How to keep your records of processing up to date
One of the more onerous obligations under GDPR was the requirement for many organisations to maintain a Record of Processing Activities (RoPA). I stress the word ‘maintain’, as this isn’t a one-off exercise.
Even smaller organisations still have certain record keeping responsibilities, which should not be overlooked.
The specific requirements for record keeping are detailed and it’s an area many businesses have found challenging, especially keeping records up to date.
Here’s my quick 5-step guide to keeping your RoPA fresh and complete.
1. Why? – The need for ongoing updates
Keeping your records updated is really important. It’s a good idea to enlist the support of your Board as you’ll need help from all business function heads to tell you about their changes to processing, notify you of new data service providers and to keep the RoPA refreshed over time.
Failure to do so can lead to a loss of understanding about the true breadth of your processing, resulting in to uncertainty when you most need to refer to your records. After all, if you don’t know about certain processing or hold any record of it, how can you possibly help the business to protect that data?
For example, your RoPA should be the first place to look if you suffer a data breach, helping you to identify;
- the categories of individual
- sensitivity of the data
- what it’s used for
- who the data owners are
- who it was shared with
- what safeguards should have been in place to protect it… and so on.
It can also be helpful to reference your RoPA when handling individual rights requests.
If requested you might need to make your records available to the ICO, so you’d want to know they are in good shape. Getting behind, letting them get out of date makes the job of getting them back into order all the more difficult.
2. Who? – Is your list of data owners / stakeholders up to date?
Make sure you have a complete list of who is accountable for each of the personal data assets in your organisation? For example, employee & recruitment data, customer data, supplier data, financial data, etc. They need to understand their role in record keeping.
No DPO, or data protection team can do this on their own, they need the support of others.
3. What? – Make sure you’re capturing all the right information
Check you’re capturing all the RoPA requirements, which are slightly different if you act as a controller or processor (or both). If you need to check take look at the ICO’s guidance on documentation.
4. How? – Regular engagement with your stakeholders
Building a good two-way dialogue with your data owners & other stakeholders is essential not only for record keeping but many other data protection tasks. They will be close to coalface in terms of what data they have, what it’s used for and what measures they use to protect it.
5. When? – New processing
Have you updated records for all the new processing and changes to processing you’re aware of? You should be updating them whenever you identify new processing or changes to processing, including when you carry out a DPIA or LIA. Good stakeholder relations can really help you with this.
I hope this helps you with ways to keep your own records up to speed. I do find sharing the message about how helpful the RoPA can be if you suffer a data breach can motivate others to support you in this important task. Good luck!
Simon Blanchard, July 2020
If you need some practical advice in creating, maintaining or reviewing your Record of Processing Activities GET IN TOUCH
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.