So why should you spend time on your business’s RoPA (and what is it) – why is it useful for you?
Introduction to your Record of Processing Activity
Your Record of Processing Activity (RoPA) is nothing more than a list of each type of personal data you handle, with a set of explanatory details showing what your business handles and when, why, where and how it handles it… OK, that’s a major simplification but, with the right template, you will easily get into the swing of recording the essentials.
Why wouldn’t you keep track of a business asset (that you hold in trust)?
Think about the personal data in terms of an asset where you have a stock that grows and changes over time. Then you understand why you need to keep an inventory of it. Hence, it is your business’s Data Inventory. You can call it whatever makes the most sense to you and anyone who works with you.
When is it a legal requirement?
There are certain cases where you are obliged to create a Record of Processing Activity. It is an absolute requirement of the UK GDPR stated in Article 30 and in Part 4 of the Data Protection Act 2018 if one or more of the following applies:
- your business has 250 or more employees; or
- the processing you carry out is likely to result in a risk to the rights and freedoms of data subjects; or
- the processing is not occasional; or
- the processing includes special categories of data; or
- the processing includes personal data relating to criminal convictions and offences.
But this article is about why it’s an excellent idea to create (and maintain) such a record even if none of the above apply to your business.
3 main reasons for creating and maintaining your Record of Processing Activity
- You will know what you have and where it is, as a minimum. It will highlight potential risk areas and could prevent big problems, e.g. a breach, further down the line.
- You have evidence of your efforts towards compliance in the event of a complaint or audit.
- You need a lot of the information in it to include in your Privacy Notice (2 birds one stone).
These are the Basics you should include:
- Where the data is collected from e.g. a subscription or contact form on your website
- The category of the data subject – these are the people whose data you handle
- Personal data being processed – the type of data e.g., email address
- The Purpose for which you collect it
- The lawful basis for processing – it’s not legally required to be in your RoPA but it’s helpful for your Privacy Notice
- If you handle any Special Category data – this is a UK requirement and you must note why you collect SC data
- Where the data is held/stored
- The volume of data – this isn’t a legal requirement but it’s helpful for you when considering the risk of handling it
- The data retention period – how long you keep it
- The name of any third parties to whom data is transferred
- The country any third parties are located in, if not the UK
- If they are outside of the UK, which appropriate safeguard for transfer of data is used e.g., Standard Contractual Clauses for Controller to Controller/Controller to Processor relationships. By the way, SCCs are currently being rewritten in the UK and new ones will also be released in the EU.
- The security measures that are in place e.g., encryption, passwords, etc.
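As an added illustration (not the author’s template and not an ICO format), the following Python sketch models one RoPA row using the fields listed above and flags the gaps a reviewer would look for: a non-UK third party with no recorded safeguard, special category data without a recorded reason, and a missing retention period, lawful basis or security measures. The class and function names and the two sample rows are constructed for this example.

```python
from dataclasses import dataclass, field

# Field names mirror the "Basics" list above; RopaEntry/check_entry are this
# example's own names, not taken from the ICO templates.
@dataclass
class RopaEntry:
    source: str                      # where the data is collected from
    data_subjects: str               # category of data subject
    personal_data: list              # types of personal data, e.g. email address
    purpose: str
    lawful_basis: str = ""
    special_category: bool = False
    special_category_reason: str = ""
    storage_location: str = ""
    retention_period: str = ""
    third_parties: list = field(default_factory=list)  # (name, country, safeguard)
    security_measures: list = field(default_factory=list)

def check_entry(e: RopaEntry) -> list:
    """List the gaps a reviewer would want closed before relying on this row."""
    gaps = []
    if not e.lawful_basis:
        gaps.append("lawful basis not recorded (needed for the Privacy Notice)")
    if e.special_category and not e.special_category_reason:
        gaps.append("special category data without a reason for collecting it")
    if not e.retention_period:
        gaps.append("retention period missing")
    if not e.security_measures:
        gaps.append("no security measures recorded")
    for name, country, safeguard in e.third_parties:
        if country.upper() != "UK" and not safeguard:
            gaps.append(f"transfer to {name} ({country}) has no recorded safeguard")
    return gaps

# Constructed sample rows for a small owner-run business (not real data).
NEWSLETTER = RopaEntry(
    source="newsletter sign-up form on website", data_subjects="subscribers",
    personal_data=["email address", "first name"], purpose="send monthly newsletter",
    lawful_basis="consent", storage_location="email marketing platform",
    retention_period="until unsubscribe, then 30 days",
    third_parties=[("MailTool (hypothetical)", "US", "Standard Contractual Clauses")],
    security_measures=["MFA on platform login", "encrypted at rest by provider"])

HEALTH_SURVEY = RopaEntry(
    source="client intake survey", data_subjects="clients",
    personal_data=["name", "health conditions"], purpose="tailor coaching sessions",
    special_category=True,
    third_parties=[("SurveyTool (hypothetical)", "US", "")])
```

Calling `check_entry(NEWSLETTER)` returns an empty list, while `check_entry(HEALTH_SURVEY)` returns five gaps, one per missing item.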
How long does it take to prepare your RoPA?
Obviously, it depends on you and your business, but it will take time to complete for most businesses. When you’ve put together what you know, you can continue adding to it as you think of things or as things change.
Complete it a bit at a time, e.g. purpose by purpose – you could start with your email subscriptions and go from there! Make sure you regularly review and update it – I also recommend having a reminder each month to take a look and note anything that’s changed. It’s so much easier than trying to remember what happened 12 months ago. For me that’s being kind – I actually update mine whenever I change or add anything because I know I won’t remember when the next reminder comes out (sigh).
It is your data protection keystone and a document the ICO will ask to see, should a complaint be received or (heaven forbid) you have a breach that must be reported to the ICO.
The upside of all of this is it will make everything else to do with data protection and GDPR so much easier to deal with!
TIP: If you are more of a visual person, you could try Data Flow Mapping, which works alongside your Record of Processing Activity. This is simply a graphical way of showing what data goes where. Think of a flow chart-type design showing a process e.g., when someone signs up for a newsletter. If you struggle with adding all the types of data, etc., for one of your processes, putting together a data flow map may help you. If you need help with this, let me know.
Information gathering to prepare your Record of Processing Activity
Depending on how your business is set up, you may want to separate the record of processing into functions or departments e.g., Sales, HR, etc. If this is the case, the advantage is you are likely to have staff/team members who deal with that particular function, and they will be the best people to complete that section of the RoPA.
For most owner-run businesses, you will be handling pretty much everything or will be heavily involved in every part even if you, for example, have a bookkeeper/accountant or someone who does your social media, etc. In this (our) case, where you gather or collect the data will be the most logical place to start.
Is there a required format?
No, not at all. You can use a spreadsheet (my preference and the format of the ICO’s templates) or a simple table in your word processing app. You are the person who needs to use it so make it work for you!
I have created a Record of Processing Activity template in Microsoft Excel (surprise!), which includes the necessary headings to record the information you’ll need. I’ve tailored it to fit small owner-operated businesses and included dropdown lists for all of the category headings that I could to make it easier still.
This template forms part of my Jargon-free GDPR Essentials. I will be releasing the first 4 modules in the next couple of weeks. Keep a watch for this and, if you haven’t already joined my Jargon-free GDPR Facebook group, do that now as that will be the first place the details will appear. N.B. My next workshop will be covering these 4 modules and how they work together to get key structures (easily) into place!