The record of processing activities (RoPA) is an essential component of the General Data Protection Regulation (GDPR). It is the centrepiece of the data protection management system (DSMS).
It serves as proof of the legally compliant implementation of the data protection principles of the GDPR and as proof of the measures taken to ensure the security and confidentiality of personal data.
Why is a record of processing activities required?
The RoPA is important for several reasons and is therefore required by law:
- Transparency: The RoPA serves to create transparency about the processing of personal data within an organisation. This makes it possible to understand how and for what purpose data is processed and who receives it.
- Accountability: The GDPR places great importance on accountability. The RoPA shows that the company takes its data protection obligations seriously and documents and proves them accordingly.
- Risk management: An up-to-date RoPA helps to identify, assess and prioritise data protection risks. This in turn facilitates the planning of risk minimisation measures.
- Fulfilment of legal requirements: Maintaining a RoPA is an explicit requirement of the GDPR for companies and is therefore essential to avoid legal sanctions.
- Fulfilment of data subject rights: Every natural person (customer, employee, etc.) has a right to access, erasure, rectification, etc. The RoPA provides answers to questions about the processed data.
- Data protection incidents: In the event of (suspected) data breaches, there is an obligation to inform the data subjects and to notify the data protection supervisory authority. In order to be able to assess which data is affected in which systems and at which processing step the data protection incident occurred, a well-managed RoPA is essential.
Steps for creating and maintaining a RoPA
The creation and maintenance of the RoPA is an ongoing process that should be carefully planned and implemented.
The basic steps for creating a RoPA are:
- Definition of responsibility: It must be determined who within the organisation is responsible for creating and updating the record. These are usually the so-called process owners of departments, divisions or systems.
- Recording of processing activities, documenting for each activity:
  - the purpose of the data processing
  - the categories of data subjects
  - the types of data
  - the recipients of the data
  - data transfers to third countries, if applicable, and
  - the storage and deletion periods provided for
- Assessment of the legal basis: A legal basis must be determined and documented for each processing activity in accordance with the GDPR. The legal bases are:
  - consent of the data subject
  - fulfilment of a contract and pre-contractual measures
  - legal obligations, or
  - legitimate interest
  In the case of the legal basis "legitimate interest", the interest must be described from the company's point of view and it must be demonstrated that the interest of the data subject does not outweigh it.
- Risk assessment and data protection impact assessment: A threshold analysis must be used to identify processing activities that may pose a high risk to the rights and freedoms of natural persons and, if necessary, a data protection impact assessment must be carried out.
- Documentation and updating: The RoPA must be regularly reviewed and updated to reflect changes in processing activities or legal requirements.
- Provision: It must be ensured that the RoPA can be presented in a structured form on request, e.g. to a supervisory authority or a customer.
A RoPA not only offers legal protection, but above all makes a significant contribution to transparency and process optimisation within the company. It also strengthens the trust of customers, business partners and employees in the company's data protection practices. Irrespective of this, the RoPA is an indispensable basis for fulfilling data subjects' rights and for handling and notifying data protection incidents.
Author: Regina Mühlich – I am at your disposal for any questions and information.