Creating and perfecting the Register of Processing Activities (RoPA) continues to be a challenge for most organizations. The process needs multiple iterations, is time-consuming and is taxing on company resources.
What’s more, by the time the first version is defined, it is probably already out of date and not compliant with the data protection regulation in your jurisdiction.
At Data Trust Associates, we work with clients day in, day out to help them create and maintain a top-quality RoPA. Today, we are distilling our best practices and winning approach into just 7 simple steps.
We hope they’ll help you free up more time for meaningful activities.
Building your house so it lasts
We often compare the RoPA to building a house. The first one we build as a learning exercise, the second one is to correct the mistakes and… the third is built to last!
If you want to build a RoPA that lasts, take into account the following:
- It cannot be created in a silo, for example by legal, a business owner or the IT department alone; it is a combined effort of all departments together
- Each processing activity needs to be part of the business process, you can’t cut corners!
- Realise that you probably already have 80% of the information needed to complete the RoPA. The problem you need to solve is that you cannot access or extract the details (for different reasons).
The CMMI as a roadmap to success
Most of us will be familiar with the Capability Maturity Model Integration (CMMI) as a way of depicting maturity across an organisation. Applying this model, we map the different levels as follows:
| Level | Name | Description |
|---|---|---|
| Level 1 | Ad-Hoc | Basic RoPA defined as a proof to authorities that something exists |
| Level 2 | Identified | Key elements are identified but may not be standardized |
| Level 3 | Defined | Key elements and reference data is linked to processes and data |
| Level 4 | Managed | End-2-End processes are implemented to support the RoPA updates |
| Level 5 | Integrated | Integration and automation of the RoPA creation and updates |
Using this simplified model, we’d like to show how it can illustrate an incremental way of reaching a quality RoPA that will be understandable, reduce effort, increase reuse of existing data and automate 50% of the end-to-end process.
The 7-step approach to a fully-integrated and automated RoPA
Here are some of our own guidelines to optimize the route to Level 5:
- At the risk of overstating the obvious: Develop a clear vision and strategy to create and maintain a RoPA. Address questions like how it will be created and maintained, which tools to use, how to keep it in sync if multiple tools are used and how to streamline the work.
- Link a Processing Activity to an existing business process. While the business process may not be well defined, it is often top of mind for those involved. And, while the Processing Activity is only a part of the overall process, the link helps later to identify the owner and create awareness of the topic.
- Identify the different data points and related reference data required in the RoPA. While some will be mandatory, others are very useful to have, depending on the organization.
- Integrate your DPIA and RoPA processes. Reuse the same data points and reference data while completing your Data Protection Impact Assessments.
- Connect the DPIA process to the maintenance of the RoPA. So, once the DPIA is completed, this can automatically lead to the creation, update or removal of a RoPA entry.
- Integrate your technology landscape. You may have a data governance tool as a central system of record. This is used to centralise and manage information on data assets and the organization and is a key enabler to both complete and verify the RoPA contents.
- Link your RoPA effort with the overall data literacy program of your organization. Data Protection should not be a siloed effort but part of your overall ambition to create success with data in a compliant manner.
Focus on the core, outsource the rest
Want to free up time for more meaningful work?
Are you feeling overwhelmed by the workload?
Looking for a fit-and-forget solution that ensures and maintains top quality?
At Data Trust Associates, we have extensive experience in helping clients from different industries to execute and maintain top-quality RoPAs. We’re happy to discuss and see how we can help.