In this article, we describe what a record of processing is, why you need one (i.e. its purpose), what it should contain, and how to create one.
A record of processing activities is often called RoPA or GDPR ropa. So if you hear people say “Do you have a ropa?”, they are asking for your record of processing.
It is also often referred to as your “article 30” or “article 30 record”.
So let's jump into what a record of processing is.
A record of processing is an overview of your data processing activities. That means that you should have a document that outlines all the data your company has, the legal basis, the purpose for having it etc.
This is legally required under article 30 of the GDPR.
It’s important to note that a record of processing relates to personal data, i.e. you shouldn’t list all data that your company has on file. You need to, and should, focus on the data that is personal data.
Remember that personal data is more than just a name and an email. You can read about what personal data is in this article.
GDPR article 30 requires you to maintain a record of processing activities relating to the data under your responsibility.
It is the controller who is responsible for having the record of processing in place. The controller means the company or organization in charge of the processing activities and the data.
So it’s your company’s responsibility to maintain such records and keep them on file (and up to date at all times). That’s easier said than done.
The purpose of a record of processing is for each company to have an overview of all personal data that is processed by that company as the data controller.
The thought behind the requirement is to ensure that all companies know what data they have, why they have it, what legal basis they have in place to process the data, who the data is shared with etc.
This means that article 30 puts an obligation on all companies processing data about EU citizens to have such a record.
Overall, a record of processing should be a description of all the data processing activities that are taking place in your company.
Here is a summary of some of the elements a RoPA should have:
Your record of processing activities should contain information like the following:
Data protection authorities around Europe have good templates and guides for a record of processing activities.
The Danish Data Protection Agency has issued guidelines regarding how to draft a record of processing. Check out the guidelines (in Danish).
CNIL, the French Data Protection Agency, also has guidance and has created a template for a record of processing activities. You can find it here: https://www.cnil.fr/en/record-processing-activities
The ICO, in the UK, also has good articles on how to document the record of processing activities. Read the ICO article, where you can also find ICO’s template for a record of processing activities.
If you would like a tool or software to help you with the record of processing, you are welcome to contact us.
We’ll be happy to show you how we can automate the majority of all the work related to creating and maintaining a record of processing activities.