At the recent IRMS Public Sector Group event I was asked to come back and revisit ‘the power of 3’ (as I call it). We had some really good discussion from a range of delegates on ROPA, Information Asset Registers, Retention Schedules and the like, and how useful they actually are in protecting data (Personal or otherwise).

What is the ‘Power of 3’?

The ‘Power of 3’ (as I call it) is combining data from your Records of Processing Activities (ROPA), Information Asset Registers (IARs) and Retention Schedules. Many organisations will have 3 separate ‘things’, one for each, and either don’t connect the 3 at all or do so only as a very manual task. Others don’t keep them separate at all and try to collate everything into one big ‘thing’.
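As an added illustration of what ‘connecting the 3’ looks like when it is not a manual task, the Python below joins three small registers on a shared asset ID and reports the gaps between them: processing activities that point at assets nobody has registered, personal-data assets with no recorded processing activity, assets with no retention period, and transfers outside the UK that need a recorded safeguard. This is example code written for this page, not the author’s own tooling and not an ICO or IRMS template; the column names and every row of sample data are constructed assumptions.

```python
"""
Cross-check a ROPA, an Information Asset Register (IAR) and a Retention
Schedule by joining them on a shared asset_id. Added example; the three
registers below are constructed sample data and the column names are
assumptions, not any regulator's template.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample Information Asset Register (not real data).
IAR_CSV = """asset_id,asset_name,owner,location,personal_data,sensitivity
A001,HR case files,HR Director,SharePoint HR,yes,confidential
A002,Payroll export,Finance Manager,Finance file share,yes,confidential
A003,Website analytics,Comms Lead,Vendor SaaS,yes,internal
A004,Board minutes,Clerk,EDRMS,no,internal
A005,Visitor sign-in book,Facilities,Reception,yes,internal
"""

# Constructed sample Record of Processing Activities; each activity names
# the asset it operates on so it can be joined to the IAR.
ROPA_CSV = """activity_id,purpose,lawful_basis,asset_id,recipients,transfer_outside_uk
P01,Employee administration,contract,A001,Occupational health provider,no
P02,Pay staff,legal obligation,A002,HMRC;Bank,no
P03,Measure site usage,consent,A003,Analytics vendor,yes
P04,Benefits administration,contract,A009,Pension provider,no
"""

# Constructed sample Retention Schedule, also keyed on asset_id.
RETENTION_CSV = """asset_id,retention_period_years,trigger,disposal_action
A001,6,end of employment,destroy
A002,7,end of tax year,destroy
A004,10,meeting date,transfer to archive
"""


@dataclass(frozen=True)
class Finding:
    asset_id: str
    check: str
    detail: str


def parse(text):
    """Read an inline CSV register into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def cross_check(iar_csv=IAR_CSV, ropa_csv=ROPA_CSV, retention_csv=RETENTION_CSV):
    """Join the three registers on asset_id and return the gaps between them."""
    iar = {r["asset_id"]: r for r in parse(iar_csv)}
    retention = {r["asset_id"]: r for r in parse(retention_csv)}
    ropa = parse(ropa_csv)
    findings = []

    # ROPA -> IAR: every processing activity must point at a registered asset.
    for act in ropa:
        aid = act["asset_id"]
        if aid not in iar:
            findings.append(Finding(aid, "ropa_orphan",
                f"activity {act['activity_id']} ({act['purpose']}) references an asset missing from the IAR"))
            continue
        # Personal data leaving the UK: make sure the safeguard is on record.
        if act["transfer_outside_uk"].lower() == "yes":
            findings.append(Finding(aid, "international_transfer",
                f"activity {act['activity_id']} sends {iar[aid]['asset_name']} to {act['recipients']} outside the UK; confirm the transfer safeguard is recorded"))

    covered = {act["asset_id"] for act in ropa}

    # IAR -> ROPA and IAR -> Retention Schedule.
    for aid, asset in iar.items():
        holds_personal = asset["personal_data"].lower() == "yes"
        if holds_personal and aid not in covered:
            findings.append(Finding(aid, "no_ropa_entry",
                f"{asset['asset_name']} holds personal data but no processing activity is recorded for it"))
        if aid not in retention:
            findings.append(Finding(aid, "no_retention",
                f"{asset['asset_name']} has no retention period or disposal trigger"))

    return sorted(findings, key=lambda f: (f.asset_id, f.check))


def confidential_assets(iar_csv=IAR_CSV):
    """Answer 'where is our most sensitive personal data?' from the IAR alone."""
    return sorted(r["asset_id"] for r in parse(iar_csv)
                  if r["sensitivity"] == "confidential" and r["personal_data"].lower() == "yes")


def summary(findings):
    """Group finding names by asset for a quick at-a-glance view."""
    out = {}
    for f in findings:
        out.setdefault(f.asset_id, []).append(f.check)
    return out


if __name__ == "__main__":
    for f in cross_check():
        print(f"{f.asset_id:5} {f.check:22} {f.detail}")
    print("confidential personal-data assets:", confidential_assets())
```

Run stand-alone it lists each gap with the asset it belongs to; on the sample data that is the orphaned activity P04 (asset A009 is in the ROPA but not the IAR), the analytics asset with a transfer outside the UK and no retention entry, and the visitor book with neither a processing activity nor a retention period. Replace the three inline strings with your real exports and the same join works on a few thousand rows.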

Following on from my talks at the IRMS Info Rights and IRMS Public Sector Group events last year (links to the recordings), I was invited back to revisit the concept of the Power of 3 and see where it was going in the context of the UK Government’s proposals to change the UK GDPR/Data Protection Act 2018.

I’ve summarised some of the issues here for you and the recording of the event is at the very bottom below.

Challenges to ROPA?

I was, and am to this day I think, an advocate of mapping out what you have, why you have it, where you have it and what you are doing with it. This is a fundamental element of effective information handling, quality, security etc. It has all sorts of benefits and, indeed, since Article 30 of the EU GDPR was first approved, it has required organisations to actually take stock of what they have and ‘clear house’.

ROPA has been fundamental in getting people to talk about IARs, retention and personal data. This is a fact. Everyone in the session agreed that, regardless of how you go about it, the requirement to document what you are doing has put these things on the map and has made organisations think about their data.

But, as we all agreed, maintaining a ROPA/IAR/other is not ‘fun’ or ‘exciting’ or even (dare I say) ‘sexy’. Therefore, rightly or wrongly, people in organisations find it a struggle to complete, a struggle to maintain, and a struggle to get any buy-in for. Even members of our own profession can’t see past the time investment, so write it off as a pointless exercise.

Many people at the event the other day even incorporate elements of ROPA into their IARs instead. So they have already abandoned the idea of a separate ROPA but haven’t abandoned the idea behind ROPA. (And we all pretty much agreed that the ICO template ROPA was just an unmanageable beast of a thing and the ICO must have been smoking something when they put that out.)

Talking of which, while I’m on my ‘ICO soapbox’, it also doesn’t help the ‘impression’ of ROPA when the regulator labels the guidance tab for it as ‘documentation’. Documentation? Like it’s some sort of pointless form you need to complete and keep on record. If the term ‘Records of Processing Activities’ wasn’t bad enough, even the Regulator gives it a name that sounds bureaucratic.

I digress, back to the matter at hand!

Does ROPA therefore actually work?

I have to say that, off the back of the Government’s proposal to overhaul Data Protection and take us in a new direction, it has made me think. Does ROPA (specifically Article 30 of the GDPR, EU or UK for that matter) actually help in the protection of Personal Data?

How does ROPA help a DPO (or members of staff) protect the Confidentiality, Integrity or Availability of Personal Data? Just because GDPR says we must have one doesn’t mean it protects Personal Data by default. That was clearly evident around the room as people said whether or not their ROPAs actually added any value (see the poll results below).

The concept or ‘idea’ of mapping out what you have, where you have it, in what format, where it comes from and where it goes to is incredibly useful.

Confidentiality – It can tell you where the likely threats and weaknesses to your data are. It can also tell you which bits of your data are indeed confidential: your most sensitive processes and functions. Anecdotally you might know that, but can you say with 95% certainty that you know where your most confidential data is on anecdotal evidence alone?

Integrity – It can tell you where you are reliant on ‘accurate’ data, either from an historical perspective or right here and now. It can also tell you where your data converges with other data and where, if left unchecked, it can easily get ‘muddled’. Name me one person who, off the top of their head, knows each and every data quality point or transfer point.

Availability – It can tell you what is important: what should be available to staff to do their jobs because it is so confidential or so integral to the process. It can tell you where your weaknesses in availability are, whether through technology, duplication, remote working etc.

Does ROPA itself add value to the Protection of Personal Data? Well, 78% of attendees said yes. However, that was on the concept of recording and managing your ‘processing activities’, not specifically on what Article 30 of the UK GDPR requires. So can I say that Article 30 specifically should be left alone by the Government because it is ‘imperative to the Protection of Personal Data’? I’m not sure that I can.

The future of ROPA:

The Government is clearly out for what they see as ‘red tape’. I suspect, and this is a personal opinion here, that no argument on the benefit of something like ROPA will get past their Brexit-stuffed ears. Therefore I strongly suspect Article 30, as we know it today, is unlikely to exist in the UK for much longer.

Of those asked at the PSG event, 53% of those that voted believed that ROPA should not be scaled down and 47% believed it should be. So it’s a mixed bag of support out there.

Personally, I think I can live with Article 30 being overhauled. It just depends on what it is overhauled with. Any ‘privacy management programme’ (which is what ‘Data: A new direction’ seems to advocate) will need to map out and record what the programme actually covers for it to be effective. And the best way of scaling and managing any sort of management or compliance programme is to know what you are managing, which means keeping records of what you are doing and with what!

I therefore think the Government would be short-sighted not to include, in any proposed ‘privacy management programme’, some detail on the need to map out what you are doing with Personal Data. Otherwise the ‘programme’ is just for show, and potentially even more pointless than it was in the darkest days of the DPA 1998.

Do I think GDPR is the *only* way to protect Personal Data? No. Do I think that strong and robust controls are a way of protecting Personal Data? Yes. Do I think ROPA (or anything like it that is just as useful) is in trouble in the UK? Yes.

What can we do about it?

At the PSG event we had a really good discussion about the pros and cons of ROPA and the pros and cons of the concept of ROPA. We eventually agreed that this was a good discussion point and that we should explore it further. So Elizabeth Barber and the IRMS have an action to explore a panel discussion on the future of ROPA and what it means. So watch this space!

As for the rest of us, I would advocate the following things we can do.

1. Share best practice. There were loads of comments about sharing how everyone does what they do with IARs, ROPA etc. You love to see it! Carry that on via the IRMS socialink website. Ask for best practice, share best practice, share what works! If you do what you’ve always done, you’ll get what you’ve always got. So try something else that someone else has tried, and see if that works for you.

2. Champion the concept. No, information mapping is not ‘sexy’; we try to make it so, but it is a battle. That doesn’t mean we can’t champion the idea behind ROPA etc. Small steps, encouragement and support win the day. If people see us being despondent and unconvinced, how can we expect them to be convinced of its value?

3. Innovate. I said I wouldn’t champion a particular product in the session and I didn’t. We did, however, explore with people what systems and tools they use (other than Excel). Both we and the vendors of ‘solutions’ should continue to innovate: create solutions that are simple, add value and support our work, but also don’t cost the earth. Especially for those in the public sector, where we are often left using Excel.

Note: All links were correct at the time of publication. The ICO, as one example, is terrible at managing links and content, so if a link is broken please let me know via the details below and I will action accordingly.