Our Services

01. Data MANAGEMENT
  • A catch-all for everything Data Governance, Strategy, Quality, MDM, Architecture and more.

02. Data COMPLIANCE
  • All the support you need for compliance with the latest Data regulations (including GDPR).

03. Data EDUCATION
  • Training on data for everyone from Data Stewards to the Business Department and Senior Management.

04. AI Governance
  • From understanding how AI fits into your existing landscape to using its power to
    get the mundane work done in a compliant manner.

Lets Talk Data

Don’t worry. We won’t waste your time. Nor will we convince you to hand over the controls.

Schedule Discovery Call

blog

The 7-Step approach to save time with the Register of Processing Activities

By: John Walsh

March 29, 2021
RoPA

Creating and perfecting the Register of Processing Activities (RoPA) continues to be a challenge for most organizations. The process needs multiple iterations, it’s time-consuming and taxing on company resources.
What’s more? By the time the first version is defined, it is probably already out of date and not compliant with Data Protection regulation in your jurisdiction. At Data Trust Associates, we work with clients day-in-day-out to help them create and maintain a top-quality RoPA. Today, we are distilling our best-practices and winning approach in just 7 simple steps. We hope they’ll help you free up more time for meaningful activities.

Building your house so it lasts

PWe often compare the RoPA to building a house. The first one we build as a learning exercise, the second one is to correct the mistakes and… the third is built to last! If you want to build a RoPA that lasts, take into account the following:

  1. It cannot be created in silo mode such as by legal, business owner or IT Department but is a combined effort of all departments together
  2. Each processing activity needs to be part of the business process, you can’t cut corners!
  3. Realise that you probably already have 80% of the information to complete the RoPA. The problem you need to solve is that you cannot access
    or extract the details (for different reasons)
The CMMI as a roadmap to success

Most of us will be familiar with the Capability Maturity Model Integration (CMMI) as a way of depicting maturity across an organisation. Applying this model, we map the different levels as follows:

Level 1 Ad-Hoc Basic RoPa defined as a proof to authorities that something exists
Level 2 Identified Key elements are identified but may not be standardized
Level 3 Defined Key elements and reference data is linked to processes and data
Level 4 Managed End-2-End processes are implemented to support the RoPA updates
Level 5 Integrated Integration and automation of the RoPA creation and updates

Using this simplified model, we’d like to show how it can illustrate an incremental way of reaching a quality RoPA that will be understandable, reduce effort, increase reuse of existing data and automate 50% of the end-to-end process.

The 7-step approach to a fully-integrated and automated RoPa

Here are some of our own guidelines to optimize the route to Level 5:

  1. At the risk of overstating the obvious: Develop a clear vision and strategy to create and maintain a RoPA. Address questions like how it will
    be created and maintained, which tools to use, how to keep it in sync if multiple tools are used and how to streamline the work.
  2. Link a Processing Activity to an existing business process. While the business process may not be well defined, it is often on top-of-mind
    with those involved. And, while the Processing Activity is only a part of the overall process, it helps later to identify the owner and create awareness on
    the topic
  3. Identify the different data points and related reference data required in the RoPA. While some will be mandatory, others are very useful to
    have and depending on the organization
  4. Integrate your DPIA and RoPa processes. Reuse the same data points and reference data while completing your Data Protection Impact
    Assessments.
  5. Connect the DPIA process to the maintenance of the RoPA. So, once the DPIA is completed, this can automatically lead to the creation, update
    or removal of a RoPA entry.
  6. Integrate your technology landscape. You may have a data governance tool as a central system of record. This is used to centralise and manage
    information on data assets and the organization and is a key enabler to both complete and verify the RoPA contents.
  7. Link your RoPA effort with the overall data literacy program of your organization. Data Protection should not be a siloed effort but part of
    your overall ambition to create success with data in a compliant manner.
Focus on the core, outsource the rest

Want to free up time for more meaningful work?
Are you feeling overwhelmed by the workload?
Looking for a fit-and-forget solution that ensures and maintains top quality?

At Data Trust Associates, we have extensive experience in helping clients from different industries to execute and maintain top-quality RoPA’s. We’re happy to discuss and see how we can help.
Let’s have a virtual coffee