Under the UK General Data Protection Regulation (UK GDPR), the majority of organisations processing personal data are required to create and maintain a formal record of processing activities (ROPA). It is widely regarded as the core data protection compliance document. In this blog, we are going to address two fundamental questions:
- Which organisations need to develop a ROPA?
- Why is it necessary to create and maintain a ROPA?
Who needs a ROPA?
First, the easy bit. In the UK, if your organisation has more than 250 employees, you are required to create and maintain a ROPA, no questions. But, what about organisations with less than 250 employees? Here it is less black and white: such organisations do not need a ROPA, provided all of the following factors also apply. If not, then the small organisation exemption is lost and a ROPA is required, just like larger organisations. So, the 3 factors are:
- The organisation only conducts data processing occasionally.
An ‘occasional’ activity is interpreted as one that is not conducted regularly, e.g., informing clients of a one-off event. However, if your organisation is involved in regular data processing, such as client management or payroll management, the exemption would not apply and you will need to complete a ROPA.
- Processing is unlikely to pose a risk to the rights and freedom of data subjects.
In order to demonstrate your organisation qualifies for this part of the exemption, you will need to conduct a risk assessment taking into account the scope and context of data processing. Again, however, it is difficult to envisage many situations where processing of personal data does not pose some degree of risk.
- No special categories of data are processed.
Personal data which falls under the special category banner includes health and criminal records. So, for example, if your organisation manages its own employees’ health records, this requirement of the exemption would not apply, and you will need to complete a ROPA.
Putting aside the legal requirements for one moment, it can be argued that having a ROPA in place simply represents good business practice for any organisation that processes personal data. Such a record, in our opinion, represents the cornerstone of any privacy compliance framework. It also plays a vital role in identifying risks associated with processing personal data and can be used to identify where data protection impact assessments (DPIAs) are required. Let’s now look at some of the benefits of creating and maintaining a ROPA.
Why have a ROPA?
- One of the key principles introduced by the UK GDPR is that of ‘accountability’, where data controllers are not only held responsible for ensuring that all privacy principles are adhered to, but also need to be able to demonstrate it. Presenting your ROPA is a key tool in establishing your accountability for any request or investigation by the Information Commissioner’s Office (ICO). In fact, if you get a visit from the ICO, your ROPA is likely to be the first compliance document the regulator will ask to see.
- ROPAs are also pivotal in assisting organisations to comply with another key GDPR principle, that of data minimisation, where data controllers are required to only process the personal data they need. In the process of producing a ROPA, you will identify and can remove any superfluous personal data from your systems. This eliminates the need to secure non-essential data and focuses efforts on retaining and securing necessary personal information.
- Complying with other aspects of data protection law (such as creating privacy notices, keeping personal data secure, enforcing retention schedules etc.) also becomes much easier if there is a ROPA in place.
- Creating a ROPA enables you to record what information you have, where it’s kept and what you do with it, making it much easier to improve your information governance practices.
- In creating your ROPA, you can identify any cases of duplications or divergences of data which enable you to build a single source of truth with records that are the most current, complete and accurate.
- As mentioned, the ICO can ask to see your ROPA at any time. Breaching the obligation to have a ROPA can, depending on the gravity of the infringement, incur a fine of up to £8.7m or 2% of an organisation’s annual worldwide turnover.
If your organisation has more than 250 employees, you are required to create and maintain a ROPA, no questions.
By attending URM’s online BCS Foundation Certificate in Data Protection course, you will gain valuable insights into the key aspects of current DP legislation including rights of data subjects and data controller obligations.
If uncertain, URM is able to conduct a high-level GDPR gap analysis which will assist you understand your current levels of compliance and identify gaps and vulnerabilities.
URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs ROPAs, privacy notices, data retention schedules and training programmes etc.
In this blog, we will outline a step-by-step procedure on how you can create a ROPA.
The need for guidance on how organisations should best protect privacy and manage personal information has never been more pertinent.
There is some confusion about the difference between personal data and sensitive personal data and even whether sensitive personal data exists as a term!