What is the RoPA and how Data Discovery helps form it

by Nick Evans | May 20, 2022 | Articles

Do you know about the RoPA (Record of an Organisations Processing Activities)? Many businesses do not and are now working to build theirs. Today we will look at what the RoPA is, how it helps a business manage and improve its data protection efforts and how data discovery projects really help create a solid RoPA.

What is a RoPA?

The RoPA  is a legal requirement that businesses must follow and embrace as part of their Data Protection processes. The RoPA enables businesses to take stock of what information they store, where it is and what is being done with it, making it easier for a business to manage and improve its information governance, whilst complying with the local data regulations it must adhere to.

As businesses become more aware of their Data Protection processes, they will very likely be faced with creating a RoPA and under Article 30 of the GDPR or Schedule 1 of the Data Protection Act 2018, businesses now must document the processing activities they undertake.

What information should a RoPA contain?

The ICO (The Information Commissioners Office) state that the following details must be captured and tracked in the RoPA –

  • Purpose of processing
  • The name and contact details of joint controller (if applicable)
  • Categories of individuals
  • Categories of personal data
  • Categories of recipients
  • Names of third countries or international organisations that personal data are transferred to (if applicable)
  • Safeguards for exceptional transfers of personal data to third countries or international organisations (if applicable)
  • Data Protection Act 2018 Schedule 1 Condition for processing
  • GDPR Article 6 lawful basis for processing
  • Link to retention and erasure policy document (Is personal data retained and erased in accordance with the policy document?)
  • Reasons for not adhering to policy document (if applicable)
  • Categories of data subjects, and personal data in scope for this business process
  • Name of the business process. This could include, for example, interviewing candidates, onboarding an employee, or online customer registration
  • Transfers to third party countries or other third-party international companies
  • General description of technical and organisational security measures (if possible)

To help, The ICO have also created a RoPA template for businesses to start building their RoPA around, you can find it here.

Data Everywhere

But how do you know what data you are working with without analysing what data is being stored across all the solutions that are being used to run the business?

We find a lot of businesses building their RoPA by guessing what data they are working with. By using a Data Discovery solution, a company can scan all data stored in their digital estate and really understand, at a granular level, what data is being held.

Today, especially since Covid-19 has made more businesses embrace the “work from home” culture, more solutions than ever are being used to run day to day activities and that usually means that businesses now have data “Silos” (Many different data storage solutions, sometimes storing the same data in lots of different places), but when it comes to data, most businesses generally are not technical minded, with many not having an IT team to delve into the process of understanding their data. This means that many businesses are only aware of the various front end apps that they interact with (CRMs (i.e., Salesforce/Zoho/Pipedrive) HR Tools (i.e., BambooHR/CIPHR/Sage) & Marketing Suites (i.e., monday.com/Mailchimp/HubSpot)) and more often than not, they do not have any knowledge of the backend systems (database management systems (DBMSs), messaging systems (i.e., Lotus Notes and Microsoft Exchange), gateways to legacy systems such as IBM hosts, and network management systems) or the data within them.

Data Discovery and the RoPA

Utilizing Data Discovery tools will inform a business about what data elements are in which systems; thus, you can verify whether the existing RoPA is valid, or not, and help guide a business whilst it builds its new RoPA.

Another key benefit of understanding the sensitive data being stored is how that knowledge highlights areas in the business that the IT security can better protect stored sensitive data and these types of investigations often lead to a company kicking off a data minimization project – another area where data discovery can help (Data Discovery can tell you where the same data is stored). If the business is unable to map a purpose of use for a particular data set an internal conversation to discuss whether the data is being managed correctly should take place.

Additionally, Data Discovery tools can also assist with any Privacy Impact Assessment (PIA) or Data Protection Impact Assessments (DPIA) by giving key details around stored data and allowing a business to fully understand exactly what all types of data elements its working with.

To understand how GeoLang Data Discovery can help your business understand what data its working with and where it is being stored, contact us at [email protected] or download and setup our free 30 day trial here – https://geolang.com/free-trial/

Understanding your data provides limitless value and endless possibilities for any business.