Who Needs a ROPA and Why?
Under the UK General Data Protection Regulation (GDPR), the majority of organisations processing personal data are required to create and maintain a formal record of processing activities (ROPA). It is widely regarded as the core data protection compliance document. In this, the first of two blogs on ROPAs, we are going to address two fundamental questions:
- Which organisations need a ROPA
- Why is it necessary to create and maintain a ROPA?
Who needs a ROPA?
First, the easy bit. In the UK, if your organisation has more than 250 employees, you are required to create and maintain a ROPA, no questions. But, what about organisations with less than 250 employees? Here it is less black and white, however, organisations will still need to have a ROPA unless they can demonstrate one of the following:
- The organisation only conducts data processing occasionally
An ‘occasional’ activity is interpreted as one that is not conducted regularly, e.g., informing clients of a one-off event. However, if your organisation is involved in regular data processing, such as client management or payroll management, this exemption would not apply and you will need to complete a ROPA
- Processing is unlikely to pose a risk to the rights and freedom of data subjects
In order to take advantage of this exemption, you will need to conduct a risk assessment taking into account the scope and context of data processing. Again, however, it is difficult to envisage many situations where processing of personal data does not pose some degree of risk
- No special categories of data are processed
Personal data which falls under the special category banner includes health and criminal records. So, for example, if your organisation manages its own employees’ health records this exemption would not apply and you will need to complete a ROPA.
Putting aside the legal requirements for one moment, it can be argued that having a ROPA in place simply represents good business practice for any organisation that processes personal data. Such a record, in our opinion, represents the cornerstone of any privacy compliance framework. It also plays a vital role in identifying risks associated with processing personal data and can be used to identify where data protection impact assessments (DPIAs) are required. Let’s now look at some of the benefits of creating and maintaining a ROPA.
Why have a ROPA?
- One of the key principles introduced by the UK GDPR is that of ‘accountability’, where data controllers are not only held responsible for ensuring that all privacy principles are adhered to, but also need to be able to demonstrate this. Presenting your ROPA is a key tool in establishing your accountability for any request or investigation by the Information Commissioner’s Office (ICO).
- ROPAs are also pivotal in assisting organisations comply with another key GDPR principle, that of data minimisation, where data controllers are required to only process the personal data they need. In the process of producing a ROPA, you will identify and can remove any superfluous personal data from your systems. This eliminates the need to secure non-essential data and focuses efforts on retaining and securing necessary personal information.
- Complying with other aspects of data protection law (such as creating privacy notices, keeping personal data secure, enforcing retention schedules etc.) also becomes much easier if there is a ROPA in place.
- Creating a ROPA enables you to record what information you have, where it’s kept and what you do with it, making it much easier to improve your information governance practices.
- In creating your ROPA, you can identify any cases of duplications or divergences of data which enable you to build a single source of truth with records that are the most current, complete and accurate.
- As mentioned, the ICO can ask to see your ROPA at any time. Breaching the obligation to have a ROPA can, depending on the gravity of the infringement, incur a fine of up to £8.7m or 2% of an organisation’s annual worldwide turnover.
URM has been involved in assisting a wide range of organisations develop and maintain their ROPA. In our follow-up blog, we will be providing some valuable tips on the procedure to follow in establishing your ROPA.