Originally published in March 2019. Updated in August 2020.
In 2018, companies were first introduced to the concept of a Record of Processing Activities (ROPA). As part of GDPR compliance, organizations are required to create and maintain this document, which includes the purposes of processing personal data, the parties to whom the data is disclosed, how long the data will be retained, and other details (see Article 30). Now, as US businesses are beholden to a growing number of privacy regulations like CCPA and its proposed amendment CPRA, maintaining a ROPA is even more important.
We work with clients to create ROPAs as part of their data privacy readiness plans, and this process frequently reveals new insights into their data management practices. These insights can yield positive outcomes on multiple levels and help you better manage your data. As a result, the ROPA process is beneficial regardless of which regulations apply to you—and in addressing new regulations as they appear.
What is a Record of Processing Activities (ROPA)?
A Record of Processing Activities (ROPA) is a record of an organization's processing activities involving personal data. Some businesses may think of "processing" as being limited to active events such as collection, analysis, or sharing, but the GDPR's definition of processing (Article 4(2)) explicitly includes storage, so a ROPA must also cover data that simply sits on a server or a shelf.
A ROPA includes the following information for each processing activity:
- Name and contact details of the data controller and, where applicable, the joint controller, the controller's representative, and the data protection officer (DPO); a processor keeps its own record of the processing it carries out on behalf of each controller
- Purposes of the processing (Article 30 requires the purpose itself; recording the lawful basis alongside each purpose is good practice, but the two are not the same thing)
- Categories of data subjects and categories of personal data being processed
- Categories of recipients to whom the personal data has been or will be disclosed
- Transfers of personal data to third countries or international organizations, identifying the country or organization and, where applicable, the safeguards relied on
- Envisaged time limits for erasure (the retention schedule) for each category of personal data
- General description of the technical and organizational security measures that apply to each processing activity
A completed ROPA lists each processing activity involving personal data and provides detailed information about each of the items listed above. While this may sound like a simple task, even building a complete list of processing activities is often a complex and time-consuming endeavor, involving detailed documentation reviews and multiple rounds of interviews with business users and IT. Larger organizations may want to create individual ROPAs for each department or line of business, and then roll up into a master enterprise-level record.
Due to the high volume of their processing activities involving personal data, midsize-to-large companies will likely need a data discovery tool to begin pulling together and organizing the various elements of the ROPA. Smaller organizations may want to start with a spreadsheet containing one row per processing activity (e.g., "Candidate offer of employment") and one column for each of the fields listed above. Here's a portion of an example from one of our projects:
Record of Processing Activities template
Benefits beyond compliance
For companies covered by the ROPA requirement, creating and maintaining this record is a necessary part of their readiness plan. However, the ROPA process may represent the first time an organization takes a close look at its data processes from an enterprise-wide perspective, specifically identifying the "what" (categories of personal data), the "who" (departments and contacts responsible for the data), the "why" (purposes of processing), the "where" (data proliferation), the "when" (time limits for retention) and the "how" (IT systems and applications, security measures, etc.). While data discovery tools can be instrumental in identifying the "what" and the "where" of personal data, you will still need to determine the "why" and the "how" for each activity by talking to the people who run the process. By making these determinations in creating a ROPA, you take the first step towards implementing sound data management practices across the organization.
Here are a few of the additional benefits we’ve identified for clients as we helped them create their ROPAs:
Identify redundant data
In creating your ROPA, you can identify cases of the same types of data being saved and updated in different locations at different times, which can make it impossible to determine which records are the most current, complete, and accurate. Once you identify these redundancies, you can build a single source of truth that allows you to get more business value from your data, and you shrink the number of places the same personal data must be protected.
Prepare to respond to data subject requests
If a data subject requests access to or deletion of her personal data, the ROPA can help you identify where that category of data is located, which systems and processors hold it, and how it is being processed. Having this information readily available lets you respond to data subject requests promptly, completely, and within the statutory deadline, instead of launching a fresh search of every system each time a request arrives.
Plan for data retention
The ROPA's "time limits for erasure" column requires stakeholders to think about their data retention schedule. For decades, organizations amassed data without considering how long it would continue to be relevant or useful. They built enormous data stores that raise security risk (every retained record is one more record to protect and to disclose in a breach) and that hamper their ability to use data in support of business objectives when information cannot be located quickly or when there is confusion over which data is the most current, accurate, and relevant. Thinking strategically about retention schedules and enforcing time limits lets the organization control this "data swell" and make better use of its data as a strategic asset.
Streamline data collection
Through the process of data discovery, some organizations realize they have been collecting certain categories of personal data that serve no specific purpose, and the ROPA can serve to validate that the data being acquired actually has business value. By removing extraneous categories from their data-gathering processes, businesses can streamline their procedures, eliminate the need to secure data they never needed, satisfy the data minimization principle, and focus their efforts on data that helps them better understand their customers and supports other business goals.
A living document
Technology is always changing, and so is your business. While the act of creating a ROPA is a best practice, the document can only continue to deliver value if you keep it up to date. When we work with clients, we recommend that their data governance committee review the ROPA at least once a quarter and update it as necessary.
Internal and external triggers that should prompt a ROPA update include mergers or acquisitions, new data privacy regulations, clarifications of existing data privacy laws, new processing activities, changes in department responsibilities, changes in data processors or their contact information, new sources or uses of data, new applications, and any other change that affects how personal data is processed.
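The spreadsheet described earlier (one row per processing activity, one column per Article 30 field) and the quarterly review schedule above lend themselves to a simple automated check. The following Python script is an added example, not part of the original article or any product it mentions: it treats each row as a dictionary, reports rows that are missing a required column, flags retention values that are not a real time limit for erasure, flags rows that record an international transfer so the destination and safeguard can be confirmed, and flags rows whose last review is older than the 90-day review window. The column names, the sample rows, and the 90-day window are assumptions for illustration.

```python
"""Completeness and review-staleness checks for a spreadsheet-style ROPA.

Added example (not from the original article). Each dict below is one row of
the ROPA spreadsheet: one processing activity, one key per Article 30 column.
Column names, sample rows and the 90-day window are constructed assumptions.
"""
from datetime import date, timedelta

# Columns every row must fill, mirroring the Article 30 items listed in the article.
REQUIRED_FIELDS = (
    "activity", "controller_contact", "purpose", "data_subject_categories",
    "data_categories", "recipient_categories", "retention", "security_measures",
    "last_reviewed",
)
# Retention values that are not a time limit for erasure and should be challenged.
OPEN_ENDED_RETENTION = {"", "indefinite", "indefinitely", "forever", "tbd", "unknown"}
REVIEW_INTERVAL = timedelta(days=90)  # quarterly review, per the article (assumed 90 days)


def check_record(rec, today):
    """Return a list of findings (strings) for one processing-activity row."""
    findings = []
    for field in REQUIRED_FIELDS:
        value = rec.get(field)
        if value is None or (isinstance(value, str) and not value.strip()):
            findings.append(f"missing field: {field}")
    retention = str(rec.get("retention", "")).strip().lower()
    if retention in OPEN_ENDED_RETENTION:
        findings.append("retention: no time limit for erasure recorded")
    if rec.get("international_transfers"):
        findings.append("international transfer: confirm destination country/organization "
                        "is identified and the safeguard relied on is documented")
    last = rec.get("last_reviewed")
    if isinstance(last, date) and today - last > REVIEW_INTERVAL:
        findings.append(f"stale: last reviewed {last.isoformat()}, "
                        f"more than {REVIEW_INTERVAL.days} days ago")
    return findings


def gap_report(records, today):
    """Map activity name -> findings, listing only rows that need attention."""
    report = {}
    for rec in records:
        findings = check_record(rec, today)
        if findings:
            report[rec.get("activity", "<unnamed>")] = findings
    return report


# Constructed sample rows; none of this is real client data.
SAMPLE_ROPA = [
    {
        "activity": "Candidate offer of employment",
        "controller_contact": "HR Director, hr@example.com",
        "purpose": "Pre-employment screening and contract preparation",
        "data_subject_categories": "Job candidates",
        "data_categories": "Name, contact details, CV, background check results",
        "recipient_categories": "Background screening vendor",
        "retention": "6 months after decision",
        "security_measures": "Role-based access in HRIS, encrypted at rest",
        "last_reviewed": date(2020, 7, 1),
    },
    {
        "activity": "Marketing newsletter",
        "controller_contact": "Marketing Manager, marketing@example.com",
        "purpose": "Sending product announcements to subscribers",
        "data_subject_categories": "Newsletter subscribers",
        "data_categories": "Email address, open/click history",
        "recipient_categories": "Email service provider",
        "retention": "indefinite",            # flagged: not a time limit for erasure
        "security_measures": "Vendor SOC 2 report, MFA on admin console",
        "last_reviewed": date(2020, 2, 10),   # flagged: older than the review window
    },
    {
        "activity": "Customer support tickets",
        "controller_contact": "Support Lead, support@example.com",
        "purpose": "Resolving customer issues",
        "data_subject_categories": "Customers",
        "data_categories": "Name, email, ticket text, attachments",
        "recipient_categories": "Outsourced support provider",
        "international_transfers": ["Support provider outside the EU"],  # flagged for review
        "retention": "3 years after ticket closure",
        "security_measures": "",              # flagged: missing field
        "last_reviewed": date(2020, 8, 1),
    },
]
TODAY = date(2020, 8, 15)  # fixed "today" so the output is reproducible

if __name__ == "__main__":
    for activity, findings in gap_report(SAMPLE_ROPA, TODAY).items():
        print(activity)
        for finding in findings:
            print("  -", finding)
```

Run against a real ROPA, the rows would come from the spreadsheet export rather than the embedded list, and the gap report is the agenda for the quarterly review: each finding is either a column the business owner must fill in or a decision (a retention limit, a transfer safeguard) that the governance committee must record.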
How to get started with ROPA
Your investigation into your data processing activities can begin with documentation you may have on hand: data privacy/security survey results, IT system documents, (in larger organizations) output from data discovery tools, etc. However, in our experience, gaining a thorough understanding of how an organization uses data requires sitting down and talking to the people who work with it, both in individual lines of business and in IT. Skipping this step can cause you to miss out on vital information that you need to build a comprehensive, accurate ROPA.
To cite an example, in interviewing one client's team we discovered a shared drive that had not appeared in survey responses regarding personal data. IT knew about the shared drive but was unaware that any personal data was being stored there. In another engagement, interviews revealed that our client was collecting observed personal data (behavioral data generated as users played an online game with friends). This did not show up in the survey results, so it had not been considered in assessing the impact of data privacy laws on the organization.
(Data) knowledge is power
The more you know about your data, the more effectively and efficiently you can use it to achieve your business goals. Creating and maintaining a ROPA (whether you’re required to or not) gives your organization a single source for answers to key questions about the personal data in your organization: what, who, why, where, when, and how. The insights contained in your ROPA provide the necessary foundation not only for aligning with data privacy requirements, but also for implementing sound data management practices across the organization.
General Manager of Data Privacy Jill Reber is a nationally recognized expert on data privacy, particularly GDPR, CCPA, and other data protection laws, and has spoken on the topic at conferences sponsored by American Banker, International In-House Counsel Journal, Information Management, the American Bar Association, and other national and international organizations.