Records of Processing Activities – DPC issues Welcome Guidance
Following a sweep of public and private sector organisations conducted in 2022, the Data Protection Commission has published guidance on records of processing activities.
Article 30 GDPR
Article 30 GDPR requires controllers and processors to keep records of their processing activities (“ROPAs”). Article 30(1) GDPR sets out the information that should be included in a controller’s ROPA, and Article 30(2) GDPR sets out the information a processor should include in its ROPA in respect of a controller. While there are various tools available in the market to assist controllers in building and maintaining their ROPAs, there has been no market standard and only limited regulatory guidance on the topic. The Data Protection Commission’s (the “DPC”) guidance (the “Guidance”) is therefore welcome, as it includes some examples of the information that should be included in a ROPA.
Small Organisation Exception
An organisation with fewer than 250 employees is not required to prepare a ROPA unless the processing the organisation carries out:
- is likely to result in a risk to the rights and freedoms of data subjects;
- is not occasional (e.g., HR and payroll); or
- includes special category data or personal data relating to criminal convictions and offences.
Availability to the DPC
Under Article 30(4) GDPR an organisation is required to provide a copy of its ROPA to the DPC on request. The Guidance notes that ten days for an organisation to provide a copy of its ROPA to the DPC should be sufficient notice “for any organisation in all circumstances.” It also notes that the ROPA should be a standalone record that the DPC can request and view in a readable format. If an organisation is using software to record its ROPA, it should be possible to generate a report easily.
Dos and Don’ts
The Guidance contains a list of ROPA “Dos” and “Don’ts” for organisations:
Do: Break down the ROPA with reference to the different functions within the organisation
– ROPAs should be divided up and detailed according to the different business units / functions within an organisation. A data mapping exercise should be conducted which involves all relevant units across the organisation.
Do: Use the ROPA as a tool to demonstrate compliance with the accountability principle (applicable to controllers under Article 5(2) GDPR)
– ROPAs should contain granular and meaningful information and should specifically detail each category of data subject, category of personal data or processing activity. The Guidance notes that the ROPA should reflect the retention period for each specific category of personal data processed.
Do: Include relevant extra information as appropriate
– Additional information beyond what is required under Article 30 may be helpful to include (e.g., the Article 6 GDPR legal basis for processing and the Article 9 GDPR legal basis for the processing of special category data, as applicable). The DPC notes that additional information should not replace information that is required under Article 30 and that additional information should be marked as a “helpful extra” in order to assist a business unit or employee inputting information into the ROPA.
Do: Gain buy-in across the organisation
– The controller as a whole is responsible for a ROPA, and an organisation’s DPO should not hold sole responsibility.
– To assist with getting buy-in from the organisation, the DPC suggests several actions, including: setting specific ROPA review dates; including guidance and explanations in the ROPA for reference by members of the organisation who are not familiar with data protection issues; specifically setting out the process owners; and including drop-down menus in the ROPA to ensure a uniform ROPA document is maintained.
Do: Maintain a living document
– The ROPA should be continuously updated to reflect the current position of the organisation’s processing of personal data.
– The DPC recommends regular reviews of the ROPA; maintaining an electronic version of the ROPA to enable editing across the organisation; employee training so that business units are aware that new products or services that require processing of personal data should be added to the ROPA as they are rolled out; and removing obsolete processing activities from the ROPA.
Don’t: Neglect to update the ROPA
– This echoes the DPC’s recommendation to maintain a living document. The Guidance states that if organisations enforce this, the ten-day notice period to provide a ROPA to the DPC would be sufficient. The DPC notes that a failure to comply could be considered non-compliance with the GDPR.
Don’t: Cut corners with detail and granularity
– For example, in respect of the requirement to list technical and organisational security measures, a general description of what technical and organisational measures are in place should be included in the ROPA. It is not sufficient to state “appropriate security” or “measures are in place that ensure appropriate security”.
Don’t: Maintain a ROPA that is not self-explanatory
– To be fit for purpose the ROPA needs to be a complete, self-contained document clearly listing all information as required by Article 30.
Don’t: Do any of the following:
– Hyperlinking documents in the ROPA that are not accessible when clicked on;
– Using undefined acronyms that work for internal purposes but are unlikely to be understood externally;
– Referring or hyperlinking to several different documents or sources to satisfy the Article 30 requirements, making it difficult to access the prescribed information set out in Article 30.
The Guidance contains examples of both well-completed and insufficient ROPAs, which will help organisations understand the level of detail that the DPC expects.
- While many organisations have struggled to understand the level of detail required to be included in their ROPAs, the Guidance provides a useful checkpoint for controllers to assess their ROPAs against regulatory expectations.
- Whether ROPAs are maintained on a spreadsheet or using a more sophisticated compliance tool, the same standards will apply.
- It is the duty of the controller (and not just the DPO!) to evidence that the ROPAs are sufficiently detailed, accurate and up to date.
- Given that the DPC has noted its intention to regard the ROPA as a “go to” resource as part of other regulatory activities such as breach notification management, complaint handling, inquiries and investigations, it would be unwise to wait for an incident to arise to review the ROPAs.
- Conducting a ROPA review provides a valuable opportunity to re-assess compliance with core GDPR principles such as data minimisation, data security and storage limitation. In many cases, ROPAs may date back to GDPR preparation programmes in 2018. If so, use the opportunity to refresh them to reflect current processing activities and recent changes (e.g., remote working).
- While it can be intimidating to undertake a data inventory review, don’t let perfection be the enemy of good. A set of ROPAs that has been updated in 2023 to broadly reflect the guidance will reflect well on a controller if charged with evidencing their compliance under Article 5(2) GDPR.
The authors would like to thank Suzanne Flynn for her contribution to this briefing.