Who Needs a ROPA and Why?

Who needs a ROPA?

First, the easy bit.  In the UK, if your organisation has more than 250 employees, you are required to create and maintain a ROPA, no questions.  But, what about organisations with less than 250 employees?  Here it is less black and white: such organisations do not need  a ROPA, provided all of the following factors also apply.  If not, then the small organisation exemption is lost and a ROPA is required, just like larger organisations.  So, the 3 factors are:

• The organisation only conducts data processing occasionally.
  An ‘occasional’ activity is interpreted as one that is not conducted regularly, e.g., informing clients of a one-off event.  However, if your organisation is involved in regular data processing, such as client management or payroll management, the exemption would not apply and you will need to complete a ROPA.
• Processing is unlikely to pose a risk to the rights and freedom of data subjects.
  In order to demonstrate your organisation qualifies for this part of the exemption, you will need to conduct a risk assessment taking into account the scope and context of data processing.  Again, however, it is difficult to envisage many situations where processing of personal data does not pose some degree of risk.
• No special categories of data are processed.
  Personal data which falls under the special category banner includes health and criminal records.  So, for example, if your organisation manages its own employees’ health records, this requirement of the exemption would not apply, and you will need to complete a ROPA.

Putting aside the legal requirements for one moment, it can be argued that having a ROPA in place simply represents good business practice for any organisation that processes personal data.  Such a record, in our opinion, represents the cornerstone of any privacy compliance framework.  It also plays a vital role in identifying risks associated with processing personal data and can be used to identify where data protection impact assessments (DPIAs) are required.  Let’s now look at some of the benefits of creating and maintaining a ROPA.

‍

‍

Why have a ROPA?

• One of the key principles introduced by the UK GDPR is that of ‘accountability’, where data controllers are not only held responsible for ensuring that all privacy principles are adhered to, but also need to be able to demonstrate it.  Presenting your ROPA is a key tool in establishing your accountability for any request or investigation by the Information Commissioner’s Office (ICO).  In fact, if you get a visit from the ICO, your ROPA is likely to be the first compliance document the regulator will ask to see.
• ROPAs are also pivotal in assisting organisations to comply with another key GDPR principle, that of data minimisation, where data controllers are required to only process the personal data they need.  In the process of producing a ROPA, you will identify and can remove any superfluous personal data from your systems.  This eliminates the need to secure non-essential data and focuses efforts on retaining and securing necessary personal information.
• Complying with other aspects of data protection law (such as creating privacy notices, keeping personal data secure, enforcing retention schedules etc.) also becomes much easier if there is a ROPA in place.
• Creating a ROPA enables you to record what information you have, where it’s kept and what you do with it, making it much easier to improve your information governance practices.
• In creating your ROPA, you can identify any cases of duplications or divergences of data which enable you to build a single source of truth with records that are the most current, complete and accurate.
• As mentioned, the ICO can ask to see your ROPA at any time.  Breaching the obligation to have a ROPA can, depending on the gravity of the infringement, incur a fine of up to £8.7m or 2% of an organisation’s annual worldwide turnover.

‍