What to Know About RoPA Reports and Maintaining One
RoPA reports, short for record of processing activities and outlined in Article 30 of the GDPR, are one of the major requirements of the EU’s revolutionary data protection regulations. As such, these reports are one of the most important parts of any company’s privacy program.
What is a RoPA report?
Within the GDPR, RoPA reports are a mechanism to try and ensure organizations are handling user data responsibly.
Data controllers, or organizations and/or people who choose what data is processed as well as why and how it is processed must keep a RoPA report. Likewise, data processors, usually third parties that physically process data on behalf of the controllers, also must keep a RoPA report.
While the GDPR does not outline a set period of time or frequency in which RoPA reports must be made, a data protection authority can request them at any time. This way, the Ropa acts as a type of audit of data processing activities, so companies must always be ready to comply.
A RoPA report itself contains the following information:
- Names and contact details of those involved
- The purpose of data processing
- Categories of data subjects and personal data
- Who gets access to the data
- Any data transfers to other countries or organizations, and safeguards in place
- The estimated time before data is deleted
- A general outline of security measures used to protect your data
Who needs to do RoPA reports?
GDPR is currently the only comprehensive data protection law in the world that outlines RoPA (or equivalent) requirements.
Brazil’s data privacy law, the LGPD, states that companies have “an obligation” to keep up-to-date records of processing activities, but does not explicitly cover what constitutes a report nor what information would be in one.
Likewise, none of the current state-level data privacy laws in the United States have a strict requirement to maintain and be ready to hand over a record of processing activities when requested by a DPA, although California comes closest. The CPRA amendments to California’s law, the CCPA, notes that the newly-created CPPA authoritative body has the power to create RoPA-equivalent requirements in the future.
While this requirement is unique to GDPR, it is relevant to note that any organization processing the data of even a single EU citizen is technically required to comply with the GDPR.
The one caveat is smaller businesses with fewer than 250 employees are likely exempt from needing to maintain a RoPA (unless their data processing is frequent or involves sensitive data).
Although small businesses outside of Europe would likely never receive a request to check their RoPA, the necessity still falls on large and medium-sized international corporations, even those not headquartered in the EU. By default, if your organization has over 250 employees and you are unsure if you need to maintain a RoPA, you most definitely should.
Why are RoPA reports important for data protection?
RoPA reports act as a powerful check on data processing activities, which makes them an excellent tool for data protection. Simply the need to maintain these reports compels companies to do so and keep track of how they process and store user data.
This leads to increased transparency and accountability that is passed onto consumers. If you can see a company is handling your data responsibly, that’s a win-win situation for both you and the company. Your data isn’t mishandled and as a result, you’re more likely to do business with a company, benefiting them.
These increased risk management standards also benefit consumers, as they mitigate potential damage in worst case scenarios like data breaches.
Making your RoPA easier
There are industry best practices that make compiling and maintaining a RoPA a manageable task.
First off? Ensure leadership buys into a meaningful privacy program. If executives do not place an emphasis on both compliance and proper data management (an abundance of data is not necessary for data-driven decisions, after all), it will be incredibly difficult to get the resources necessary to compile a RoPA report.
Once you have the buy-in, compiling a comprehensive data map to discover as many data sources your organization is using as possible is key to generating a solid baseline for your RoPA.
Data mapping is a difficult task and one that traditionally does not uncover a vast majority of data systems, so you’ll need the right tool to help get a true data map that acts as a photograph of your company’s data landscape rather than a sketch drawn from memory.
How MineOS helps create your RoPA report
MineOS’s unique data mapping solution uncovers, on average, over 95% of data sources in an organization, getting companies far closer to full coverage than any other solution on the market. We do this by giving customers the flexibility to use multiple methods of continuous data discovery, including traditional ones like SSO and Cloud scans, but supplemented with our proprietary Email Navigator ability.
Our Email Navigator is the difference maker, as traditional data discovery methods like SSO and website scans typically uncover less than half of an organization's data systems. MineOS's secure email technology, which scans only email metadata to expand coverage from sub 50% to +90%, works continuously to ensure something that only a few years ago was impossible: a data map and list of data systems that is perpetually current and accurate.
Once you have a comprehensive data map in place after implementing our advanced data discovery and classification, MineOS’s AI determines processing activities based on predicted data types within a system. How do we know what data is within a system?
Our AI has been trained on privacy and legal policies, feature documentation, terms of service and additional documentation to know what type of data is where with overwhelming accuracy. Mine AI suggestions is like a cheat code that allows you to get a firm idea of what systems have sensitive data or might need full integration.
For data systems processing large amounts of data or sensitive data, once you verify Mine AI’s suggestions, you hit a single button inside the platform to create a baseline for your RoPA. This is all done automatically and without needing to spend weeks integrating and digging into systems, making RoPA reports faster and more accurate than ever.
MineOS helps change the tenor of RoPA reports, one of the most challenging parts of privacy professionals’ work. The right tools will help you achieve compliance with the GDPR and stay on top of company data flows without devoting massive resources to continually maintaining a RoPA.