The Data Protection Commission (DPC) conducted a Record of Processing Activities (RoPA) sweep in early 2022 in which it engaged with 30 organisations across the public and private sectors to identify common problems with how RoPAs are maintained, and it has now published guidance based on its findings.
But first, what is a Record of Processing Activities, and who needs to keep one?
Under Article 30 GDPR, a controller must keep a record of the processing activities it carries out on personal data and document certain aspects of that processing, for example the categories of data and data subjects, the purposes, who the data is shared with, how long it is retained, and the security measures in place. Processors must keep an equivalent record of the processing they carry out on behalf of controllers.
In our experience, many organisations are not aware of their obligation to maintain a RoPA, so this guidance is very welcome. The following are our main takeaways from the guidance:
1. There are exemptions to the exemptions
There is an exemption whereby an organisation that employs fewer than 250 people is not obliged to keep the record, and many organisations rely on it. However, the exemption does not apply to the following types of processing:
- Processing that is likely to result in a risk (and not just a high risk) to the rights and freedoms of data subjects. By way of example, this would include the processing of mortgage applications, the use of artificial intelligence, and the tracking of an individual's location.
- Processing that is not occasional, such as HR or payroll processing for employees.
- Processing that includes special categories of data or personal data relating to criminal convictions and offences. This would include Garda vetting, trade union membership, or biometric data processing.
What is interesting is that the DPC has clarified in its guidance that, where an organisation under 250 employees loses the exemption, the RoPA is required only for these particular types of processing and not for all of the processing the organisation carries out, which will save time and resources.
2. Buy-in is king
Buy-in is required across the entire organisation in order to fulfil the requirements of a RoPA; it is not a task that should sit solely with one person, as processing activities are then likely to be missed. Education is key to ensuring that all stakeholders understand what the requirements are, and each business function should set out who is responsible for collating and maintaining its information for the RoPA. In practice this is achieved by carrying out a data mapping exercise.
3. Don’t let it collect dust
A RoPA is a live document that must be continuously updated. It should be covered in employee training so that new products, services or processing activities are added to the record as they are rolled out.
4. Summaries don't cut it
Be detailed with your RoPA. Describing a category of data merely as "personal data" or "responses to questions" is not sufficient. Likewise, writing "technical and organisational measures" in the security section is not enough; the record must state the specific security measures actually in place.
5. Don’t over complicate things
Don't overuse hyperlinks to other documents. A RoPA should be a one-stop shop for this information, and linking out to retention schedules or other documents instead of recording the information in the RoPA itself just makes it confusing.
6. A visual is available for all of us spatial learners
The guidance issued by the DPC also gives excellent illustrative examples of what a good RoPA looks like and of what organisations should avoid.
7. As always, another round of reviews could take place – be vigilant
Organisations should note that the DPC may carry out similar compliance sweeps in the future. The DPC may also request the RoPA from a controller as part of other regulatory activities, including but not limited to breach notification management, complaint handling, inquiries and investigations.
Conclusion
Overall this is a very welcome document, particularly the common-sense element of the dos and don'ts. The DPC's guidance, "Records of Processing Activities (RoPA) under Article 30 GDPR" (available as a PDF on dataprotection.ie), is written in easy-to-understand language and is not too lengthy, so it is worth a read for any budding DPO. The illustration is also a welcome guide, particularly for smaller organisations that can't afford to splash out on technology.