How to Create a Record of Processing Activities (ROPA)

The UK GDPR requires most organisations processing personal data to create and maintain a formal record of all the processing activities involving personal data which they undertake.  Known as the Record of Processing Activities or ‘ROPA’, it is the organisation’s core data protection compliance document. 

The law permits organisations with less than 250 employees to decide if they wish to create and maintain a ROPA if certain strict conditions also apply.  However, it is best practice for any organisation that processes personal data to have a ROPA in place because the ROPA is a cornerstone of any organisation’s privacy compliance framework.  It is also a very useful data risk identification tool, which organisations can use to inform the data protection impact assessments (DPIAs) they carry out.

Creating a ROPA will involve understanding and capturing processing activities throughout an organisation.  In this blog, we will outline a step-by-step procedure on how you can create a ROPA.

First, let’s briefly look at some of the benefits of creating and maintaining a ROPA:

  • As stated, for most businesses, it’s the law.  It is also quite simply the best way to demonstrate what you are doing in line with the UK GDPR’s ‘accountability’ principle.  This principle essentially expects organisations to have evidence of their compliance with the UK GDPR.  The Information Commissioner’s Office (ICO) will almost certainly ask to see your ROPA in the event of an investigation.  The ICO can also ask to see an organisation’s ROPA at any time and the organisation must supply it to them ‘on request’.
  • The process of creating a ROPA will involve data discovery, and this often results in organisations realising they are collecting certain categories of personal data that serve no specific purpose – which is a breach of the ‘purpose limitation’ principle of the UK GDPR.
  • Organisations with ROPAs are better able to validate that data they are acquiring and storing has business value.  They can then remove the superfluous personal data from their systems.  This eliminates the need to secure unneeded data and focuses efforts on personal information holding business value.  This ensures that data being processed is only what is required for a specific purpose – this satisfies the ‘data minimisation’ principle of the UK GDPR which requires organisations to only process the personal data they need.
  • Complying with other aspects of data protection law (such as creating privacy notices and keeping personal data secure, enforcing retention schedules etc.) also becomes much easier. 
  • Creating a ROPA enables organisations to record what information they have, where they keep it and what they do with it, making it much easier to improve their information governance practices.
  • In creating the ROPA, you can identify cases of the same types of data being saved and updated in different locations at different times, which can make it impossible to identify which records are the most current, complete, and accurate. Once you identify these duplications and divergences, you can build a single source of truth that allows you to get more business value from your data.

Creating a ROPA

There is no one way of creating a ROPA. What we present below is a suggested procedure that with our support, our clients have found useful.

  • Appoint and train privacy champions – Admittedly, this may not apply to all organisations. If your organisation is sizeable and has several departments, then it is best to appoint and train privacy champions.  Their role will be to work with the organisation’s data protection lead in creating the ROPA.  A privacy champion does not have to be a member of senior management, but it is often best if it is someone who can later take some responsibility for data protection compliance within a department.  The data protection champion can be the head of a department, since they will know how the department works and where any personal data concerns may reside.    
  • Identify all processing activities – Let’s emphasise that you should only focus on those processes involving personal data.  The most effective way, depending on the size of the organization, is to base them on business departments, e.g., Finance, HR, Customer Services etc.  This exercise aims to gain a thorough understanding of all processing activities in the organisation.  The data protection lead, working in collaboration with the privacy champions, may need to talk to the various heads of departments to build a comprehensive and accurate picture of all processing activities. Depending on the variety of processing activities within each department, it may be necessary for the data protection lead and privacy champions to talk to individual process owners as well.  This allows for a systematic and thorough coverage.
  • Answer the key questions – In creating a ROPA, an organisation must, at a minimum, aim to answer the following key questions about personal data it processes:
    1. What categories of personal data are we processing?
    2. Who does the data relate to e.g., customers, employees and suppliers? Also, who are the process owners responsible for the data?  In addition, which organisations are we sharing data with and are any located outside the UK or EEA?
    3. Why is the personal data being processed? What is the purpose of processing and what are the lawful grounds?
    4. Where is the data held?
    5. When will the data be deleted from our system i.e., what are the retention periods?
    6. How is the data protected e.g., what are the security measures, IT systems, appropriate safeguards for transfers abroad etc?
  • Record the information – The information must be recorded and kept in an easily accessible format.  URM recommends keeping the ROPA in an electronic format.  The ICO has a useful template that organisations can adapt to suit their specific circumstances.
  • Keep it up to date – The ROPA is a snapshot of the current state of your processing activities.  Since organisations are always changing, the ROPA can only continue to deliver value if it is kept up to date.  A quarterly review and update is always helpful. Internal and external triggers for a review include new requirements from data privacy regulations, new IT applications, new processing activities planned, changes in data processors and/or their contact information, changes arising from mergers or acquisitions, changes in department responsibilities or clarifications of existing data privacy laws.  Process owners and privacy champions must, therefore, ensure that data protection is made a standing item on all team meeting agendas, so that when any of these trigger events occurs, the need for the ROPA to be amended or updated is communicated to the organisation’s data protection lead.