In my recent blog post titled “How long is a piece of ROPA?” I went through how ROPA can work for you and stated that the ICO had not issued any vision or templates as yet.
I now stand corrected: it would appear templates do exist; the ICO just hadn’t told anyone, which it has now done. You can find the template the ICO issues under the ‘documentation’ section of the GDPR guidebook on the ICO’s website.
However, I wouldn’t rest assured just yet. Having looked at the templates issued by the ICO, I think they come with a few issues.
Firstly, the positives. Everything I outlined before that should be in there is in the ICO templates, including referencing if and when an incident occurs against that record/asset. The template also asks for any and all legal bases for processing, and where there are data flows overseas it captures the legal gateway for the international data transfer for that record and purpose.
So, as validation of what I’ve been saying, it ticks all the boxes and then some.
I don’t want to call them negatives, so for this purpose, I shall call them ‘limitations’.
The first is that the template is in Excel. Excel, for all its usefulness and brilliance, is incredibly restrictive for information and asset management. If you are a small, non-complex organisation then this will do the job perfectly well, but anyone larger will struggle. As anyone who has ever tried to map information flows in a complex organisation knows, the map can be as complex as, if not more so than, the organisation itself. Trying to capture that complexity in Excel, so that it actually becomes useful and not just a dump of record types, is going to be difficult.
While I can’t, or wouldn’t, put words in the ICO’s mouth, I would use the template issued by them simply as a reference point. Whatever system or method you develop to map, document and manage your personal data on an ongoing basis, ensure that everything in the template is in your solution.
Secondly, the ICO template does capture a lot more than the requirements outlined in Article 30 of the GDPR. Personally, I don’t see this as a limitation. Going back to what I’ve been saying, that I see ROPA as the core part of your GDPR compliance, having more detail in there makes logical sense. However, a number of people I have spoken with have either been confused by it or put off by what it’s asking for, and fall into the misconception that Article 30 is a big beast to try and manage.
I do recommend taking the ICO’s template as your starting point. It does give you a good reference for what the ICO will want to see if and when they come knocking, and it also gives you an idea of the things you need to get a grip on in order to make ROPA work for you, not against you.