set of activities will be more granular and split into multiple activities, for example activities surrounding obtaining CVs may include:

  • CVs emailed,
  • CVs via a company website
  • Thos from a job agency
  • Emails to different internal people; and
  • Paper CVs posted

An activity for each is likely to yield a richer view of the risks within the organisation, for example where are CVs stored if they are emailed into multiple people?

Building a full list of activities and their risks should be an iterative process and an ongoing process.  You will need multiple discussions with a wide range of people and the activities will change over time. 

Here is some of our advice when addressing your activities:

  • Establish at least one data champion per department, this allows an in depth knowledge to be developed creating a natural point in the department to help resolve future issues.
  • Ensure that you have an internal escalation point for advice, if you don’t have this internally, ProvePrivacy can assign you to one of our Partners to provide advice when it is required.
  • Find the right people to discuss things with – the data champion will need to talk to more than one person in the department to understand the full picture.
  • Use the questions in ProvePrivacy to lead your investigation and do assessments on multiple activities at once.
  • If one of our assessments indicates an activity should be referred, include a reasoned rationale so that the activity can be assessed in the context of the organisation.
  • If one of our assessments indicates an activity has failed, it is highly likely that you will need to change the way the activity is run and in most cases, it should be halted until it passes.
  • If you do rely on data search tools, reverse engineer the data discovered to determine the processes where data is used.
  • Find the Personal Data Issues – don’t forget paper records, archive systems (both online and offsite physical storage) and activities originating from outside of your department or organisation.
  • Do not try to do all contract reviews in a short period of time, you will need to work with suppliers and their timescales.
  • Be prepared to reassess your current data sharing relationships, if a supplier is not willing to work with you to have a compliant contract or secure relationship then you should consider a different supplier.
  • Once you have determined the organisations inherent risks, put in place a measured action plan.  Not all issues will be able to be resolved at once, take a risk based approach and prioritise risks.
  • Use what you have learned throughout to revise your privacy notices, and don’t forget your staff privacy notice too.