Article 30 - Record of Processing Activities - what should it contain?

May 17, 2021

The Record of Processing Activities (RoPA) serves to give an organisation a clear internal picture of its processing activities, as well as providing evidence to authorities as to how data is being used.

Generally, a RoPA applies only to organisations employing 250 employees or more UNLESS:
- the processing being undertaken is likely to result in a risk to the rights and freedoms of data subjects or;
- the processing is not occasional - in which case, smaller companies where this applies are under obligation to maintain one.

A RoPA is necessary where special categories of data (listed in Article 9(1)) or data relating to criminal offences and convictions (Article 10) are processed.

The information that a RoPA should contain differs for controllers and processors.

RoPA for the CONTROLLER:
Name and contact number of the controller;
The purpose of processing;
A description of the categories of data subjects;
A description of the categories of data being processed;
The recipients to whom the personal data will be disclosed;
Details of transfers of data to a third country or international organisation, if applicable, and details of the transfer safeguards in place;
Envisaged time limits that data will be kept;
A general description of the technical security measures undertaken by the organisation to protect data.

RoPA for the PROCESSOR:
Name and contact number of the processor(s);
The categories of processing carried out on behalf of the controller(s);
Details of transfers of data to a third country or international organisation, if applicable, and details of the transfer safeguards in place;
A general description of the technical security measures undertaken by the organisation to protect data.

Creating a RoPA is the important first step; however, work on it should be ongoing: each time a new category of data is processed, or data is processed for a different reason, this information will need to be added. In essence, the document, in whatever form your organisation decides to keep it, should be updated whenever there is any kind of change to processing activities. There is no specified format for completing the RoPA, although authorities throughout the EU have released their own preferred versions, along with accompanying notes on best practice.

The GDPR stipulates that the RoPA should be made in writing (which includes electronic form) and be made available to the Supervisory Authority (SA) upon request. The idea is that keeping records offers transparency of processing operations to both the SA and data subjects.
