How long is a piece of ROPA?

Whenever I speak to someone about GDPR implementation the majority of people seem to overlook Article 30 and the Records of Processing Activities. And to be honest, I can see why.

At face value Article 30 of the General Data Protection Regulation (GDPR) requires organisations (both Controllers and Processors) meeting certain conditions to keep records about what personal data they are processing (including the hows and whys). This sounds very similar to what we record currently in the UK on our registrations with the Information Commissioner so should just be a tick box exercise.

I would, however, disagree.

Article 30(1) of the GDPR sets out that controllers are required to record:

  1. the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
  2. the purposes of the processing;
  3. a description of the categories of data subjects and of the categories of personal data;
  4. the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
  5. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  6. where possible, the envisaged time limits for erasure of the different categories of data;
  7. where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Article 30(2) further sets out that processors are required to record:

  1. the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;
  2. the categories of processing carried out on behalf of each controller;
  3. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  4. where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Point 3 states that the records must be kept in written or electronic form; point 4 states that they must be made available to the supervisory authority on request; and point 5 states that you don't need to keep them if you employ fewer than 250 employees and your processing isn't likely to result in high risks to the rights and freedoms of individuals.

As someone currently working with various organisations on GDPR implementation, I still recommend meeting the requirements of Article 30 even if you have fewer than 250 employees, because, in my opinion at least, it is the core of your GDPR compliance.

With any regulatory compliance regime you want an overview of what you are putting in place so that, with the limited resources available, you can focus on the areas of genuine concern. The larger you are, the more complex this becomes. But if you have a good, robust record of your processing that evolves as the business evolves, it can be a tool that helps you rather than just a tick-box exercise.

I see an Information Asset Register (IAR) and a ROPA-type register as two elements of the same thing. Yes, your IAR will hold far more than just personal data assets, but the questions it asks are very similar to those ROPA asks. All you need to add are fields covering the grounds for processing, any consent obtained, sharing arrangements and technical measures (plus possibly more, depending on how you do Information Asset Management in your organisation).

Once you have your assets and your data flows (where data comes from, what it is used for and where it goes), what's to stop you linking them to Privacy Impact Assessments? Or to the risks associated with those assets? Or even to records of the other controls you put in place, such as training for the staff who use those assets, the policies that cover them, or the contracts and sharing agreements that govern them?
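As an added illustration of the register the post describes (this is example code, not the author's own tool or template), the following Python models one processing activity per row with the Article 30(1) fields listed above, plus the extra IAR-style fields the post suggests (lawful basis, linked PIA, linked controls). The `record_gaps` check flags what is still missing, including the case where a third-country transfer is recorded without its documented safeguards. The record layout, field names and sample entries are assumptions constructed for the example, not a prescribed format.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ProcessingRecord:
    """One processing activity: Article 30(1) fields plus the IAR links the post suggests.

    The field layout is a hypothetical one chosen for this example.
    """
    asset: str                                   # entry in the Information Asset Register
    controller: str                              # 30(1)(a) name and contact details
    purposes: List[str]                          # 30(1)(b)
    data_subject_categories: List[str]           # 30(1)(c)
    personal_data_categories: List[str]          # 30(1)(c)
    recipient_categories: List[str]              # 30(1)(d)
    third_country_transfers: List[str] = field(default_factory=list)  # 30(1)(e)
    transfer_safeguards: Optional[str] = None    # 30(1)(e) documented safeguards
    retention: Optional[str] = None              # 30(1)(f) envisaged erasure limit
    security_measures: List[str] = field(default_factory=list)        # 30(1)(g)
    lawful_basis: Optional[str] = None           # extra: grounds for processing
    linked_pia: Optional[str] = None             # extra: Privacy Impact Assessment reference
    linked_controls: List[str] = field(default_factory=list)          # extra: training, policies, contracts


def record_gaps(rec: ProcessingRecord) -> List[str]:
    """Return the items this record does not yet satisfy (empty list means complete)."""
    gaps: List[str] = []
    required = [
        ("controller", rec.controller),
        ("purposes", rec.purposes),
        ("data_subject_categories", rec.data_subject_categories),
        ("personal_data_categories", rec.personal_data_categories),
        ("recipient_categories", rec.recipient_categories),
    ]
    for name, value in required:
        if not value:
            gaps.append(f"missing {name}")
    # 30(1)(e): a transfer to a third country needs its safeguards documented.
    if rec.third_country_transfers and not rec.transfer_safeguards:
        gaps.append("third-country transfer without documented safeguards")
    # 30(1)(f) and (g) are "where possible"; flag them so a blank is a conscious choice.
    if rec.retention is None:
        gaps.append("no retention period recorded")
    if not rec.security_measures:
        gaps.append("no security measures recorded")
    # Extra field the post recommends adding to an IAR-based register.
    if rec.lawful_basis is None:
        gaps.append("no lawful basis recorded")
    return gaps


def register_report(records: List[ProcessingRecord]) -> Dict[str, List[str]]:
    """Map each asset name to its gaps; an empty list means the record is complete."""
    return {rec.asset: record_gaps(rec) for rec in records}


# Constructed sample register (fictional entries, not real data).
SAMPLE_REGISTER = [
    ProcessingRecord(
        asset="HR payroll system",
        controller="Example Ltd, dpo@example.com",
        purposes=["payroll"],
        data_subject_categories=["employees"],
        personal_data_categories=["bank details", "salary"],
        recipient_categories=["payroll bureau", "tax authority"],
        retention="6 years after employment ends",
        security_measures=["role-based access control", "encryption at rest"],
        lawful_basis="legal obligation",
        linked_pia="PIA-001",
        linked_controls=["HR data policy", "payroll bureau contract"],
    ),
    ProcessingRecord(
        asset="Marketing mailing list",
        controller="Example Ltd, dpo@example.com",
        purposes=["newsletter"],
        data_subject_categories=["subscribers"],
        personal_data_categories=["email address"],
        recipient_categories=["email service provider"],
        third_country_transfers=["United States"],  # no safeguards documented yet
    ),
]


if __name__ == "__main__":
    for asset, gaps in register_report(SAMPLE_REGISTER).items():
        print(asset, "-> complete" if not gaps else f"-> {gaps}")
```

Running it lists the payroll entry as complete and the mailing list with four gaps, which is the kind of overview the post argues a living register should give you; the same gap list can be the hook for linking each asset to its PIA, risks and controls.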

“Record of Processing Activities” is such an off-putting name for something that, in my mind at least, proves really useful to your compliance regime if you engage with it. Yes, you can get away with a Word document that records all this, just as our current registration forms do. But why do tick-box when you can innovate and take ROPA for what it was meant to be: a way to manage all of this and bring it together into something that works for you? So why not find ways to make it something you can add to your toolkit?

You can find all references to ROPA requirements in:

  • GDPR Article 30
  • Data Protection Bill Part 3 (Law Enforcement) Chapter 4 Section 59
  • Data Protection Bill Schedule 1 Part 4 (32) (a)-(c)

2 Replies to “How long is a piece of ROPA?”

  1. Totally agree. As a storage services provider we are classed as a data processor for all our clients (touching an archive box is akin to processing it), so we have to create a record for every customer as well as for our own data. We also need to refresh all contracts with clients to ensure formal recognition of the relationship between us (they as data controller and we as processor).

    We also need to provide our clients with surety around which of their users has accessed what and when, to provide them with compliance around record access.

    All in all GDPR adds cost at the start of the journey but ensures a level of best practice that provides more than just ticking a box.

    At Box-it we have always worked to safeguard client archives. Often a client will insist on a generic user account (to save on cost and for their own convenience), but GDPR allows us to reiterate the value of knowing what individual users are doing around the records.
    Hooray for GDPR.

  2. You actually make it appear so easy with your presentation, but I find this matter to be one thing that I feel I would by no means understand. It sort of feels too complicated and very wide for me. I am looking forward to your next post; I will attempt to get the grasp of it!
