November 8, 2023
A data controller (or processor) under the EU’s General Data Protection Regulation (“GDPR”) has many obligations it must adhere to in order to best protect the personal data being processed. One such obligation is creating and maintaining a Record of Processing Activities (“RoPA”). This is a basic yet effective tool for exerting control over the processing of personal data that not only allows for easier audit and governance from the data protection authorities but also allows the business to more effectively manage its data processing activities. The RoPA is in essence similar to a system log for data processing which data controllers are obligated to maintain under Vietnam’s Personal Data Protection Decree – Decree 13/2023/ND-CP. This article aims to provide a quick overview of the RoPA under GDPR.
As the name implies, a RoPA is a record of personal data processing activities that an entity under GDPR must maintain for all processing activities under its responsibility. The RoPa must be made in writing, including electronic form.[1]
Each controller (or processor) and, where applicable, the controller’s representative (or the processor’s representative) shall maintain a record of processing activities under its responsibility.
For data controllers, GDPR requires the following information to be included in the RoPA[2]:
For data processors, GDPR requires the following information to be included in the RoPA[3]:
Yes, Article 30(5) provides certain circumstances where the obligations regarding RoPA as set out in Article 30 are not compulsory. Enterprises or organizations employing less than 250 persons shall be exempt from adhering to RoPA obligations, however, this exemption will not apply to the following processing activities:
As such, if any of the above-mentioned processing activities take place, the obligation to maintain a RoPA would be applicable. However, the RoPA would only be compulsory in respect of processing activities that are not exempted.
Example 1: Company A has 150 employees. Company A processes personal data for payroll administration for its employees and it also occasionally processes personal data of the employees to organize road trips. In this case, even though Company A has less than 250 employees, it must still maintain a RoPA for its payroll administration activity since this is a frequent processing activity. However, Company A may choose to not maintain a RoPA for road trip organization since this processing is only occasional and thus is exempt from RoPA obligations. |
First and foremost, a RoPA is a tool for compliance with GDPR. Article 30(4) states that the controller or the processor and, where applicable, the controller’s or the processor’s representative, shall make the record available to the supervisory authority on request. Failure to comply with the request from the supervisory authority could result in a violation of GDPR and a hefty fine.
Beyond compliance with GDPR, maintaining a RoPA could help your organization manage personal data more easily and optimize its operations in relation to personal data. With a properly maintained RoPA, your organization could conduct self-audits to ensure the organization is complying with data regulations and is operating smoothly.
There are also many other benefits to maintaining a RoPA. Your organization will be able to detect and delete unnecessary data to avoid legal risks by regularly reviewing the RoPA and identifying redundant data. The organization would also be able to fulfill data subjects’ requests much easier since the RoPA allows for better visualization and the classification of the data within the system. A RoPA would also allow bodies and individuals within the organization to more effectively cooperate and share data with each other in an orderly fashion.
In all, RoPA is much more than a simple compliance requirement. It is also a tool that all organizations processing personal data should employ in order to effectively manage personal data. A well-maintained, updated RoPA would be a great asset to the organization and a much-needed tool to optimize data management, especially in this day and age where data is becoming more and more valuable.
Data Mapping is a method of tracking data within an organization by keeping records of what data is being processed, where the data is being processed, and for what purpose. Data Mapping involves tracking, recording, and integrating various elements such as data migration, data warehousing, data transformation, etc. In essence, it is a centralized record that provides an overview of the flow and life cycle of the data. Even though data mapping is not mandatory under GDPR, it is a very good method for conducting data management and audit since it gives a clear and concise look at the processing of the data from beginning to end. This will help with both legal compliance and internal operations such as handling data subjects’ requests, identifying security risks, tracking data location, etc.
Putting Data Mapping and Ropa side-by-side, we can observe that RoPA is a rudimentary form and a sub-set of Data Mapping. While RoPa provides the essential information regarding data processing, Data Mapping links such information together to create a map of data flows and data lifecycle. In other words, RoPA is a part of Data Mapping. Data Mapping is not required under GDPR, however, maintaining a data map would be greatly beneficial to the organization and a well-maintained data map could help organizations to create a RoPA must faster with better efficiency and accuracy. Considering that a RoPA is already an obligation under GDPR, organizations should consider mapping their data as well for a comprehensive and efficient privacy program.
PrivacyCompliance provides solutions related to ensuring compliance with personal data regulations, assessing the impacts of personal data processing, drafting impact assessment dossiers, and cross-border data transfer dossiers.
PrivacyCompliance
#RoPA #DataMapping #GDPR #Obligations #Article30
[1] GDPR, Art 30.
[2] GDPR, Art 30(1).
[3] GDPR, Art 30(2).
Vietnam AI Handbook – Second Edition In January 2024, PrivacyCompliance published the first version of the AI Handbook which was received warmly by the AI community and the general public. Since then, there have been many developments in the AI scene around the world such as new AI applications, and new regulations, with the most […]
Learn more
Layered Notice – A Robust Demonstration Of Transparency One of the fundamental principles for Personal Data Controllers is the unwavering commitment to transparency vis-à-vis data subjects. In their pursuit to address this requirement, Controllers have opted to issue lengthy Privacy Notices, aiming for comprehensive disclosure to relevant data subjects. However, the question arises: Does this […]
Learn more
The First AI Handbook in Vietnam Dear Colleagues, Partners, and Friends, Mindful of the significant advancements in artificial intelligence (AI) in recent times, Privacy Compliance has undertaken a project aimed at updating our clientele, partners, and the general public on the prevailing state of AI globally and, more specifically, in Vietnam. With great pride, we […]
Learn more