Are your records of processing up to scratch?

December 2021

5 top tips how to help you keep your RoPA accurate and up to date

Most people don’t find documentation and record keeping a great deal of fun. But nevertheless maintaining effective records of your data processing (often known as ‘Records of Processing Activities’ or RoPA) is an important obligation under data protection law.

These records helps us to keep track of what personal data is held within the organisation and what it’s used for.

The record keeping requirements under GDPR apply to both controllers and processors. These requirements include keeping records covering:

  • the categories of personal data held
  • the purposes of processing
  • any data sharing
  • retention periods
  • the technical and organisational measures used to protect the data…and more…

Even smaller organisations with less than 250 employees still have certain record keeping responsibilities, which should not be overlooked. But they may benefit from a limited exemption. Smaller organisations only need to document their processing which is:

  • not occasional (therefore all the frequent processing must still be documented);
  • or could result in a risk to the rights and freedoms of individuals;
  • or involve the processing of special categories of personal data or criminal conviction / offence data.

The specific requirements for record keeping are detailed and it’s an area many businesses have found challenging, especially keeping records up to date.

Our 5-step guide to keeping your data records complete and up-to-date

1. Why? – The need for accurate records

Creating your records of processing and keeping them updated is important. If records are allowed to become outdated you can quickly lose track of the breadth and depth of your processing. Resulting in to uncertainty when you most need it.

After all, if you don’t know about certain processing or hold any record of it, how can you possibly help the business to protect that data?

For example, your RoPA should be the first place to look if you suffer a data breach, helping you to identify;

  • the categories of individual
  • the sensitivity of the data
  • what purposes it’s used for
  • names of the internal data owners
  • data processors involved
  • who the data was shared with
  • what safeguards should have been in place to protect it… and so on…

It can also be helpful to reference your RoPA when handling individual rights requests.

If requested you might need to make your records available to the ICO, so you’d want to be sure they are in good shape. Allowing them to get out of date makes the job of getting them back into order all the more difficult.

2. Who? – Compile an up-to-date list of internal data owners

Firstly, it’s helpful to enlist the support of your Board, as you’ll need help from all business function heads and data ‘owners’ to tell you about their changes to processing and notify you of new data service providers . So you can to keep the RoPA refreshed over time.

Make sure you have a complete list of who is accountable for personal data processing within all your key business functions – the data owners. For example, Human Resources (employment & recruitment data), Sales & Marketing (customer / client data), Procurement (supplier data), Finance, and so on. Each accountable owner for these functions needs to understand their role in record keeping.

No DPO or data protection team can create and maintain the records their own – they need the support of others.

3. What? – Make sure you’re capturing all the right information

Check you’re capturing all the RoPA requirements. These are slightly different if you act as a controller or processor – or indeed both. If you need to check take look at the ICO’s guidance on documentation.

4. How? – Regular engagement with your stakeholders

Building a healthy two-way dialogue with data owners (and other stakeholders) is essential, not only for record keeping but many other data protection tasks. They will be best placed to tell you what data they hold, what it’s used for and what measures they use to protect it.

5. When? – New processing

There’s always some new system, processing activity or change of suppliers, isn’t there? You should aim to update your records whenever you identify new processing or changes to existing processing – including identifying when you need carry out a DPIA or LIA. Good stakeholder relations can really help with this.

I hope this short guide helps you to keep your own records up to scratch. I do find sharing the message about how helpful the RoPA can be if you suffer a data breach, or receive a data subject access request, can motivate others to support you with this important task. Good luck!

After a successful career in publishing Simon moved into data protection consultancy in 2015. Simon advises businesses of all sizes across a wide range of sectors. He held the role of Director of Information Governance at Royal Mail Group in the run up to GDPR enforcement. He regularly delivers data protection courses for clients and the Institute of Data & Marketing (IDM).

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.