When you read the words GDPR Register of Processing Activities (ROPA), chances are high that for a lot of people the phrase ‘yet more bureaucratic admin’ comes to mind.
But, if you’re a data leader, data protection officer or privacy steward, you most probably do not think that way. What you might be thinking is:
- We do already have a register in place but is it up-to-date?
- How can we keep it up-to-date more efficiently?
- How can I update the register based on existing efforts across my organisation?
The fact is that most companies are lost on how to keep their ROPA up to date. And, to add to our pains, it is hard to ask the same people yet again to review and update the work they did two years ago. How can we turn this around in an efficient manner?
Building up and maintaining a mature ROPA is a vital cog in your data protection and data governance machinery. Integrating the register into the overall data governance initiative as well as other GDPR initiatives such as performing Data Protection Impact Assessments (DPIAs) can be a first step in increasing efficiency and can also lead to maintaining the ROPA in a semi-automated way.
If your organisation is not supporting a well-managed ROPA initiative, the privacy team will also take far longer to complete Data Subject Access Requests, satisfy regulatory audits and respond to data breaches.
Clearly, there are organisational and even commercial benefits for taking what, for many, appears to be a seemingly administrative task, very seriously indeed.
The Case for a Register of Processing Activities: Administrative Burden or Data Protection Lifesaver?
Maintaining an accurate ROPA is seen by many as an administrative burden on top of an already busy workload.
If your current ROPA procedures are confusing, complicated, or poorly documented, it’s no surprise if your staff ‘drop the ball’ when it comes to its maintenance.
This lack of enthusiasm and understanding, combined with limited GDPR awareness, can soon result in an incomplete and out-of-date ROPA. That is a serious non-compliance for which several organisations have already received sanctions under GDPR from various data protection authorities.
Completing the ROPA is a risk assessment in which you should be able to determine the technical and organisational measures based on, for example, data classification, type of data subject and transfers outside the EEA. Having an extended ROPA in place, one that is not limited to the requirements of GDPR Article 30, is a definite added value when defining the privacy risks in your processes. Knowing where your data comes from, in which systems, applications or databases it resides, how it flows within and outside the organisation, and how it is used in different business contexts is key.
What do we see happening in many organizations?
Your Data Protection Officer (or similar) soon becomes frustrated and begins documenting and updating the processing activities themselves.
Clearly, it is not the task nor responsibility of the DPO (or similar) to define and complete the register – on the contrary.
In small organizations the DPO (or similar) can potentially document the processing activities in the register, but only based upon the input he or she gets from the different privacy stewards and departments.
Your DPO should be focused on advisory tasks instead of department specific work that should be managed by the business.
How Do You Create a ROPA Maintenance Schedule the Business Will Want to Follow?
If this situation resonates with you, let’s explore some best practices:
1. Training and Change Management: Policies and procedures imposing the completion and updating of the register can be enforced through escalation to senior management to ensure they are being ‘pushed down’ across the organization.
While this can be a solution for some companies, it will not bring much awareness or enthusiasm to the departments that you want to target. This approach alone doesn’t often result in a sustainable solution.
A more effective way is to support policies and procedures by explaining to staff the reasoning behind them and by offering positive incentives (after training employees) to engage staff.
2. Engagement: When engaging the business, do not merely provide them with a register in a table format without any extra details.
Instead, provide a questionnaire or survey with predefined answers and use these answers to complete your register. A survey or questionnaire with pre-filled answers and sufficient information about the nature of the questions greatly facilitates completion. Interviewing people is also an excellent way to fill the gaps and ask specific questions.
3. Ownership: Appoint, for example, a business analyst to work with the data and information already available in your organisation that can be used as input for your register. In most cases this will give you a good-quality register, which may even be sustainable, but only if the appointed person consistently updates the register and remains in this supporting role. Unfortunately, we often see departments that still do not fully understand the process. Ultimately, the business needs to take ownership of maintaining the ROPA and spreading awareness. In essence, each department takes ownership of its own processing activities, which means there is not just one ‘Owner’ completing the ROPA; it is a responsibility of the entire organisation. Usually, we see a combination of key users and privacy stewards in each department taking up this responsibility.
4. Data Protection Tools: Data protection tools help you manage the entire process for your organisation. Many tools allow you to integrate a clear and understandable questionnaire. These tools incorporate workflows that automatically send the questionnaire to the right departments and, once completed, have the answers automatically included in your register. Notifications regularly remind departments to review the processing activity and suggest updates where needed. Note also that mature tools can integrate with Business Process Management solutions, Data Governance solutions, Risk solutions and CMDBs, which can automatically enrich your ROPA in order to maximise the completeness, accuracy and timeliness of the register.
5. Automated Integration: Data Protection Impact Assessments (DPIAs) clearly play a crucial role in GDPR compliance. Integrating your register with the DPIA can lead to a win-win situation. DPIAs can be initiated for certain (new) processing activities and, based on the outcome of a DPIA, the register can be updated automatically. Conversely, documented processing activities can be used as input to complete the DPIA. This DPIA automation decreases resistance in the organisation, as it helps maintain the register in a semi-automated and more time-effective way.
6. Data Governance: Well-governed data plays a pivotal role in this whole process. Defining reference data and data governance assets (data classification, applications, data subject roles, transfers and location of data, technical and organisational measures), clear ownership of assets, reusability of data and data lineage all contribute to an effective register and to GDPR compliance.
Ultimately it’s about choosing the right option for your organization.
But reviewing and adopting some of the best practices above is a great way to start managing your register in a far more sustainable manner.
Furthermore, senior management buy-in and regular communication will help a great deal, but be wary of forcing people to do something they do not understand.
With leadership support and a positive approach towards your organization, you can also increase GDPR awareness within your organization, ultimately increasing your ability to comply with GDPR.
Maintaining a Register of Processing Activities: The Organizational Advantages
Maintaining an accurate and extended Register of Processing Activities has a lot of organizational advantages.
In particular, it provides insights into the personal data you process such as:
- Where do you keep your data?
- Which systems are involved?
- What processing activities relate to specific data categories or data subject roles?
- What are the processing activities with cross border transfer?
- What are the safeguards and technical and organisational measures applied?
You will be able to categorise data across your organisation, minimise information security risks and deal with data transfer issues (cf. Schrems II). All of this information makes it easier for you to understand and identify which processing activities may be at risk.
For example, looking at the Schrems II case, all processing activities involving the transfer of personal data between the EU and the US that rely on standard contractual clauses or Privacy Shield will have to be re-evaluated.
If your register is up to date and supported by a mature data governance model, you can identify the impacted processing activities in a matter of minutes, rather than doing this manually, which could take days or weeks. (For more details, see the following video: https://lnkd.in/gmkzKrr)
Creating and maintaining a mature ROPA also helps when receiving a Data Subject Access Request (DSAR) from e.g. a customer or employee whose personal data you are processing. It will be easier to find the requested data as you know in which processes and systems the data is stored.
And of course, your cyber or data breach response teams will also know who to contact, which systems to investigate, and which data to analyse, in the event of a data breach. They will definitely appreciate having a team and an up-to-date register in place that will help them to understand the data.
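The three uses just described (finding transfer-dependent activities after Schrems II, locating the systems that hold a data subject's data for a DSAR, and knowing whom to contact after a breach in a given system) all come down to the same thing: the register being structured data that can be queried rather than a free-text table. The example below is added here to illustrate that point; it is not code from the original article or from Data Trust Associates, and it uses a constructed, fictional register whose field names, department names and system names are assumptions rather than any real organisation's data. It also adds an overdue-review check, which corresponds to the reminder notifications the best-practices section mentions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Tuple


@dataclass
class Transfer:
    """One transfer of personal data to a country outside the organisation's own."""
    destination_country: str   # ISO country code, e.g. "US"
    mechanism: str             # legal basis for the transfer, e.g. "SCC", "Privacy Shield", "adequacy"


@dataclass
class ProcessingActivity:
    """One row of an extended register: Article 30 fields plus governance links (assumed field set)."""
    name: str
    owner_department: str
    purposes: List[str]
    data_categories: List[str]
    data_subject_roles: List[str]
    systems: List[str]
    transfers: List[Transfer] = field(default_factory=list)
    measures: List[str] = field(default_factory=list)
    last_reviewed: date = date(2000, 1, 1)


# Constructed sample register; every value below is fictional.
REGISTER = [
    ProcessingActivity("Payroll", "HR", ["salary administration"], ["financial", "identification"],
                       ["employee"], ["HR system"], [], ["access control", "encryption at rest"],
                       date(2021, 3, 1)),
    ProcessingActivity("Marketing newsletter", "Marketing", ["direct marketing"], ["contact"],
                       ["customer", "prospect"], ["e-mail platform"], [Transfer("US", "Privacy Shield")],
                       ["opt-in consent"], date(2019, 6, 15)),
    ProcessingActivity("Customer support", "Service", ["handle tickets"], ["contact", "contract"],
                       ["customer"], ["ticketing tool", "CRM"], [Transfer("US", "SCC")],
                       ["pseudonymisation"], date(2020, 11, 2)),
    ProcessingActivity("Recruitment", "HR", ["hiring"], ["CV", "identification"],
                       ["applicant"], ["ATS"], [Transfer("CA", "adequacy")],
                       ["retention limit"], date(2021, 1, 10)),
]


def needs_transfer_reevaluation(register, country="US", mechanisms=("SCC", "Privacy Shield")):
    """Names of activities that transfer data to `country` under one of the listed mechanisms.

    This is the Schrems II question from the article: which activities rely on SCCs or
    Privacy Shield for EU-to-US transfers and therefore need to be re-evaluated.
    """
    return sorted(
        pa.name for pa in register
        if any(t.destination_country == country and t.mechanism in mechanisms for t in pa.transfers)
    )


def systems_holding_data_for(register, role):
    """Systems to search when a data subject in `role` (e.g. "customer") files a DSAR."""
    systems = set()
    for pa in register:
        if role in pa.data_subject_roles:
            systems.update(pa.systems)
    return sorted(systems)


def breach_contacts(register, system) -> List[Tuple[str, str]]:
    """(owning department, activity) pairs for every activity that stores data in `system`,
    i.e. who the breach response team needs to contact and which processing is affected."""
    return sorted({(pa.owner_department, pa.name) for pa in register if system in pa.systems})


def overdue_reviews(register, as_of, max_age_days=365):
    """Activities whose last review is older than the review cycle, for reminder notifications."""
    return sorted(pa.name for pa in register if (as_of - pa.last_reviewed).days > max_age_days)


if __name__ == "__main__":
    print("Re-evaluate after Schrems II:", needs_transfer_reevaluation(REGISTER))
    print("Systems to search for a customer DSAR:", systems_holding_data_for(REGISTER, "customer"))
    print("Contacts if the CRM is breached:", breach_contacts(REGISTER, "CRM"))
    print("Overdue reviews:", overdue_reviews(REGISTER, date(2021, 4, 1)))
```

The point of the design is that each question is a filter over fields the register already captures (transfers and their mechanism, data subject roles, systems, review date). If those fields are free text or missing, none of the four questions can be answered without re-asking the departments, which is exactly the manual work the article warns takes days or weeks.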
Finally, we can’t overstate the importance of following GDPR guidelines that mandate the need for a robust, transparent and auditable ROPA. When the regulator pays a visit, you need to be confident you are adhering to the GDPR requirement for maintaining accurate records of your processing activities.
Want to Learn How to Create Your Own Highly Performant Register of Processing Activities?
At Data Trust Associates, we have extensive experience of helping our clients implement and optimize a fully integrated and semi-automated ROPA that complies with the requirements of GDPR – and allows you to reuse the register for operational, compliance and analytical needs in your organization.
We blend the next generation of data governance and compliance methodologies and technology with deep industry experience and understanding of data privacy and protection policy.
If you want to know more about how to keep the GDPR Register up to date in an efficient manner in your organization, please request a discovery call: