One of the measures imposed by Regulation (EU) 2016/679 of the European Parliament (General Data Protection Regulation – “the GDPR”) relates to the obligation for controllers and processors to keep a record of processing activities relating to personal data, known as the “Register of processing activities” (RoPA).
More specifically, pursuant to article 30 of the GDPR, data controllers shall keep a record of processing activities under their responsibility and data processors shall maintain records of all categories of processing activities carried out on behalf of a controller.
Contrary to popular belief, the concept of the record of processing activities is not new, as it was already addressed in Directive 95/46/EC. However, it was rendered compulsory for controllers and processors with the introduction of the GDPR.
For a better understanding of the legislative framework: the GDPR repealed the Data Protection Directive 95/46/EC, which was introduced in 1995 and had to be transposed into the national laws of each Member State. Member States applied different interpretations of the Directive. As a result, the national data protection laws transposing the Directive across the EU countries were fragmented and inconsistent.
In contrast, the GDPR, being a Regulation, is legally binding throughout every Member State and aims to harmonise and implement a consistent legal framework across all the EU countries, while at the same time leaving space for the application of national laws. In this regard, opening clauses in the GDPR allow Member States to go beyond the provisions of the Regulation and set their own rules in relation to specific matters and processes.
The purpose of maintaining a record of processing activities
The RoPA is a cornerstone for the GDPR implementation as it demonstrates compliance with the GDPR and the accountability principle.
The aim of the record of processing activities is to shed light on the data gathered through the processing activities taking place within an organisation and to convert it into information that enables the organisation to understand and prioritise the processing risks from a GDPR point of view.
The implementation of the RoPA requires organizations to have a “data centric” approach in reviewing their data processing activities, retaining relevant records, taking actions to address any gaps and implementing all the organizational and corrective measures to address any risks to the rights and freedoms of natural persons arising from the processing of their personal data.
It is worth pointing out that a violation of article 30 of the GDPR may lead to a fine of €10,000,000 or, in the case of undertakings, 2% of their total worldwide annual turnover, whichever is higher.
It is important to note that the recording obligation with regard to data processing activities under article 30 of the GDPR does not apply to organisations having fewer than 250 employees, unless the processing is non-occasional (such as salary management), is of a high-risk nature (such as video surveillance), or concerns sensitive data (such as criminal behaviour or health information).
However, under the accountability principle, even for organisations with fewer than 250 employees, it is good practice for data controllers and data processors to maintain the RoPA in order to demonstrate compliance with the GDPR.
The RoPA must be updated on a regular basis to reflect any new or changed data processing. By its nature it is an internal and progressive document which supports GDPR compliance and should be made available to the supervisory authority upon request.
New processing activities should involve communication with key stakeholders to gain an overview of the new processing of personal data, which should then be properly documented in the record of processing activities.
- The RoPA will provide an overview of personal data processed within the organisation, the roles involved, insights on the risks and mitigation measures to be implemented;
- Having this document in place and up to date enables the organisation to respond more efficiently and precisely to a data subject request to access or erase data;
- It demonstrates compliance with the GDPR and in particular with the accountability principle, including in the case of any inspection carried out by the relevant Authorities;
- It assists organisations in identifying whether personal data is actually needed for carrying out a specific process, for what purpose, on what legal ground and for how long the data must be retained;
- The RoPA helps organisations to redefine and align the organisation’s processes involving personal data, establishing clear roles and responsibilities, maintaining good data governance and increasing control over data processing activities.
- The upkeep of new data processing activities and existing processing activities requires the concerted effort of different departments within an organisation to identify current processing activities, retention periods, legal basis and current technical and organisational measures.
- Whilst art. 30 of the GDPR specifies the compulsory information which is to be included in the RoPA for each controller and for each processor, challenges arise when it comes to large organisations located in multiple countries with different jurisdictions. Putting together the records of processing activities requires extensive effort from the key business stakeholders and privacy professionals involved.
- Organisations must put in place appropriate resource allocation, adequate methods for data discovery, human resources, records management, and collaboration and integration with business processes.
- Identifying certain processing of personal data is time-consuming and might be overlooked by the departmental functions. For example, one might not realise that even the processing of data relating to a legal entity’s representative appearing on suppliers’ invoices is covered by the GDPR and must also be recorded in the RoPA.
How can RSM help?
We have a diverse and experienced team that can assist you with meeting your GDPR obligations.
We address your requirements holistically taking into consideration technology tools, knowledge and resources. Our experienced team can help you in any of the following:
- Drafting, reviewing and updating the register of processing activities (RoPA) helping in carrying out a data mapping and a data inventory exercise;
- Drafting or reviewing the relevant data protection documents, policies or notices tailored to the nature and size of your business;
- Carrying out a GDPR Gap assessment to assist with the identification of risks and gaps in operational controls;
- An independent GDPR audit;
- Outsourced DPO services and/or DPO support services;
- GDPR training.
Get in touch with Marion Borg Muscat (Lead Consultant, Advisory) today via email on [email protected] for more information.