March 29, 2024

Do I Need a RoPA (Record of Processing Activities)?


GDPR regulations in the UK and the EU stipulate that organisations have a legal requirement to document their processing activities. This article covers the basics of a RoPA and why you must always make sure your organisation has one.

This article is brought to you by the Legal Nodes privacy team. Legal Nodes is a legal platform for tech companies operating globally. We help startups establish and maintain legal structures in 20+ countries, including assisting with their privacy compliance obligations across the globe.

Please note: none of this information should be considered as legal, tax, or investment advice. Whilst we’ve done our best to make sure this information is accurate at the time of publishing, laws and practices may change.

What is a RoPA?

Records of Processing Activities (RoPA) are documents that collect data on what information you hold in your business, where you hold it, and what you do with it. For example, a business that collects personal information needs have clear records about where they store that information, what they do with it, and what exactly they have (names, email addresses, information on sexual orientation or sexual identity are also personal pieces of data that need to be handled with care).

These records will also assist with creating governance procedures and complying with data protection laws (all personal data must be stored securely by the organisation that holds it).

Who checks if I have a RoPA?

In the UK, the Information Commissioner's Office (the ICO) may ask to view your organisation’s records of processing activities. The ICO is an independent body in the UK, whose purpose is to “protect information rights”. Essentially, this organisation works to ensure that individuals’ data is being handled correctly, collected and processed appropriately, and that data rights are actively being protected by the organisations that interact with individuals’ data. 

In the EU, laws pertaining to the records of processing activities are set out under Article 30 of EU GDPR. GDPR stands for General Data Protection Regulation.

The European Data Protection Board (EDPB) is the European independent body that protects the data rights of individuals in Europe. The EDPB is established via the EU GDPR laws, and is based in Brussels.

The ICO and EDPB don’t simply enter company buildings to look for a big book of records that says an organisation is processing data the right way. Instead there are a series of signs that they can look for to initially check if the organisation is taking active steps to protect individuals’ data. They can do this by simply looking for evidence of a privacy notice, which should detail the way the organisation plans to keep data secure.

They can also assess what kinds of data the organisation seemingly collects and consider that data collection against the nature and purpose of the organisation, asking questions like “is there a valid lawful basis for this organisation to be collecting data of this nature?”.  Questions like these should also be asked by each organisation; does an organisation selling cars need to know an individual’s details pertaining to their sexual health? Probably not. But the organisation may see it as important to collect data on sexual identity to ensure that they address their customers with the correct pronouns and titles. It is up to the organisation to justify their choices of which data they collect.

💡 Worth checking: how children’s data in AI apps can be processed compliantly

How can organisations make sure they have the correct RoPA in place?

First, you must start with some data mapping.

The ICO states clearly that:

“Your organisation has a formal, documented, comprehensive and accurate ROPA based on a data mapping exercise that is reviewed regularly.” 

In practice this means:

You run an information audit or data mapping exercise on your organisation

Your business or organisation carries out data mapping exercises which allow you to check across your entire organisation and see what personal data is held, where it is held, and how your organisation uses it. This data mapping is presented in an information audit and might show that you collect personal data via your website, which is then used by the marketing and sales team and also passed onto customer service teams. Your audit will help identify any vulnerabilities that your data may experience; for example, are there other departments that can access this personal information and who simply don’t need to? 

You actively make sure your data map stays up to date

This means assigning responsibilities to staff members to keep those records organised and who run checks to ensure that data is only accessible to those who need to see it and is also being stored in the required methods to meet RoPA requirements. The staff responsible for keeping the data map up to date should also proactively work to improve it should more or different types of data start to flow through the business.

You check in with staff to see if they understand RoPA requirements

Staff don’t need to know all of the organisation’s procedures and policies, but they must be aware of how they should handle data that passes through their hands. Start by consulting—asking—your staff about their data handling practices. Using surveys and questionnaires, you’ll soon understand who is handling what data, and whether or not healthy and safe data management practices are being utilised or adhered to. 

💡 Worth checking: explore global AI frameworks and learn about AI risk assessments for businesses

Key questions to ask when undertaking your data mapping exercises include:

  • Would staff know of and understand the procedures in place that help them to identify the different locations where personal data is held and used in their company?
  • Would an individual staff member be able to explain their duties and responsibilities pertaining to personal data policies?
  • Would the actions undertaken by staff reflect those recorded or prescribed in the record of processing activities?

Now that your data mapping for your organisation is established, we can move onto ensuring an effective RoPA is in place.

How to make sure your RoPA is effective

The ICO states

“Your organisation has a formal, documented, comprehensive and accurate ROPA based on a data mapping exercise that is reviewed regularly.”

Ensure your RoPA is in electronic format

Electronic data is much easier to manage and to store securely. Software can also come with security features that protect data from being intentionally or accidentally accessed by unauthorised staff.

Your RoPA is an active document

Your RoPA isn’t designed to be a file that is archived and only touched upon once a year. Instead, your organisation should have procedures in place that promote regular re-evaluation of RoPA documentation and also encourage reflection on the processing activities, policies, and procedures in the organisation. You should also have assigned individuals in your organisation with clear tasks and responsibilities, so that it is actively worked upon and reviewed, and not forgotten or deprioritized. 

Your RoPA reflects current practices

If previous RoPAs for your organisation only covered certain types of data and activities, and your organisation has since expanded and now processes more, different types of data, then your records must reflect that. Old, outdated RoPAs are not sufficient – your RoPA must always cover all data handling activities and processes no matter how seemingly obvious, insignificant, or small the data pool may be.

💡 Worth checking: The Ultimate Privacy Compliance Guide

Key questions to ask about your RoPA procedures:

  • Would staff describe your processes as effective? Would they be able to point out where data is stored and how it is processed? Would they be able to demonstrate how data is minimised, for example, through correct practices that prevent data from being duplicated and stored in multiple locations?
  • Would staff be able to outline their responsibilities both in concept and in practice? Would they be able to confidently demonstrate that the RoPA reflects their practice of data activities and processing?

📚 Learn more: what is a DPO (Data Protection Officer)?

What needs to go into a ROPA?

For UK organisations, the requirements are set out in Article 30 of the UK GDPR. For EU organisations, the requirements are set out in Article 30 of the EU GDPR and Recital 82. As the laws are very similar, the following list is applicable to both. Your RoPA must include:

  • The name of the organisation
  • The contact of the organisation
  • Additionally, the name and contact details of the controller’s representative, the DPO, and the joint controller may also be referenced
  • Details on the purposes of the processing
  • Descriptions of different categories of data, including the categories of individuals and of the different types of personal data that the organisation is collecting
  • An outline of the categories of recipients of this personal data
  • Information pertaining to the transfer of personal data to third countries. This information should include safeguarding procedures in place for the purpose of safe transfer of the data
  • Data retention schedules
  • Details of security measures in place - including technical security measures and organisational security measures

Your RoPA should also contain some kind of internal record of all the different processing activities that are carried out by anyone else acting on behalf of the organisation. The actions of these “processors” should always be recorded and the reasons for their handling of data should be legally valid.

📚 Read more: Learn the difference between a DPO and an AI Ethics Officer

Types of documents in RoPAs

The RoPA should contain documentation or clearly set out links to relevant documentation.

  • Privacy notices and—if not made clear in the privacy notice itself already—explanations as to the lawful basis for collection, processing and storing of personal data and, additionally, the source of the personal data
  • Contracts pertaining to controller-processor agreements
  • Policy documents on data retention and data erasure
  • Records of consent
  • Records of any personal data breaches of any kind 
  • Storage location of the personal data
  • DPIA and LIA reports
  • Details on procedures for processing special category data or criminal conviction and offence data (according to the Data Protection Act 2018 (DPA 2018) in the UK)

📚 Discover more: GDPR compliance guide for fintech companies

Prevent privacy breaches with the right privacy protection

At Legal Nodes, our specialists have worked with startups from all sectors, helping them to put in place the correct privacy procedures that ensure data protection measures are adhered to and individuals’ data is protected. Find out more about our GDPR packages and book a consultation with a privacy expert to assess the privacy needs of your organisation.

Explore popular resources