Senior Content Marketing Manager II
May 6, 2022â˘6 min read
Records of processing activities (ROPA), a subset of data mapping, are required by Article 30 of the EUâs General Data Protection Regulation.
Complete ROPA must document a variety of information: data and data categories being processed, purposes of processing, and much more. Creating and maintaining these records can be a complex process.
In fact, 50% of companies will need over a year to discover all data systems and organize them into a unified data map.
Below weâll define GDPR Article 30 and ROPA, walk through Article 30 requirements, explore the data that must be included in a ROPA, and consider why automating the process is so important for effective privacy compliance.
Article 30 of the General Data Protection Regulation (GDPR) requires that all data controllers create and maintain detailed records of processing activities (ROPA).
GDPR Article 30Â states that:
Maintaining ROPA is one of the few rules within the GDPR that offers an exemption, albeit a small one.
Only organizations with over 250 employees must provide ROPA documentation, while companies with fewer than 250 are exempt. That said, this exemption does not always apply (exemptions to an exemption!).
If a businessâs data processing activities:
Then the Article 30 ROPA requirement stands, even if a company employs fewer than 250 people.
That final point should catch your attention most. In this day and age, a company thatâs processing personal data is likely doing so on more than an âoccasionalâ basis.
Combine this with the fact that Article 30 offers no further clarification on what ânot occasionalâ means, and thereâs really only one good optionâere on the side of caution and complete compliance.
If your company processes personal data on a consistent basis and markets or sells products/services to citizens of the EU, strongly consider creating your own ROPA.
Against the backdrop of increasing enforcement and massive fines for GDPR violators, it can only help your business in the long run.
Additional resources
ROPA stands for record of processing activities and is required by GDPR Article 30. Complete ROPA will document all data processing activities, as well as all categories of data processing activities.
For a data controller, GDPR Article 30 requires that ROPA include:
For a data processor, Article 30 applies many (though not all) of the same requirements. Data processor ROPA must include:
Vocab check - Data controllers decide how their organization will process personal data, therefore they are held to a higher standard in the eyes of the GDPR. Data processors, on the other hand, enact the decisions data controllers make. This means they are beholden to similar rules, but donât hold the same responsibility.
Using a data mapping tool is far and away the fastest, most efficient way to create an accurate ROPA report.
However, not all companies required to create ROPA have a data mapping platform already, so hereâs the general process for manually creating and maintaining ROPA documentation:
If your organization is too large to enact a comprehensive data mapping protocol in one go, it can be helpful to start the process within a single unit. Test out the process with one team, iron out any hiccups, and then continue to move strategically throughout the rest of the company.
To learn more about automating this process explore Transcend Data Mapping.
As GDPR Article 30 requires that ROPA include a full list of data and data categories being processed, the chart below outlines some of the data types companies should consider when creating their ROPA. companies should consider when creating their ROPA.
Data mapping and ROPA creation are complex processes.
Company data is distributed across connected cloud services and internal databasesâspanning structured and unstructured file types, documents, images, and mail.
Creating a unified view of the personal data processed by your organization across such disparate systems is challenging, to say the least.
Automated data mapping software provides significant benefits for organizations who deal in large quantities of personal data: better visibility, simplified compliance, and freed up resources.
Automated data mapping tools provide a live view of your companyâs data, enabling comprehensive visibility into any personal data being processed. When a service or third party vendor is added or changed, data mapping software automatically detects the update and populates that record into your map without manual intervention.
GDPR does not require companies to preemptively submit ROPA documentation. However, the records must be made available upon request. So, if up-to-date ROPA documentation is unavailable when a request comes, your organization may be held liable.
With data mapping software, your ROPA is always up-to-date, always available, and easy to export e.g. downloadable as a csvâreducing organizational risk and simplifying Article 30 compliance.
Data mapping software enables a centralized hub that keeps tabs on:
By minimizing the amount of manual work, data mapping software limits human error and frees up your teams to focus on core responsibilities.
From understanding your obligations as a data controller or processor, to including the right data in your ROPA, to ensuring your records are up-to-dateânavigating Article 30 requirements and ROPA creation can be complex.
However, with the right tools your organization can simplify these workflows, supporting better visibility, resource use, and long-term Article 30 compliance.
If your organization has been impacted by the Article 30 ROPA requirement, Transcend can help. UseTranscend Data Mapping to discover your companyâs data silos, classify personal data, and auto-generate reports â all in an easy-to-use, collaborative platform.
Power your companyâs regulatory compliance with actionable data governance suggestions based on your real-time data map. Transcend is the first and only data mapping tool that ensures the systems discovered in your data map are seamlessly included in user deletion, access or modification request workflows.
Senior Content Marketing Manager II