In response to rising demand, The DPO Centre, the UK’s data protection officer resource centre, has produced a white paper outlining best practice for building a Record of Processing Activities (RoPA) document.
The paper provides clarity on the requirements and step-by-step guidance for organisations looking to document their processing activities.
This quarter’s UK Data Protection Index, a quarterly online survey sponsored by The DPO Centre, asks its panel of over 400 UK Data Protection Officers to indicate their biggest data protection challenges. Consistently in the top three of these concerns is accountability.
Since coming into force in 2018, the GDPR has required organisations to be accountable for the personal data they process. To achieve this, there has to be a robust compliance framework in place. The responsibility lies with the Data Controller (i.e. the organisation responsible for deciding the means and purpose of processing) to ensure adequate records are kept to demonstrate compliance with the accountability requirements of the legislation.
Whilst the GDPR mandates that only organisations with more than 250 employees are required by law to create a RoPA, all companies wanting to better understand their data processing landscape are encouraged to construct one. The DPO Centre’s new white paper, which features helpful sample templates and outlines a step-by-step approach to implementing a RoPA, starts with the question: why do you need (or want) a RoPA? It helps establish the resources required and the level of input needed by management, and outlines the content to potentially include.
When asked why constructing a RoPA is so important, Rob Masson, CEO of The DPO Centre, answered: “Being able to demonstrate compliance requires organisations to be more transparent than ever before about their processing of personal data. Building your Records of Processing Activities is therefore a key element in enabling you to meet this requirement.”
He added, “Creating a document detailing the basis upon which your organisation passes personal information between departments, group companies and 3rd parties is a crucial aspect of building trust with those who wish to engage with your organisation. Building a RoPA will take time and will need to involve each of your department heads and information asset owners, but the reward is a much better understanding of your processing and any associated risks.”