The Irish data protection authority, the Data Protection Commission (DPC), conducted a sweep late last year of organisations’ data protection records. According to the DPC, the majority of those examined failed to maintain appropriate records. As a result, these records were deemed non-compliant, exposing those responsible to potential GDPR violations.
Article 30 GDPR requires both controllers and processors to maintain a ‘Record of Processing Activities’ (RoPA). Despite the RoPA being an essential document for evidencing GDPR compliance, there is no industry standard for RoPAs. In addition, the GDPR does not prescribe its contents beyond high-level principles. There is also little guidance available from European regulators on best practice. As a result, until now, organisations had been left in the dark on RoPA best practice.
However, this is no longer the case. The DPC recently published guidance (the Guidance) on foot of its industry sweep, which provides real, practical, and valuable advice to organisations when preparing their RoPA. Organisations are now well equipped to amend their RoPAs so that they are fit for purpose and effectively evidence the organisation’s GDPR compliance. Further, the Guidance serves as a practical tool, explicitly setting out what must be contained in an RoPA for both controllers and processors, as well as offering constructive advice on what organisations should ‘do’ and what they should avoid when completing and maintaining their RoPA.
We explain the key takeaways from this key Guidance below.
Overall, the DPC was critical of how the information was recorded and presented in the RoPAs surveyed. The DPC now expects RoPAs to function as a standalone document rather than a document that refers out to, and co-exists alongside, an organisation’s other policy documents.
It is also now expected that organisations have their RoPA ‘ready to go’ at any time, and in any event, within 10 days’ notice.
What is mandatorily required?
- Article 30(1) requires controllers or their representative to maintain an accurate record of the processing activities they undertake.
- Article 30(2) requires processors or their representative to maintain an accurate record of the processing activities they engage in on behalf of controller(s).
- Article 30(3) requires this record to be ‘in writing, including in electronic form’.
The RoPA must contain all of the following:
To be included in the controller record:
To be included in the processor record:
Name and contact details of:
Do’s and Don’ts
The DPC has helpfully set out several practical tips that organisations should take into account when structuring their RoPA.
- Be detailed, breaking down each different business function, e.g. HR, finance, etc.
- Conduct a data mapping exercise with input from several business functions, to identify exactly what data is held and where.
- Include granular information. For example, retention periods will likely differ depending on the data category, so the RoPA should reflect the different retention periods for each specific category.
- Include extra information, if helpful, but clearly label which information is mandatory and which is ‘extra’.
- Information should be easy to find.
- The RoPA should be continuously updated.
- Redundant processing should be struck off or removed from the RoPA. Where it is struck off, a record of the obsolete processing should be maintained.
- Be mindful that supervisory authorities are external readers. Therefore, the RoPA should be comprehensible for all readers.
- The RoPA should not be difficult to produce. It should be ‘ready to go’ at any time, and, in any event, on 10 days’ notice.
- Templates or samples are not sufficient. The actual RoPA should be provided when requested.
- RoPAs should not refer to out-of-date material, e.g. the Privacy Shield.
- ‘Personal data’ or ‘personally identifiable information’ is not sufficient. Descriptions of what information is collected require further detail.
- ‘Technical and organisational security measures’ or ‘appropriate security’ are not appropriate answers when describing the technical and organisational measures in place.
- Documents should not be hyperlinked as responses to questions. The RoPA should be a standalone, exhaustive document.
- Organisations should not state things like ‘in accordance with the retention policy’ or ‘solicitors’ retention schedule’ without elaborating further.
RoPAs for smaller organisations
Article 30(5) GDPR provides an exemption from Articles 30(1)–(4) where an organisation employs fewer than 250 staff. However, this exemption is not applicable where the processing:
1. Is likely to result in a risk, not just a high risk, to the rights and freedoms of data subjects. For example, processing of mortgage applications, use of AI, and tracking one’s location.
2. Is not occasional, e.g. payroll or HR, and/or
3. Involves special categories of data or data relating to criminal convictions, such as processing for Garda vetting purposes, trade union membership or biometric data processing.
Smaller organisations which are caught by either (1), (2) or (3) must maintain an RoPA for the relevant processing. Any other processing can avail of the exemption and does not need to be recorded in a RoPA.
The Guidance makes it clear that the DPC views the RoPA as a vital document in evidencing organisations’ compliance with the GDPR, both in terms of Article 30 compliance and in complying with the data protection principles. This means that RoPAs must be continuously updated, contain granular detail and include input from the various business units in order to effectively evidence GDPR compliance.
In addition, the Guidance makes clear that the organisation as a whole is responsible for ensuring all business units feed into the completion and maintenance of the RoPA.
Organisations should now take advantage of the opportunity to review and amend their current RoPAs, especially given the exacting standards set out in the DPC’s guidance. Organisations should obtain legal advice in circumstances where they are unsure of what should be included in the RoPA or how to start their data mapping exercise.
For more information and expert advice on RoPAs, contact a member of our Privacy & Data Security team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.