Let’s be honest — back in 2018, when the EU General Data Protection Regulation came into force in Europe, most companies were rushing to comply by the due date. There were many reasons for that, all typical of significant changes in laws and regulation: difficulty convincing senior executives of the importance early enough, the time needed to size and scope a program and obtain a decent budget, a lack of internal skills and knowledge, and a lack of clarity about the requirements. In a nutshell, organizations were facing all the challenges intrinsic to implementing novel concepts.

One of the key EU GDPR requirements, laid out in Article 30, is for data controllers to maintain records of all processing activities under their responsibility. The article lays down the minimum details to record against each processing activity, and these records must be made available to the regulator on demand to help demonstrate compliance.

When I joined the banking industry in 2007 to work in operational risk, Basel II had already been in force for a few years. This set of international regulations released by the Basel Committee on Banking Supervision establishes minimum capital requirements (pillar I), provides a framework for regulatory supervision (pillar II) and establishes disclosure requirements for assessing the capital adequacy of banks (pillar III). As part of pillar I, banks are expected to maintain a map of the operational risks they are exposed to. Financial institutions had created lengthy inventories of their operational risks and were struggling to maintain them and to extract trustworthy, action-driven management information from them. Today’s non-financial risk and control maps bear little resemblance to those of 15 years ago. It took years to enrich, connect, rationalize and embed sustainable governance before they became the powerful frameworks that every financial institution now depends on.

Four years after GDPR came into force, I notice many similarities between those early operational risk maps and records of processing activities (RoPAs):

  • Both were driven only by regulatory requirements, with little or no direct, perceived benefit to the organization, leading to disengagement from senior executives.
  • Both were approached as bottom-up exercises, consulting every team in every area of the organization, leading to lengthy, overly detailed and inconsistent catalogues.
  • Both were undertaken by external consultants and/or relied on automated discovery tools or legacy inventories, leading to a lack of accountability.
  • Both implementations required a great deal of time and effort, leading to fatigue and little motivation to maintain them as part of business as usual.

Some organizations may have avoided some of these pitfalls. But regardless of your current state, today may be the right time to take a step back, reflect on the costs and benefits of your RoPA, and optimize the ratio between them.

Maximizing benefits of the RoPA

Besides avoiding scrutiny and sanctions from the authorities, a good RoPA can bring significant benefits to the organization.

1. RoPA as evidence of good privacy practices

If Article 30 is in GDPR, it is for a very good reason: The RoPA is evidence that you know what you are doing with all the personal data you process. Every material change, flaw or improvement in your personal data processing should be reflected in it. The more exhaustive and the higher quality your RoPA is, the more likely you are to have sight of, and control over, what is going on in your organization. That is why the RoPA is typically the first piece of evidence a data protection authority asks for when it visits an organization. Other internal stakeholders, such as the audit, compliance or risk management functions, may also want to consult your RoPA for their reviews and investigations.

2. RoPA as a means to target remediation activities

A good RoPA can be a very powerful tool to size and scope future remediation activities. With new privacy laws emerging around the world, such as the Personal Information Protection Law in China, data transfer restrictions such as “Schrems II,” and new practices such as the end of third-party cookies, you will surely be kept busy adapting your processes, tools and controls in the years to come. The more you know upfront about your personal data processing activities, the quicker you can react.

3. RoPA as an input for privacy processes

Pretty much all privacy requirements can be linked to, and built on, your RoPA.

For example:

  • What you say in your privacy notice should be a summary of your RoPA.
  • When you respond to a data subject access request, you can quickly identify the right source of information from your RoPA.
  • When you conduct an impact assessment on a pre-existing process, instead of starting from scratch, you can reuse some of the information already collected and assess only the incremental risk.

Conversely, running these controls against your RoPA lets you enrich, challenge and enhance the RoPA itself.

4. RoPA as a risk management dashboard

If you add a risk component to your RoPA, you can also turn it into a very useful risk management tool, both from an operational control monitoring perspective and from a senior executive perspective. If you can classify, rate and/or rank your data processes and flows, you can:

  • Create key indicators to monitor your risks against thresholds: How big is your current consolidated exposure to the “Schrems II” ruling? How close is it to your tolerance for this risk?
  • Identify the activities most exposed to a risk: Where should you target enhanced awareness and control monitoring activities?
  • Run risk scenarios to forecast the impact of a potential new law or simulate the impact of an external event: What if China’s PIPL were extended to Hong Kong? What if a third-party tool were deemed unlawful (e.g., Google Analytics)?

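As an added illustration of the risk-dashboard idea above (example code, not from the original article), the following sketches a RoPA entry that carries a subset of Article 30 fields plus a risk rating, then computes the three kinds of answer listed: a consolidated “Schrems II” exposure indicator checked against a tolerance, the most exposed activities, and two what-if scenarios. The entries, field names, rating scale and tolerance value are constructed assumptions, not any organization’s real record.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Processing:
    """One RoPA entry: a few Article 30 fields plus a risk component (assumed schema)."""
    name: str
    purpose: str
    subjects: int              # approximate number of data subjects involved
    location: str              # country code where the processing takes place
    transfer_to: Optional[str]  # third country receiving the data, if any
    mechanism: str             # taxonomy value: "none", "adequacy" or "scc"
    tools: FrozenSet[str]      # third-party tools the activity depends on
    risk_rating: int           # 1 (low) to 4 (high), set by the process owner


# Constructed sample entries for illustration only
ROPA = [
    Processing("Payroll", "HR administration", 2_000, "FR", None, "none", frozenset({"hris"}), 2),
    Processing("Web analytics", "marketing", 500_000, "FR", "US", "scc", frozenset({"google-analytics"}), 3),
    Processing("Cloud CRM", "sales", 80_000, "DE", "US", "scc", frozenset({"crm-saas"}), 3),
    Processing("Asia support desk", "customer support", 30_000, "HK", None, "none", frozenset({"ticketing"}), 2),
    Processing("Recruitment", "hiring", 5_000, "FR", "UK", "adequacy", frozenset({"ats"}), 1),
]


def schrems2_exposure(ropa):
    """Key indicator: data subjects whose data leaves the EEA under SCCs alone,
    i.e. transfers that depend on the post-Schrems II assessment regime."""
    return sum(p.subjects for p in ropa if p.transfer_to and p.mechanism == "scc")


def exceeds_tolerance(ropa, tolerance):
    """Compare the indicator with the organization's stated risk tolerance."""
    return schrems2_exposure(ropa) > tolerance


def most_exposed(ropa, min_rating=3):
    """Activities to target for enhanced awareness and control monitoring."""
    return sorted(p.name for p in ropa if p.risk_rating >= min_rating)


def in_scope_of_law(ropa, jurisdictions):
    """Scenario: which activities would fall under a law covering these countries."""
    return sorted(p.name for p in ropa if p.location in jurisdictions)


def dependent_on_tool(ropa, tool):
    """Scenario: which activities would be affected if a third-party tool were deemed unlawful."""
    return sorted(p.name for p in ropa if tool in p.tools)
```

Running `in_scope_of_law(ROPA, {"CN"})` against `in_scope_of_law(ROPA, {"CN", "HK"})` shows the marginal impact of the Hong Kong scenario, and each function only works as well as the taxonomy and ratings the business has actually filled in.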
5. RoPA as a business insight

You could also leverage the data collected in your RoPA to change your senior executives’ perception of privacy and turn a constraint into a business opportunity or even a competitive advantage. The RoPA can be a good starting point for reflecting on process efficiency, customer experience, or brand and value positioning. For example, if you look at all the processes relying on consent, is consent collected and handled consistently and efficiently?

Minimizing costs of the RoPA

Building and maintaining a RoPA certainly has a cost, which will keep increasing as the RoPA becomes more sophisticated and more beneficial to the organization. Containing the rise of these costs will help you secure adequate resources and keep the RoPA sustainable.

1. Keep it simple

By reducing the granularity of your RoPA, you make it easier to navigate and maintain. Granularity will depend on the complexity of the business but also on the privacy risk exposure. It can even vary within the same organization — marketing practices may require a more detailed view than supply chain activities. Combined with a strong data model, this lets you build a rich and holistic view, area by area, without getting lost in the details.

2. Move to a more top-down approach

By standardizing input into your RoPA, you facilitate consolidation, drive a common understanding of the concepts, and accelerate maintenance and review processes. Most of the fields in a RoPA should be aligned to reference data, and you should seek to create a taxonomy for all your key privacy concepts.

3. Minimize manual input

By automating input and connecting your RoPA to other data sources, you minimize effort. Fully automating a RoPA is illusory, but technology can help you focus resources where there is real added value: overseeing the changes, interpreting them and connecting the dots.

4. Empower the business

By assigning accountability where the processes actually operate, you improve your RoPA’s quality and relevance. It is worth investing in training and engaging with colleagues across the organization to make the RoPA a truly joint and rewarding effort.

5. Stay proportionate

By focusing your efforts where you are most exposed, you make the best use of your limited resources. That could be where processing is intrinsically high-risk, such as the development of AI, where the environment is very dynamic, or where the activity is critical to your business strategy. While the EU GDPR requires you to keep a comprehensive record of your processing activities, it does not mean you need to collect the same level of detail or apply the same standard of care to each and every activity.

Recommendations

Moving to a mature RoPA will take years, a lot of thinking and a lot of effort. Here are a few tips to start in the right direction:

  • Articulate a vision of your “ideal” RoPA, commensurate with the size, complexity and strategy of your organization.
  • Assess the current cost/benefit ratio of your RoPA, looking at its content, tooling, processes and governance.
  • Start with quick wins and keep delivering incremental improvements in agile ways to progressively grow business engagement and secure executive sponsorship.

Building a useful and efficient RoPA is a long journey. By establishing a robust strategic roadmap today, you can reach maturity in only a few years’ time.