ROPA: Definition, Peculiarities, and When You Need It


Since 2018, matching the requirements stated by General Data Protection Regulation (GDPR) has become obligatory for all businesses. Working under these rules means being able to provide detailed information on personal data that was collected and processed. However, having all the data conveniently sorted and assessed is only half of what you need. In addition, you also require a suitable way to present it. ROPA, or Record of Processing Activities, is a specific list to store any data that you have previously collected so that regulators can analyze it. It's the essential storage that provides any information on activities, or more specifically, on the personal information you request and store, its purpose, and the ways you use to manage it. Thus ROPA is part of what is generally called documentation. Today, we'll take a closer look at ROPA and learn more about its structure and the parts you should fill in. Finally, we'll discover business groups that should deal with it. A spoiler: almost everyone should.

When do you need ROPA?

While most provisions of the GDRP apply to all EU citizens, the situation differs with ROPA. According to the rules, it's applied only to businesses with over 250 employees. But if you don't match the group, it's still too early to close this article. Below, you'll find some more nuances. There are several exceptions for smaller organizations that are still obliged to stick to ROPA. These include any institutions that do the following: Process personal data that can lead to the rights or freedoms of the data subjects. Constant (not occasional) processing specific data sets. Process data listed in Article 9, including religious beliefs, health data, race, ethnicity, biometrical data, or data related to criminal cases. If you have doubts about whether your business fits any of the groups, it's better to spend additional resources and complete ROPA. And it's not only about complying with legislation – ROPA also offers numeric concealed benefits.


The structure of a ROPA

Unfortunately, you can rarely take ROPA documentation completed by other companies of your size or industry as a template. It's all because the structure varies and, in some cases, can differ considerably. However, some EU states have developed templates that businesses can use. If you're successful enough to get one, you just need to fill it in manually, keep it updated and provide it when requested. Below, you can find the minimum set of information you need to include in ROPA: Contact data for appropriate parties, for instance, stakeholders, controllers, DPOs, or joint controllers. The legal purpose for processing the data. People whose data is collected, divided into groups (such as customers or employees) Collected personal data grouped by categories Details about the recipient if the personal data is shared Transfer details and any safety measures used to protect the data. After answering the core questions, you may also want to provide additional details showing your commitment to data privacy. These may include links to contracts, privacy policy notes, the data privacy assessment, your DRIA, and data breach details.

Which personal data to account

For ROPA, you should include any applicable data related to personal information your business collects, processes, and stores. It's important to keep track of the customers' data you handle. However, don't also forget to add the data of your employees or any related personnel. Here you can find all the main personal data you should include in ROPA: Any unique data such as passport information, ID, driver's license numbers, etc. Full names, or names. Any contact details: telephone numbers, emails, residence address. Card numbers ROPA is meant to contain any personal data in your process. So it's better to double-check the information and add it to the document. Below you can find an additional list of data that is usually less commonly used: Age Job information Gender Browser search history Geolocation Race or ethnicity In addition, don't forget to attach other less-obvious data, such as cookies and one-off forms derived from your marketing website.

Non-evident benefits of a ROPA

As stated above, keeping ROPA is not only essential but also useful. Learn which benefits you can receive while maintaining this documentation.

Data actualization and mapping

First and foremost, ROPA is the overall storage for data your business collects. Thus, it's a good place to view any data part to sort and manage it. It sometimes happens that multiple teams operate the same datasets. In this case, ROPA is the place to detect this, simplify, and reduce memory consumption. Keeping ROPA may be your main goal, but it doesn't mean the document can't hold additional functions helpful for your business.

Improving DevSecOps practices

ROPA is a kind of self-assessment and audit for your business. So one of its hidden benefits includes the capability to detect sensitive areas in your security. Thus, it helps identify weaknesses in access control, data retention policies, and even inconsistency of encryption methods. And so adding ROPA to the list of documentation you require helps to overall improve your DevSecOps. Doesn’t it sound like a good argument to consider it even if you don't need it under GDPR policy?

Improving communication in a team

Some businesses believe that conducting data audits is easily completed by DPO. But in reality, it’s a time- and resources-consuming process that involves all the personnel who deals with personal data. Thus adopting ROPA and regularly updating it helps your departments communicate more effectively. As a bonus, managing ROPA may seem a good benefit for your stakeholders because it helps them batter understand how the data is managed and stored.

To conclude

Even though ROPA is obligatory only for businesses with 250+ employees and smaller productions that fall into specific categories, considering implementing it a good option for everyone. The main benefit of ROPA is that it means conducting a complete audit of a business, and so it is a good option for those who want to detect some weaknesses and work on improving those. Filling in the ROPA document may include some complications and extra attentiveness. However, while knowing the core elements one needs to include, it becomes less difficult to miss any of them.

Answers from lawyer on Legal-Crew are not substitutes for the advice of an attorney. The lawyer does not apply the law to the facts of your situation, or propose you a specific cause of action, or provide opinions about your selection of forum, or review any information you provide to us for legal accuracy or sufficiency. The lawyer only provides general legal information. Before acting on the general legal information, you should hire an attorney licensed to practice law in the jurisdiction to which your question relates. Learn more.