RoPA: Why does everything start with a data flow map under GDPR?

Imagine that you are conducting an inventory (or an inventory and audit) of a company's assets: you can count customers and active projects, record which employees have physical access to the premises, identify who has access to cloud storage or internal CRM systems, or list the laptops and software you have issued to employees. In other words, there are many ways to bring order to operational matters. From a data management perspective, you will need to identify all processes, structure your data, and periodically add new cases to your register. This can be the start of your personal data audit history, which will most likely take the form of a RoPA.

RoPA (Record of Processing Activities) is a key element of working with personal data. The record is required by both the EU GDPR and the UK GDPR. The RoPA is a reporting document for regulatory authorities, and any significant changes in business processes must be reflected in it on a regular basis. In this article, we will look at who needs a RoPA, how to create one, and how to streamline the process of filling it out.

Which companies need to maintain RoPA?

The GDPR requires all companies to keep records where:

  • they have more than 250 employees; or
  • processing may result in a risk to the rights and freedoms of data subjects; or
  • processing is not occasional (i.e., it is not merely incidental); or
  • sensitive personal data is processed.

In practice, meeting any one of these grounds is enough to trigger the obligation. This means that organizations with fewer than 250 employees are often still required to maintain a RoPA. In such situations, each non-occasional type of processing, any large-scale processing, and any potential risk to the rights of data subjects is assessed in light of the specifics of the organization, its field of activity, and the local laws of EU member states, which may set stricter requirements for the definition of sensitive data or for the maintenance of a RoPA.

What does a data flow map consist of?

According to Article 30 of the GDPR, the RoPA must contain at least the following information:

  • the name and contact details of the organization, as well as the contact details of the organization’s representative and DPO, if available;
  • the purposes of the processing;
  • a description of the categories of personal data of individuals processed by the organization;
  • categories of recipients of personal data, i.e., a list of internal departments or employees or external contractors who will have access to the data;
  • details of data transfers to third countries, including existing safeguards;
  • the planned time limits (schedules or timetables) for deleting each category of data.

The British regulator, the ICO, has published a list of best practices for completing the RoPA. Although the UK is no longer part of the EU, the UK GDPR is very similar in content to the EU regulation, and the ICO produces very useful visual and textual guides to interpreting the law. The ICO recommends stating the following information directly in the RoPA or adding hyperlinks to it:

  • a processing notice stating the grounds for processing and the sources of data collection;
  • confirmation of consent by the data subject;
  • processing of special categories of data;
  • data storage locations;
  • data deletion and destruction policies;
  • data protection impact assessment (DPIA) reports.

RoPA life cycle

The process of creating a RoPA is step-by-step, and the more complex the company’s structure, the more time the preparatory processes, i.e., auditing all data flows, may take.

  1. Identify what data the company processes. Remember that processing means any action involving data, including collection, disclosure by transmission, copying, storage, backup, and encryption.
  2. Next, you need to map the processes: determine where, in what volume, and in what way data is transferred between employees or teams.
  3. Later, and sometimes in parallel, you can work on the environment itself and group data by category.
  4. Finally, you need to update the data from time to time, especially if the company changes or introduces new processes, renegotiates contracts with suppliers or contractors, or significantly changes its organizational structure.

The 80/20 principle (a small amount of effort now yielding large results later) does not always hold, but for the RoPA it can be restated like this: thorough data preparation and structuring at the beginning is 80% of the work on the RoPA. The remaining 20% is simply supplementing the data and optimizing the map.

Who checks RoPA?

If your company has appointed a DPO (Data Protection Officer), they are responsible internally, i.e. within the company, for the consistency and integrity of the RoPA. Externally, the DPO acts as the contact person between the regulatory authority and your organization, and the regulatory authority may in turn inspect the RoPA and impose fines for non-compliance with the record-keeping requirements.

Read more about the responsibilities of the DPO and the DPO’s relationship with companies in our article.

Q&A about RoPA

  • Is there a specific mandatory form for a data flow chart?

    ○ No. The form is up to you. You can choose a dedicated service, an adapted CRM system, a template offered by the regulator or your DPO, or even keep the records in Microsoft or Google office tools. What matters is that the document contains all the required information. The ICO offers templates for controllers and processors, and the French regulator CNIL also offers a template.

  • Where is the best place to store the RoPA?

    ○ We would recommend using cloud services, but the GDPR does not rule out conventional electronic media.

  • Which company employees may have access to the map?

    ○ It is important that the persons responsible for completing the RoPA have access to it. Company management should understand the processes involved in data processing, but access should be limited to those who work directly with the map.

  • How can the effectiveness of the RoPA be determined?

    ○ First of all, the RoPA should reflect current processes and be kept systematically. For example, the Irish regulator recommends dividing the record by business function within the organization, such as HR, finance, or marketing; recording information sequentially along the life cycle of each process; and adding more contextual information, even where it is not explicitly required.

  • How often should the RoPA be updated?

    ○ There is no universal rule; it depends on how dynamic your business processes are. For example, changes in data collection (processing) methods, the launch of a new product or service, the introduction of new technological solutions that allow the company to collect more data or use AI, or entry into new markets are clear triggers for updating the RoPA.

Having a RoPA is not a panacea; rather, it is a starting point for GDPR compliance. Describing your processes helps company management bring vulnerabilities to light and then prioritize not only privacy measures but other operational processes as well. This allows you to manage risks far more effectively and to face regulatory audits without fear.
