ROPA Process: Step-by-step guide
At a glance
Article 30 of the General Data Protection Regulation (GDPR) requires that all data controllers create and maintain detailed records of processing activities, otherwise known as ROPA.
Any company with 250 or more employees must complete the ROPA process, as required by GDPR Article 30.
Regardless of size, a company must complete a ROPA when their data processing is “not occasional,” may threaten a data subject’s rights or freedoms, or is relevant to a criminal conviction or offense.
Using an automated data mapping platform to streamline the ROPA process is recommended. Manually maintaining an up-to-date record of all tools and systems that process data is difficult and time-consuming—often becoming unsustainable in the long term.
Introduction to the ROPA process
Records of processing activities (ROPA), a subset of data mapping, are required by Article 30 of the EU’s General Data Protection Regulation.
Complete ROPA must document a variety of information: data and data categories being processed, purposes of processing, and much more. Creating and maintaining these records can be a complex process.
In fact, 50% of companies will need over a year to discover all data systems and organize them into a unified data map.
Below we’ll define GDPR Article 30 and ROPA, walk through Article 30 requirements, explore the data that must be included in a ROPA, and consider why automating the process is so important for effective privacy compliance.
What is GDPR Article 30?
Article 30 of the General Data Protection Regulation (GDPR) requires that all data controllers create and maintain detailed records of processing activities (ROPA).
GDPR Article 30 states that:
Data controllers must “maintain a record of processing activities under [their] responsibility.” (See the next section for more detail on what information a comprehensive ROPA should include.)
Data processors must “maintain a record of all categories of processing activities carried out on behalf of a controller.”
Each of the above records must be made available digitally and in writing.
ROPA records must be made available upon request.
Who does GDPR Article 30 apply to?
Maintaining ROPA is one of the few rules within the GDPR that offers an exemption, albeit a small one.
Only organizations with 250 or more employees must provide ROPA documentation, while companies with fewer than 250 are exempt. That said, this exemption does not always apply (exemptions to an exemption!).
If a business’s data processing activities:
May threaten the freedoms or rights of the data subject
Pertain to a criminal conviction or offense, or
Are “not occasional”
Then the Article 30 ROPA requirement stands, even if a company employs fewer than 250 people.
That final point should catch your attention most. In this day and age, a company that’s processing personal data is likely doing so on more than an “occasional” basis.
Combine this with the fact that Article 30 offers no further clarification on what “not occasional” means, and there’s really only one good option: err on the side of caution and complete compliance.
If your company processes personal data on a consistent basis and markets or sells products/services to citizens of the EU, strongly consider creating your own ROPA.
Against the backdrop of increasing enforcement and massive fines for GDPR violators, it can only help your business in the long run.
What is a record of processing activities (ROPA)?
ROPA stands for record of processing activities and is required by GDPR Article 30. Complete ROPA will document all data processing activities, as well as all categories of data processing activities.
For a data controller, GDPR Article 30 requires that ROPA include:
Documentation of data being processed
Documentation of the categories of data being processed
The data controller’s name and contact details
Purpose of processing, i.e. why the data is being processed
Categories of any data recipients
Categories of data subjects and personal data
Documentation on personal data transfers to international entities or third countries
A time frame for data erasure
Information on data security measures
For a data processor, Article 30 applies many (though not all) of the same requirements. Data processor ROPA must include:
Documentation of data being processed on behalf of the controller
Documentation of the categories of data being processed on behalf of the controller
The data processor’s name and contact details
Documentation on personal data transfers to international entities or third countries
Information on data security measures
Vocab check - Data controllers decide how their organization will process personal data, therefore they are held to a higher standard in the eyes of the GDPR. Data processors, on the other hand, enact the decisions data controllers make. This means they are beholden to similar rules, but don’t hold the same responsibility.
How to complete the ROPA process manually
Using a data mapping tool is far and away the fastest, most efficient way to create an accurate ROPA report.
However, not all companies required to create ROPA have a data mapping platform already, so here’s the general process for manually creating and maintaining ROPA documentation:
Create a brief to share with leadership on the importance of complying with GDPR Article 30 (including data on potential penalties), and the steps your organization must take in order to create your ROPA report.
Set meetings with the head of each team within your company in order to begin defining and documenting data processing activities across the organization.
During or after your initial meeting, send each team lead an assessment requesting the specifics of each data system and relevant processing activities.
Collate your findings into a document that is available digitally and in writing.
Very important! Develop a process for continually updating and maintaining these records. To be compliant, a ROPA must include all systems and tools that engage in data processing–so if the marketing team gets a new email tool, you’ll need to know about it to ensure your ROPA is up-to-date.
If your organization is too large to enact a comprehensive data mapping protocol in one go, it can be helpful to start the process within a single unit. Test out the process with one team, iron out any hiccups, and then continue to move strategically throughout the rest of the company.
To learn more about automating this process explore Transcend Data Mapping.
Important ROPA data types
As GDPR Article 30 requires that ROPA include a full list of data and data categories being processed, the chart below outlines some of the data types companies should consider when creating their ROPA.
| Data Category | Example |
| --- | --- |
| Computer information | Operating system |
| Contact | Phone number |
| Cookies and tracking elements | www.googleanalytics.qa |
| Financial | Routing number |
| Generic personal information | Name |
| Personal identifier | User ID |
| User online activities | Sites visited within a specific time frame |
Benefits of using data mapping software for ROPA creation
Data mapping and ROPA creation are complex processes.
Company data is distributed across connected cloud services and internal databases–spanning structured and unstructured file types, documents, images, and mail.
Creating a unified view of the personal data processed by your organization across such disparate systems is challenging, to say the least.
Automated data mapping software provides significant benefits for organizations who deal in large quantities of personal data: better visibility, simplified compliance, and freed up resources.
Unified visibility
Automated data mapping tools provide a live view of your company’s data, enabling comprehensive visibility into any personal data being processed. When a service or third party vendor is added or changed, data mapping software automatically detects the update and populates that record into your map without manual intervention.
Simplified compliance
GDPR does not require companies to preemptively submit ROPA documentation. However, the records must be made available upon request. So, if up-to-date ROPA documentation is unavailable when a request comes, your organization may be held liable.
With data mapping software, your ROPA is always up-to-date, always available, and easy to export (e.g. as a downloadable CSV), reducing organizational risk and simplifying Article 30 compliance.
Freed up resources
Data mapping software enables a centralized hub that keeps tabs on:
New systems added and the categories of personal data they contain
Owners and completion status for every data record
Database changes that may impact data flow
By minimizing the amount of manual work, data mapping software limits human error and frees up your teams to focus on core responsibilities.
Conclusion
From understanding your obligations as a data controller or processor, to including the right data in your ROPA, to ensuring your records are up-to-date–navigating Article 30 requirements and ROPA creation can be complex.
However, with the right tools your organization can simplify these workflows, supporting better visibility, resource use, and long-term Article 30 compliance.
About Transcend
If your organization has been impacted by the Article 30 ROPA requirement, Transcend can help. Use Transcend Data Mapping to discover your company’s data silos, classify personal data, and auto-generate reports, all in an easy-to-use, collaborative platform.
Power your company’s regulatory compliance with actionable data governance suggestions based on your real-time data map. Transcend is the first and only data mapping tool that ensures the systems discovered in your data map are seamlessly included in user deletion, access or modification request workflows.