RoPA stands for Record of Processing Activities. Required by Article 30 of the GDPR, it documents how your company processes personal data, the security measures taken to protect it, the categories of people affected by the processing, the recipients of the data, and the processors acting on your behalf. It also includes a basic risk analysis of each activity.
Soveren has created a tool to help you document your record of processing activities.
Complete your RoPA
Log in to your Soveren account and you will see a section for creating your RoPA in the left-hand bar. Navigate to this section and add a new activity.
Let's now run through the step-by-step process for completing your record of processing activities. While you are in Soveren’s RoPA tool, you are provided with hints at each step. You can save your progress at any time and come back later to finish or update the record.
Complete the main section
- Enter your processing activity name, whether customer support, some kind of sales and marketing activity (such as online marketing), or other. The name is just a reference for your own future use, so feel free to name it as you wish.
- Then indicate your processing purpose: the reason you process personal data. For example, if you are documenting an online marketing activity: “Advertisements and promotions by email and push notifications, excluding direct, offline advertising”.
- Following this, you need to add any systems you use for processing personal data in this activity, such as Zendesk (for customer support).
- Indicate the person responsible for the processing activity, for example the customer support manager.
- Complete the categories of data subjects, i.e. the categories of people whose personal data is processed, for example: “Web users”.
- Now enter the categories of personal data being processed, for example: “Content of communications and emails”.
- Then add a link to a description of the technical and organisational security measures that protect the processing activity, for example a link to a PDF file containing the risk assessment and mitigation measures. Keep that document version-controlled so the record always points to the measures actually in force.
- Add the retention period: how long you expect to store and/or process the personal data before you are obliged to erase it, for example: “Until objection to the processing or 1 year after the last action on the service, whichever is earlier”.
- If you transfer or disclose personal data to third countries and/or international organizations, enter these third parties and the countries in which they are located, for example: “US, XYZ World Insurance”.
- If you transfer personal data outside the EEA, you also need to enter the legal basis for doing so, for example: “Standard contractual clauses (SCCs)”.
By completing the above 10 steps you will have documented the core of an Article 30 record for the activity and will be well on your way to a complete RoPA.
Complete the additional section
The additional 7 steps below can be completed if you have access to this information:
- Add the legal basis for processing the personal data, such as “Legitimate interest”.
- If you process the data jointly with other organizations, i.e. joint controllers that determine the purposes and means of processing together with you, add these organizations.
- If you disclose personal data to third-party recipients, add these companies.
- If you are a controller and have processors handling data on your behalf, indicate the processor (company) for this data.
- While not strictly necessary under Article 30, you can also keep track of the subprocessors used by the processors you listed in the previous step; this is useful when you want to check whether the data leaves the EEA.
- Before starting your data processing activity, you will have conducted a threshold test to decide whether a full data protection impact assessment (DPIA) is required; add a link to the outcome of this threshold analysis.
- Lastly, if the outcome of your threshold analysis indicated that a DPIA was required, provide a link to the DPIA document itself.
The completed record is audit-ready should a supervisory authority request it, and it gives you a solid framework for running your data privacy operations more effectively.