1. How do you compile the ROPA?
Initially we will ask the organisation (dependent on size) to nominate a data champion in each business area who understands all of the processing in their department. This is normally the manager of the department, but not always.
We hold a 2-hour training session with the data champions to ensure they understand the basics of the ROPA (as this is a living document) and to ensure they understand the basics of GDPR.
Our business analyst will then sit down with each data champion and ask specific questions. This will help us to understand the business processes involving personal data in each business area and how the data flows.
Our business analyst will complete a full ROPA for all of the organisation’s business processing, as per Article 30 of the GDPR.
2. What does the ROPA contain?
- The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative, and the data protection officer
- Purposes of the processing
- Lawful basis for processing
- A description of the categories of data subjects, and of the categories of personal data
- The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations
- If applicable, transfers of personal data to a third country or an international organisation, including the identification of that country or international organisation
- Where possible, the envisaged time limits for erasure of the different categories of data
- Where possible, a general description of the technical and organisational security measures
- The level of risk to the organisation for each specific business process
- Whether a Data Protection Impact Assessment is required
- Whether a Legitimate Interest Assessment is required to be completed
3. Will you highlight where work is required?
We will complete the risk plan and report, detailing where the organisation may be exposed. This will highlight any action plans that may need to commence to reduce the risks. For example, highlighting where there is no Data Protection Impact Assessment in place, where there is no Legitimate Interest Assessment in place, or where security safeguards are not in place, and suggesting solutions.
4. Do we need a ROPA?
Documenting your processing of personal data is a new requirement under the GDPR. It is mainly about keeping internal records of your processing activities. It reflects the increased importance of accountability and your obligation to ensure (and demonstrate) that what you do with people’s personal data is in line with the GDPR. Article 30 sets out the different types of information you need to document, including the purposes of processing, categories of personal data and recipients of personal data.
5. What does the GDPR say about documentation?
The ICO advises that ‘The accountability principle requires you to demonstrate that your organisation processes personal data in line with the GDPR. To help you do this, you can implement several technical and organisational measures. One such measure is contained in Article 30, which says that an organisation shall:
‘…maintain a record of processing activities under its responsibility.’
There are several specified areas where records must be maintained, such as the purposes of processing personal data, data sharing and retention. This is what we mean by documentation.’
6. Why is it important?
The ICO advises that ‘Documenting your processing activities is important for several reasons. First, it is a legal requirement. Although you do not need to proactively provide these records to the ICO, you may have to make the information available on request, such as for an investigation. As a key element of the accountability principle, documenting your processing activities can also help you to ensure (and demonstrate) your compliance with other aspects of the GDPR. For instance, it can help you with the following things:
- Drafting your privacy notice – much of the information you have to document is very similar to what you need to tell people in your privacy notice.
- Responding to access requests – knowing what personal data is held and where it is will help you to efficiently handle requests from individuals for access to their information.
- Taking stock of your processing activities – this will make it much easier for you to address other matters under the GDPR, such as ensuring that the personal data you hold is relevant, up to date and secure.
However, it’s not just about legal compliance with the GDPR; documentation will also help you do the following:
- Improve data governance – highlighting and addressing data protection matters through documentation will support good practice in data governance. This can give you assurance as to data quality, completeness and provenance.
- Increase business efficiency – knowing what personal data you hold, why you hold it and for how long will help you to develop more effective and streamlined business processes.’
7. Why should we use DPAS and not do it ourselves?
DPAS has completed many information audits and created ROPAs for a wide variety of organisations including:
- Local Authorities
- Sports Clubs
Because we have experience within the above industries, we already know most of the business processes in which personal data is involved. We have many templates from a variety of industries, which means we can complete your ROPA quickly and efficiently, costing you less money.
8. How do you price your ROPA projects?
Unlike many consultancies, DPAS offers its customers a fixed cost for a project. That way, the organisation can budget for what is required. If it takes us longer, it doesn’t cost you any more.