Who Needs a ROPA and Why?

8 Jun

Under the UK General Data Protection Regulation (UK GDPR), the majority of organisations processing personal data are required to create and maintain a formal record of processing activities (ROPA).  It is widely regarded as the core data protection compliance document. In this blog, we are going to address two fundamental questions:

  • Which organisations need to develop a ROPA?
  • Why is it necessary to create and maintain a ROPA?

Who needs a ROPA?

First, the easy bit. In the UK, if your organisation has more than 250 employees, you are required to create and maintain a ROPA, no questions. But what about organisations with fewer than 250 employees? Here it is less black and white: such organisations do not need a ROPA, provided all of the following factors also apply. If any one of them does not, the small organisation exemption is lost and a ROPA is required, just as for larger organisations. So, the three factors are:

  • The organisation only conducts data processing occasionally.
    An ‘occasional’ activity is interpreted as one that is not conducted regularly, e.g., informing clients of a one-off event.  However, if your organisation is involved in regular data processing, such as client management or payroll management, the exemption would not apply and you will need to complete a ROPA.
  • Processing is unlikely to pose a risk to the rights and freedom of data subjects.
    In order to demonstrate your organisation qualifies for this part of the exemption, you will need to conduct a risk assessment taking into account the scope and context of data processing.  Again, however, it is difficult to envisage many situations where processing of personal data does not pose some degree of risk.
  • No special categories of data are processed.
    Personal data which falls under the special category banner includes health and criminal records.  So, for example, if your organisation manages its own employees’ health records, this requirement of the exemption would not apply, and you will need to complete a ROPA.

Putting aside the legal requirements for one moment, it can be argued that having a ROPA in place simply represents good business practice for any organisation that processes personal data.  Such a record, in our opinion, represents the cornerstone of any privacy compliance framework.  It also plays a vital role in identifying risks associated with processing personal data and can be used to identify where data protection impact assessments (DPIAs) are required.  Let’s now look at some of the benefits of creating and maintaining a ROPA.

Why have a ROPA?

  • One of the key principles introduced by the UK GDPR is that of ‘accountability’, where data controllers are not only held responsible for ensuring that all privacy principles are adhered to, but also need to be able to demonstrate it.  Presenting your ROPA is a key tool in establishing your accountability for any request or investigation by the Information Commissioner’s Office (ICO).  In fact, if you get a visit from the ICO, your ROPA is likely to be the first compliance document the regulator will ask to see.
  • ROPAs are also pivotal in assisting organisations to comply with another key GDPR principle, that of data minimisation, where data controllers are required to only process the personal data they need.  In the process of producing a ROPA, you will identify and can remove any superfluous personal data from your systems.  This eliminates the need to secure non-essential data and focuses efforts on retaining and securing necessary personal information.
  • Complying with other aspects of data protection law (such as creating privacy notices, keeping personal data secure, enforcing retention schedules etc.) also becomes much easier if there is a ROPA in place.
  • Creating a ROPA enables you to record what information you have, where it’s kept and what you do with it, making it much easier to improve your information governance practices.
  • In creating your ROPA, you can identify any duplicated or divergent data, which enables you to build a single source of truth with records that are the most current, complete and accurate.
  • As mentioned, the ICO can ask to see your ROPA at any time.  Breaching the obligation to have a ROPA can, depending on the gravity of the infringement, incur a fine of up to £8.7m or 2% of an organisation’s annual worldwide turnover.

How URM can Help

If your organisation would benefit from help implementing these tips in order to achieve and maintain GDPR compliance, URM can leverage its extensive experience helping organisations comply with DP legislation to assist you in your compliance efforts.  The GDPR consultancy services we offer range across every aspect of compliance, from conducting gap analysis, providing remediation support, through to helping you produce a ROPA. We can also advise and support you in conducting a DPIA, as well as offering a virtual DPO service, which provides you with access to a team of practicing GDPR consultants.

If a data subject makes a data subject access request (DSAR) of your organisation, URM can help you process this request without any risk of noncompliance by providing a GDPR DSAR redaction service.  If you would like to learn more about these requests and how to process one yourself, we also offer a 1-day DSAR training course, led by a qualified and practicing GDPR consultant.  To learn more about other aspects of the Regulation and gain further, practical skills necessary for GDPR compliance, you can attend our half-day training courses on conducting DPIAs and data transfer impact assessments (DTIAs).

Does your organisation fully comply with the General Data Protection Regulation (GDPR)?

If uncertain, URM is able to conduct a high-level GDPR gap analysis which will help you understand your current level of compliance and identify gaps and vulnerabilities.