News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | Record of processing activities — Are you ready for maturity? Related reading: Privacy and security for big data processing in the financial sector

rss_feed

""

""

Let’s be honest — back in 2018, when the EU General Data Protection Regulation was enforced in Europe, most companies were in a rush to comply by the due date. There were many reasons for that, typical of significant changes in laws and regulation: difficulties to convince senior executives of the importance early enough, time necessary to size and scope a program and obtain a decent budget, lack of internal skills and knowledge, and lack of clarity on the requirements. In a nutshell, organizations were facing all the challenges intrinsic to implementing novel concepts.

One of the key EU GDPR requirements laid out in Article 30 was for data controllers to maintain records of all processing activities under their responsibilities. It lays down minimum details to record against each data process, which should be made available to the regulator on demand to help demonstrate compliance.

When I joined the banking industry in 2007 to work in operational risk, Basel II was in force for a few years already. This set of international regulations released by the Basel Committee on Banking Supervision establishes minimum capital requirements (pillar I), provides a framework for regulatory supervision (pillar II) and establishes disclosure requirements for assessing the capital adequacy of banks (pillar III). As part of the pillar I, banks are expected to maintain a map of operational risks they are exposed to. Financial institutions had created lengthy inventories of their operational risks and were struggling to maintain them and get trustworthy and action-driven management information from it. Today, non-financial risk and control maps are nowhere near what they were 15 years ago. It took years to enrich, connect, rationalize and embed sustainable governance before they became powerful frameworks indispensable to every financial institution.

Four years after GDPR enforcement, I notice many similarities between the early operational risk maps and RoPAs:

  • Both were driven only by regulatory requirements with little or no direct, perceived benefits to the organization, leading to disengagement from senior executives.
  • Both were approached as bottom-up exercises by consulting all teams in every area of the organization, leading to lengthy, too-detailed and inconsistent catalogues.
  • Both were undertaken by external consultants and/or leveraged upon automated discovery/legacy inventories, leading to a lack of accountability.
  • Both implementations required a lot of time and efforts, leading to fatigue and demotivation to maintain in business as usual.

Some organizations may have avoided some of these pitfalls. But regardless of the current state, today may be the right time to take a step back and reflect on the costs and benefits of your RoPA to optimize the ratio.

Maximizing benefits of the RoPA

Besides avoiding scrutiny and sanctions from the authorities, a good RoPA can bring significant benefits to the organization.

1. RoPA as an evidence of good privacy practices

If Article 30 is in GDPR, it is for a very good reason: The RoPA is evidence that you know what you are doing with all the personal data you process. Every material change, flaw or improvement in your personal data processing should be reflected in it. The more exhaustive and higher quality your RoPA is, the more likely you have sight or control of what is going on in your organization. And that’s the reason why RoPA is typically the first evidence a data protection authority asks when they visit an organization. Other internal stakeholders such as audit, compliance or risk management functions might also have an interest in consulting your RoPA for their reviews and investigations.

2. RoPA as a mean to target remediation activities

A good RoPA can be a very powerful tool to size and scope future remediation activities. As we see new privacy laws around the world such as Personal Information Protection Law in China, data transfer restrictions such as “Schrems II,” and new practices such as the end of third-party cookies, you will surely keep busy adapting your processes, tools and controls in the years to come. The more you know upfront of your personal data processing activities, the quicker you can react.

3. RoPA as an input for privacy processes

Pretty much all privacy requirements can be linked to and leveraged upon your RoPA.

For example:

  • What you say in your privacy notice should be a summary of your RoPA.
  • When you respond to a data access request, you could quickly identify the right source of information in your RoPA.
  • When you conduct an impact assessment on a preexisting process, instead of starting from scratch, you can reuse some of the intel already collected and assess only the incremental risk.

Conversely, by running these controls with your RoPA, you can enrich, challenge and enhance your RoPA.

4. RoPA as a risk management dashboard

If you add a risk component to your RoPA, you can also turn it into a very useful risk management tool, both from an operational control monitoring perspective and a senior executive perspective. In being able to classify, rate and/or rank your data processes and flows, you can:

  • Create key indicators to monitor your risks against thresholds: How big is your current consolidated exposure to the “Schrems II” ruling? How close is it to your tolerance of this risk?
  • Identify activities most exposed to a risk: Where should you target enhanced awareness and control monitoring activities?
  • Run risk scenarios to forecast the impact of a potential new law or simulate impact of an external event: What if China’s PIPL extended to Hong Kong? What if a third-party software was deemed unlawful (e.g., Google Analytics)?

5. RoPA as a business insight

You could also leverage data collected in your RoPA to change your senior executive perception of privacy and turn a constraint into a business opportunity or even a competitive advantage. RoPA can be a good starting point to reflect on your process efficiencies, customer experience, or brand and value positioning. For example, if you look at all processes relying on consents, are they collected and handled consistently and efficiently?

Minimizing costs of the RoPA

Building and maintaining a RoPA certainly has a cost, which will keep increasing as it becomes more sophisticated and beneficial to the organization. Aiming to contain the rise of these costs will enable your secure adequate resources and make it sustainable.

1. Keep it simple

In reducing the granularity of your RoPA, you will make it easier to navigate and maintain. Granularity will depend on the complexity of the business but also on the privacy risk exposure. It can even vary within the same organization — marketing practices may require a more detailed view than supply chain activities. Associated with a strong data model, it can enable you to create a rich and holistic view, area by area, without getting lost in the details.

2. Move to a more top-down approach

In standardizing input into your RoPA, you will facilitate consolidation, drive a common understanding of the concepts, and accelerate maintenance and review processes. Most of the fields in RoPA should be aligned to reference data and you should seek to create taxonomy for all your key privacy concepts.

3. Minimize manual input

In automating input and connecting your RoPA to other data sources, you will minimize efforts. Fully automating a RoPA is illusory, but technology can help you focus resources where there is a real value added in overseeing the changes, interpreting them and connecting the dots.

4. Empower the business

In assigning accountability where processes operate, you improve your RoPA’s quality and relevancy. It is worth investing in training and engaging with colleagues across the organization to make the RoPA a truly joined and rewarded effort.

5. Stay proportionate

In focusing your efforts where you are most exposed, you optimize your limited resources. It could be where processing is intrinsically high-risk, such as development of AI, where the environment is very dynamic or where the activity is critical for your business strategy. While the EU GDPR requires you to have a comprehensive record of your processing activities, it does not mean you need to collect the same level of details or apply the same standards of care to each and every activity.

Recommendations

Moving to a mature RoPA will take years and a lot of thinking and efforts. Here are a few tips to start in the right direction:

  • Articulate a vision of your “ideal” RoPA, commensurate to the size, complexity and strategy of your organization.
  • Assess the current costs/benefits ratio of your RoPA, looking at the content, tooling, processes and governance.
  • Start with quick wins and continue delivering incremental improvements in agile ways to progressively grow business engagement and secure executive sponsorship.

Building a useful and efficient RoPA is a long journey. In establishing a robust strategic roadmap today, you can reach maturity in only a few years’ time.

Photo by Beatriz Pérez Moya on Unsplash


Approved
CDPO, CDPO/BR, CDPO/FR, CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT, LGPD
Credits: 1

Submit for CPEs

Author
Headshot Elodie Pierloot, CIPP/E, CIPM, FIP IAPP Member Contributor
Tags
Privacy Operations Management
Security Operations Management
Comments

If you want to comment on this post, you need to login.

Related Stories
Related Stories
Tags
Privacy Operations Management
Security Operations Management
Recent Comments