ROPA Process: Step-by-step guide

At a glance

• Article 30 of the General Data Protection Regulation (GDPR) requires that all data controllers create and maintain detailed records of processing activities, otherwise known as ROPA.
• Any company with 250 or more employees must complete the ROPA process, as required by GDPR Article 30.
• Regardless of size, a company must complete a ROPA when their data processing is “not occasional,” may threaten a data subject’s rights or freedoms, or is relevant to a criminal conviction or offense.
• Using an automated data mapping platform to streamline the ROPA process is recommended. Manually maintaining an up-to-date record of all tools and systems that process data is difficult and time-consuming—often becoming unsustainable in the long term.

Table of contents

• Introduction to the ROPA process
• What is GDPR Article 30?
• What is a record of processing activities (ROPA)?
• How to complete the ROPA process manually
• Using automated data mapping tools for ROPA creation

Introduction to the ROPA process

Records of processing activities (ROPA), a subset of data mapping, are required by Article 30 of the EU’s General Data Protection Regulation.

Complete ROPA must document a variety of information: data and data categories being processed, purposes of processing, and much more. Creating and maintaining these records can be a complex process.

In fact, 50% of companies will need over a year to discover all data systems and organize them into a unified data map.

Below we’ll define GDPR Article 30 and ROPA, walk through Article 30 requirements, explore the data that must be included in a ROPA, and consider why automating the process is so important for effective privacy compliance.

What is GDPR Article 30?

Article 30 of the General Data Protection Regulation (GDPR) requires that all data controllers create and maintain detailed records of processing activities (ROPA).

GDPR Article 30 states that:

• Data controllers must “maintain a record of processing activities under [their] responsibility.” (See the next section for more detail on what information a comprehensive ROPA should include.)
• Data processors must “maintain a record of all categories of processing activities carried out on behalf of a controller.”
• Each of the above records must be made available digitally and in writing.
• ROPA records must be made available upon request.

Who does GDPR Article 30 apply to?

Maintaining ROPA is one of the few rules within the GDPR that offers an exemption, albeit a small one.

Only organizations with over 250 employees must provide ROPA documentation, while companies with fewer than 250 are exempt. That said, this exemption does not always apply (exemptions to an exemption!).

If a business’s data processing activities:

• May threaten the freedoms or rights of the data subject
• Pertain to a criminal conviction or offense, or
• Are “not occasional”

Then the Article 30 ROPA requirement stands, even if a company employs fewer than 250 people.

That final point should catch your attention most. In this day and age, a company that’s processing personal data is likely doing so on more than an “occasional” basis.

Combine this with the fact that Article 30 offers no further clarification on what “not occasional” means, and there’s really only one good option—ere on the side of caution and complete compliance.

If your company processes personal data on a consistent basis and markets or sells products/services to citizens of the EU, strongly consider creating your own ROPA.

Against the backdrop of increasing enforcement and massive fines for GDPR violators, it can only help your business in the long run.

Additional resources

• ICO Guide to Article 30
• The Complete Guide to GDPR
• GDPR Article 30

What is a record of processing activities (ROPA)?

ROPA stands for record of processing activities and is required by GDPR Article 30. Complete ROPA will document all data processing activities, as well as all categories of data processing activities.

For a data controller, GDPR Article 30 requires that ROPA include:

• Documentation of data being processed
• Documentation of the categories of data being processed
• The data controller’s name and contact details
• Purpose of processing i.e. why the data is being processed
• Categories of any data recipients
• Categories of data subjects and personal data
• Documentation on personal data transfers to international entities or third countries
• A time frame for data erasure
• Information on data security measures

For a data processor, Article 30 applies many (though not all) of the same requirements. Data processor ROPA must include:

• Documentation of data being processed on behalf of the controller
• Documentation of the categories of data being processed on behalf of the controller
• The data processor’s name and contact details
• Documentation on personal data transfers to international entities or third countries
• Information on data security measures

Vocab check - Data controllers decide how their organization will process personal data, therefore they are held to a higher standard in the eyes of the GDPR. Data processors, on the other hand, enact the decisions data controllers make. This means they are beholden to similar rules, but don’t hold the same responsibility.

How to complete the ROPA process manually

Using a data mapping tool is far and away the fastest, most efficient way to create an accurate ROPA report.

However, not all companies required to create ROPA have a data mapping platform already, so here’s the general process for manually creating and maintaining ROPA documentation:

1. Create a brief to share with leadership on the importance of complying with GDPR Article 30 (including data on potential penalties), and the steps your organization must take in order to create your ROPA report.
2. Set meetings with the head of each team within your company in order to begin defining and documenting data processing activities across the organization.
3. During or after your initial meeting, send each team lead an assessment requesting the specifics of each data system and relevant processing activities.
4. Collate your findings into a document that is available digitally and in writing.
5. Very important! Develop a process for continually updating and maintaining these records. To be compliant, a ROPA must include all systems and tools that engage in data processing–so if the marketing team gets a new email tool, you’ll need to know about it to ensure your ROPA is up-to-date.

If your organization is too large to enact a comprehensive data mapping protocol in one go, it can be helpful to start the process within a single unit. Test out the process with one team, iron out any hiccups, and then continue to move strategically throughout the rest of the company.

To learn more about automating this process explore Transcend Data Mapping.

Important ROPA data types

As GDPR Article 30 requires that ROPA include a full list of data and data categories being processed, the chart below outlines some of the data types companies should consider when creating their ROPA. companies should consider when creating their ROPA.

Benefits of using data mapping software for ROPA creation

Data mapping and ROPA creation are complex processes.

Company data is distributed across connected cloud services and internal databases–spanning structured and unstructured file types, documents, images, and mail.

Creating a unified view of the personal data processed by your organization across such disparate systems is challenging, to say the least.

Automated data mapping software provides significant benefits for organizations who deal in large quantities of personal data: better visibility, simplified compliance, and freed up resources.

Unified visibility

Automated data mapping tools provide a live view of your company’s data, enabling comprehensive visibility into any personal data being processed. When a service or third party vendor is added or changed, data mapping software automatically detects the update and populates that record into your map without manual intervention.

Simplified compliance

GDPR does not require companies to preemptively submit ROPA documentation. However, the records must be made available upon request. So, if up-to-date ROPA documentation is unavailable when a request comes, your organization may be held liable.

With data mapping software, your ROPA is always up-to-date, always available, and easy to export e.g. downloadable as a csv–reducing organizational risk and simplifying Article 30 compliance.

Freed up resources

Data mapping software enables a centralized hub that keeps tabs on:

• New systems added and the categories of personal data they contain
• Owners and completion status for every data record
• Database changes that may impact data flow

By minimizing the amount of manual work, data mapping software limits human error and frees up your teams to focus on core responsibilities.

Conclusion

From understanding your obligations as a data controller or processor, to including the right data in your ROPA, to ensuring your records are up-to-date–navigating Article 30 requirements and ROPA creation can be complex.

However, with the right tools your organization can simplify these workflows, supporting better visibility, resource use, and long-term Article 30 compliance.

About Transcend

If your organization has been impacted by the Article 30 ROPA requirement, Transcend can help. UseTranscend Data Mapping to discover your company’s data silos, classify personal data, and auto-generate reports – all in an easy-to-use, collaborative platform.

Power your company’s regulatory compliance with actionable data governance suggestions based on your real-time data map. Transcend is the first and only data mapping tool that ensures the systems discovered in your data map are seamlessly included in user deletion, access or modification request workflows.