The EU General Data Protection Regulation is one of the first privacy laws to impact businesses on a global scale because of its extraterritorial reach to any organization that processes data of EU residents. Among the range of compliance obligations that the GDPR requires of businesses is the major undertaking of creating and maintaining organization-spanning records of processing activities. Whether the GDPR applies to you, the benefits of implementing a ROPA program in your organization are far-reaching and undeniable.

What is a ROPA?

If you do a quick internet search on “What is a ROPA?” or “How should I create and maintain a ROPA?” you will find an unending number of articles available to assist you in building a ROPA questionnaire, and, for that matter, offering you templates for recording this data. However, a quick review will show many of these articles focus on regurgitating the law instead of understanding its practical implications of it — and many of their suggestions do not scale for complex global organizations.

So, what is a ROPA? Simply put, Article 30 of the GDPR requires businesses within their scope to create a comprehensive overview of the company’s personal data-processing activities, which must be made available to your supervisory authority when asked. This comprehensive document is a ROPA. While the GDPR has a precise definition of ROPA, it has evolved into a commonly used term of art for tracking and recording personal data cycles.

What is in a ROPA?

While Article 30 of the GDPR enumerates the record points for organizations within its scope, organizations not subject to the GDPR may choose to record somewhat different data points. Even if the purpose of your ROPAs is not to comply with GDPR, the Article 30 requirements provide excellent guidance for developing your ROPA data points.

In general, a ROPA questionnaire will ask these broad questions:

• Why do you process personal data?
• Whose data do you process?
• What kinds of or categories of data do you process?
• With whom do you share this data?
• How long do you store the data/when do you delete this data?
• What measures do you use to protect this data?

The GDPR instructs companies to record the sequence personal information travels within or outside of your company, along with the “legal basis” (Article 6 of the GDPR) to collect, use and disclose this personal information.

Being honest and transparent about how you deal with personal information helps both the supervisory authorities and yourself understand how personal information flows in your company — what steps you have undertaken to protect it and how you can use this data to improve your business.

The benefits of having ROPAs

ROPAs give a direct view of the front line

Companies use all sorts of key performance metrics to analyze their behavior and strategize on their future activities and business plans. They invest extensively in marketing specialists, strategists, etcetera, and it can take them weeks (and even months) to locate the petty issues. 

A ROPA exercise that is appropriately conducted can significantly streamline and reduce these disjointed efforts and is a ready replacement for the numerous strategic initiatives taken up by any organization. It is a reliable path toward resolving the issues that cannot be flagged unless teams have clarity into each other’s functions and responsibilities.

Relationship to the privacy notice

All organizations are expected to declare in their privacy notice the purposes they will use and share personal information. But there is often a discrepancy between what they say and what they are doing. ROPAs create transparency among teams and give the authors of the privacy notice a great deal of insight into the company's data life cycle and its actual business processes.

Taking informed risks

Expecting 100% compliance with evolving privacy regulations is farfetched, just as a mature information security program cannot entirely eliminate the possibility of a breach. Combine that with difficulty in showing the return on investment of preventing something bad from happening. It can sometimes seem that you are just throwing away your company's money on compliance initiatives. However, when you look at a ROPA project as a tool to gain important insights into the data your company holds and how you use it, you can better understand that the full value from this activity goes far beyond simple compliance.

A clear and documented understanding of a company's data provides executives with crucial information on actual risks, allowing them to make informed decisions on those risks they are willing to accept and those they are not.

Establishing a data elements taxonomy

A data elements taxonomy is a unified view of the types of personal data your company processes. Though there is no direct obligation under the GDPR on companies to create this taxonomy, it provides myriad benefits. It establishes a common language for all business units and systems to use when talking about data. It gives a fundamental understanding of the data you collect and uses and reduces your effort during a data subject access retrieval. It also provides a mechanism for examining what you are doing with certain elements.

When you conform different business units using the same data elements for other purposes, it organically leads to a focus on the “why.” Further, these recorded data elements provide a standardized structure for risk reporting to management. Ultimately, this taxonomy forms the foundation for the ROPA by answering the broadest question of all: “What kinds of data do you process?” The lack of a taxonomy often leads to confusion when attempting to apply data classification requirements. A lack of a nuanced understanding of what “personal information” means across multiple jurisdictions can lead to misapplied or missing controls.

Complying with current and future laws

Unlike the GDPR, the California Consumer Privacy Act does not explicitly require organizations to maintain ROPAs. But the CCPA does require organizations to show how they use personal data. Practically speaking, it is difficult to comply with the CCPA without conducting a ROPA-type exercise. Additionally, most new and evolving privacy laws have similar obligations. Having your ROPAs ready gives you a leg up on any work you may need to do to comply with new requirements. Building and maintaining your company’s ROPAs is a necessary foundation for satisfying all existing and anticipated privacy regulations.

Creating a privacy-aware culture

An organization that understands how personal information is used, can be used or should be used can widely support all its strategic initiatives and derive maximum benefits from the personal information that it holds. Companies that have a well understood and communicated “purpose” are generally more successful because this “north star” keeps business units in harmony as they go about their various missions; ROPAs do the same for the use of personal information. Additionally, a ROPA is an integral vehicle for making executives aware of the organization’s data usage activities and decisions. They can be instrumental in balancing your needs with your customers’ expectations.

Performing a ROPA exercise and maintaining this understanding over time is essential for strategic, ethical and legal considerations. No matter your organization’s size or regulatory obligations, well-conducted and maintained ROPAs create an organized view of your business, preparing you for any privacy-related surprises you may be exposed to. 

Photo by Sharon McCutcheon on Unsplash