Records of Processing Activities (ROPA)
One of the GDPR's requirements is to create and maintain a Record of Processing Activities (ROPA), which includes the purposes of processing personal data, the parties to whom you are disclosing the data, how long you will retain the data, and other details (see Article 30).
What is a Processing Activity?
Processing activities provide the business context as to why personal data is being processed. A processing activity inventory (ROPA) is a record of a business activity that involves the collection, storage, processing, and potential disclosure, sharing, or selling of personal information.
Why does a School or Unit need a Records of Processing Activities (ROPA)?
UCD is legally required under GDPR to have a ROPA, as it is a key data protection tool.
Individuals have a right to privacy, and organisations have a duty of care for the personal data of their employees, students etc. But to protect data, UCD, via the School or Unit, needs to know that it holds the data to begin with, and what it does with it.
This is where a record of processing activities can help. It captures the data inventory, data flows, external data processors, legal bases for processing, data access, data security measures and data retention periods. Where appropriate, it also links to relevant Data Protection Impact Assessments (DPIAs), and legally required data processing contracts.
The ROPA acts as the key go-to document. It is a live document, which needs to be updated as the School or Unit’s data use and data protection needs change.
What level of detail should a ROPA have?
There is no prescribed level of detail for a ROPA. However, to make the management and recording of processing activities realistic, these processing activity examples will give some idea of how to approach the development of a ROPA. The UCD portfolio of processing activities is not necessarily restricted to the examples provided, but they are likely to capture a substantial range of UCD processing activities.
Can a record of processing activities be useful for anything else?
Yes, a record of processing activities is useful for a range of things: drawing up privacy notices; keeping an eye on how data flows through the organisation; tracking how long personal data should be kept and why; understanding where the data is located and whether the safeguards that are put in place are appropriate for the risks associated with the data; and, importantly, helping to inform breach responses if a personal data breach happens.
Please contact the Office of the DPO for further information on Records of Processing Activities and how to draft a ROPA.