Record of Processing Activities: Pros and Cons

Should it be mandatory for organisations to maintain a Record of Processing Activities (RoPA)?

One of the areas attracting interest under the UK Government’s proposals to reform UK data laws is a relaxation of the requirements for record keeping.

Under the UK GDPR, organisations are required to document their data processing activities. For businesses of 250 employees or more these records should meet a number of specified requirements.  Smaller organisations which carry out special category or ‘high risk’ processing are required to document these activities.

That’s regardless of whether you’re acting as controller or processor.

The Government is proposing to remove mandatory record keeping requirements.

Yes, you heard that right… the idea is to replace these with a more flexible requirement to maintain records as part of a Privacy Management Programme (PMP). So in effect, records will still be needed, but there may be more flexibility about how you go about it.

Organisations would be able decide on the right level of detail they need in their own records, taking into account the volume and sensitivity of the personal information they handle.

Therefore, organisations handling simple or fairly routine processing activities could, in theory, keep simpler, less onerous, records of those activities.

Sound like a welcome easing of ’box ticking’?

Why is record keeping important?

Record keeping is often regarded amongst privacy professionals as one of the most fundamental and necessary requirements of the GDPR.

It requires organisations to map and record the personal data they hold across the organisation, including what personal data assets are used, where it is stored, what it’s used for, who it’s shared with and what measures & controls are in place to protect it.

The problem many organisations face is that creating and maintaining these records (in line with GDPR Article 30 requirements) can be onerous and time consuming.

As data is typically used by many different business functions, the process requires the support of stakeholders across all the business functions that process data.

But once in place, your Record of Processing Activities (or RoPA) can really give you a solid advantage to help you meet some of the most important data protection standards.

Six benefits of robust record keeping

1. Transparency – Getting to grips with your processing activities enables you to create a clear and accurate privacy notice(s). With good records in place, you can be confident you’ve identified all the types of processing which need to be covered in your privacy notices.

2. Individual rights – When you receive a Subject Access Request, your records can really help to locate and access the specific data required to fulfil the request.

3. Risk awareness and management – Knowing and recording your processing activities allows you to properly understand the full breadth and sensitivity of your processing. That’s vital to identify where your privacy and security risks lie, so you can establish your priorities.

4. Fair and lawful processing – Confirming and recording which lawful basis (or bases) you’re using for each processing task enables you to make sure you’re meeting the relevant conditions.

5. Keep track of your data processors – Logging all your processors helps you keep on top of contractual requirements and international data transfers.

6. Data breach – Your records could be very useful if and when you suffer a data breach. They can help you to identify what personal data may have been exposed and how sensitive that data is, helping you quickly conduct a risk assessment and decide how best to act.

OK so there’s many positives, but what are the challenges organisations face trying to comply with the current rules?

Six downsides of the GDPR-based approach to record keeping

1. Complexity – The level of detail required makes the records time consuming to create.

2. Resources – Maintaining records which meet GDPR requirements requires resources and is an on-going challenge.

3. Ownership – The data protection team can’t do this on their own. You are likely to need to appoint people across different business function to take ownership of maintaining records within their function.

4. One size doesn’t fit all – Organisations all operate differently and are engaged in widely differing processing activities. Some smaller businesses may carry out highly-sensitive activities. Bigger organisations that fall under the mandatory requirement may not. The current ‘standard template’ approach lacks flexibility.

5. Cost – Due to the current level of complexity, some businesses have felt the need to invest in a privacy technology solution to help them create and manage their processing records. So for those businesses there’s a cost consideration.

6. Staying up to date – Left unmanaged your records quickly become outdated and useless.

In Summary…

More flexibility around record keeping would be a practical move, allowing for organisations to adopt a more tailored and proportionate approach.

However, there’s the risk removing mandatory requirements could lead to record keeping ‘falling off the radar’ and data protection teams could get less traction within the business.

We should not ignore the very valuable role which our records can play. If this proposal goes ahead, we should take care not to over-simplify our records too much.

Perhaps a mid-way solution could work – keeping mandatory requirements to maintain records, but removing the prescribed list of what should be in them?

I think the ROPA may well be an area whether there is a 50 / 50 split between those who see the benefit of keeping mandatory requirements and those that would appreciate more flexibility.