Most data protection laws either require formal records of processing activities or have notice and/or privacy impact assessment requirements that, in a way, induce businesses to create one in order to comply. The need to maintain a comprehensive ROPA increases with the business's size and the complexity of its processing activities.
There are a few tips and tricks that may help to create a document that is both useful and, hopefully, stands the test of time.
Before you start building a ROPA
Before starting the ROPA process, evaluate your resources. Are you able to use a tool — one off-the-shelf or built in-house — or will this be maintained in an Excel spreadsheet? In answering these questions, consider your business privacy risk profile and do a cost/benefit analysis. Who will manage the ROPA going forward and how?
Like any good architect, you will need to ensure you have a good grasp of your organization, including how and where it operates, to build a document that is fit for your business and purpose. Build a ROPA that will stand the test of time by making it user-friendly and easy to maintain. If your ROPA is too granular and business entries cannot be updated efficiently or correctly, you will easily end up with thousands, if not hundreds of thousands, of entries. This is likely not sustainable, compliant or useful.
Above all, ensure you have appropriate backing of business leadership, which will set a top-down tone on the importance of privacy.
Building the ROPA
- Leverage existing processes to capture processing activities systematically. Mature organizations usually have well-developed vendor assurance programs and IT change management processes. Whether personal data is involved should be assessed, and if so, the business should be directed to enter a new processing activity or update an existing one.
- Create a standard naming convention for ROPA and other entries, including data protection impact assessments and transfer impact assessments. This will make it easier for the business to update entries instead of creating new ones.
- For each department, create ready-to-use purpose-of-processing responses, with an "other" option as a catch-all category that allows further explanation. This is usually the hardest part for a layperson to articulate. As you build your ROPA, you can then start to see patterns in processing activities and adjust the ROPA purpose-of-processing categories accordingly.
- To the extent possible, create ready-to-use categories — like data subjects, third parties, internal parties and data elements — that are easily understood so the business may cohesively and accurately enter their processing activity. Adjust these categories as you build your ROPA to align more closely with the reality of your business. A tightly controlled taxonomy of privacy terms will help you create and maintain a useful document.
- Use your ROPA to populate your data map. Ideally, integrating your ROPA with other systems, for example, procurement and digital assets, helps build a more holistic view. Having a good understanding of where your data resides, the systems and parties that have access to it, and the vendors associated with each processing activity will help a business better prepare for the ever-changing privacy landscape. A solid data map will help answer questions regarding TIAs and the sale of personal data, and will let you quickly identify sources of information to respond to an access request. More importantly, if you intend to use artificial intelligence, it will be useful to know what data the AI has access to so you may prepare accordingly.
- Ensure your ROPA not only meets requirements of the EU General Data Protection Regulation's Article 30 but is a useful document for drafting privacy notices in the jurisdictions where your business operates. As jurisdictions around the world pass new data protection laws or strengthen existing ones, it is important to build a ROPA that allows compliance with multiple standards.
- Create checkpoints in the ROPA regarding your vendor data protection agreements, international data transfer mechanisms, consent mechanisms and any associated digital security controls, which will allow you to better understand your risks and mitigate and/or accept them, depending on business risk tolerance.
- Have clear roles and responsibilities within the business to create and update ROPA entries. If a processing activity has privacy risks, adequately relay those to the business owner, who in turn mitigates or accepts them. Document the process.
- If you're using a tool, create rules in the document to trigger tasks for high-risk processing activities. Cast the net wide so it includes all processes that applicable jurisdictions consider high risk. Depending on how your privacy office is set up and who enters or reviews ROPA entries, it is good to have a baseline of automation that triggers DPIA tasks. The privacy officers can then decide whether to conduct DPIAs. Similarly, you can build rules in the ROPA that will trigger automated TIA tasks. Again, the privacy officer, upon closer examination, will decide whether to conduct a TIA. They will also instruct the business whether the vendor contract will need a transfer mechanism, such as standard contractual clauses, and any supplementary measures.
- For businesses operating in jurisdictions with Works Councils — which may have the right to be informed, consulted or to approve — it is advisable to create automated tasks to ensure applicable processing activities are reviewed and put through the appropriate channels for the council's review or approval.
- If you're using automated tools, ensure your ROPA information is carried over to the TIAs and/or DPIAs so the same information doesn't have to be entered repeatedly. You'll quickly lose the business if the process is overly cumbersome and laborious.
- Populate legal entity information with the data protection officer's name, the supervisory authority with which the DPO is registered, whether the intragroup data transfer agreement is signed and whether the legal entity is registered with the applicable data protection authority. Keeping this information readily available and up to date is especially important for businesses with an appetite for mergers and acquisitions.
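The rule-based triggering described above, as an added example that is not part of the original article or any particular ROPA tool: ROPA entries are screened against a set of high-risk triggers (taken from the categories this article names) and a placeholder list of destinations that need no transfer mechanism, and the matching entries open DPIA or TIA tasks for the privacy officer to review. The field names, the trigger sets and the `NO_TIA_DESTINATIONS` list are constructed for illustration, not a legal determination.

```python
from dataclasses import dataclass, field

# Illustrative high-risk triggers (the categories the article names);
# the real list must cover every jurisdiction the business operates in.
HIGH_RISK_SUBJECTS = {"children"}
HIGH_RISK_DATA_ELEMENTS = {"biometric", "health"}
HIGH_RISK_PURPOSES = {"direct marketing", "sale of personal data"}
# Placeholder: recipient countries that need no TIA (constructed, not a legal list).
NO_TIA_DESTINATIONS = {"DE", "FR", "IE", "NL"}


@dataclass
class RopaEntry:
    entry_id: str                 # follows the standard naming convention, e.g. "MKT-0007"
    data_subjects: set
    data_elements: set
    purposes: set
    uses_ai: bool = False
    recipient_countries: set = field(default_factory=set)


def dpia_reasons(entry):
    """Why the entry is high risk; an empty list means no DPIA task is opened."""
    reasons = []
    if entry.data_subjects & HIGH_RISK_SUBJECTS:
        reasons.append("children's data")
    special = entry.data_elements & HIGH_RISK_DATA_ELEMENTS
    if special:
        reasons.append("special-category data: " + ", ".join(sorted(special)))
    if entry.uses_ai:
        reasons.append("use of AI")
    risky_purposes = entry.purposes & HIGH_RISK_PURPOSES
    if risky_purposes:
        reasons.append("purpose: " + ", ".join(sorted(risky_purposes)))
    return reasons


def tia_destinations(entry):
    """Recipient countries outside the no-TIA list; each one needs a transfer review."""
    return sorted(entry.recipient_countries - NO_TIA_DESTINATIONS)


def tasks_for(entry):
    """Tasks the tool would open; the privacy officer still decides whether to run the assessment."""
    tasks = []
    if dpia_reasons(entry):
        tasks.append(("DPIA", entry.entry_id, dpia_reasons(entry)))
    if tia_destinations(entry):
        tasks.append(("TIA", entry.entry_id, tia_destinations(entry)))
    return tasks
```

Running `tasks_for` over every entry whenever the vendor assurance or change management process creates or updates one gives the baseline of automation described above.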
After building your ROPA
And now the good news. Once your ROPA and various assessments are sufficiently populated you may use the data to substantively inform leadership on the privacy health of the business, including risks and data management efficiencies and inefficiencies.
A mature ROPA will help you draft privacy notices and respond to access requests relatively easily, thus creating both efficiency and compliance. Furthermore, you can prepare for upcoming changes in the law or court decisions in particular areas where your business may be exposed by calculating risks or planning for appropriate mitigations.
Building the ROPA is only the first step. You need to foster a good working relationship across the business to ensure there is a robust process for populating, updating and adjusting the document, as needed. You may need to actively train privacy and other staff on how to populate and maintain the ROPA. This process may take years to become part of a business's culture.
Wherever your business may be in the privacy journey, it is important to accept that 100% compliance is difficult, if not impossible, to achieve. GDPR and other laws like it take a risk-based approach. As such, it is important to focus on high-risk areas for your business — be that children's data, use of AI, use of biometric data, direct marketing, or sale of personal data, for example. Build a robust ROPA with proportionate resources and processes that fit your business privacy risk profile.