In 2018, the EU adopted the General Data Protection Regulation (GDPR), opening the door to other privacy laws around the world and ushering in a host of new business acronyms. One of those acronyms – ROPA or Record of Processing Activities – is a fundamental requirement of the law and is emerging as a baseline requirement in some new privacy regulations, such as the California Privacy Rights Act, which will take effect at the beginning of 2023.

But while the concept of a ROPA is universal, the actual requirements of a ROPA can be different depending on the regulatory authority. With more states and countries implementing and considering privacy laws, the use of a universal ROPA will streamline the reporting process for covered businesses, and provide confidence to regulators that they’re collecting complete and relevant information.

What is a ROPA?

Simply stated, the Record of Processing Activity is a list of the personal data that a business possesses, how the data is used, where it is transferred, how long it is retained, and how it is protected. Under the EU’s GDPR, as well as other privacy laws, a record is required for all data that is processed, and those records form the Record of Processing Activity. This requirement applies to companies with 250 or more employees, as well as some smaller companies that regularly process data. With a ROPA, regulators can see how a company is treating the data of users.

The requirement to maintain ROPAs applies to both Controllers and Processors. A Controller typically is a company that collects and “owns” the data. A Processor is a company with which the Company may have a contractual relationship to use the data, such as to deliver advertising or marketing messages.

At a minimum, the ROPA must include:

• The business name and contact
• The purpose of the data the company is processing
• A description of the categories of individuals and of personal data
• The categories of recipients of personal data
• Details of transfers to third countries, including a record of the transfer mechanism safeguards in place
• Data retention schedules
• A description of the technical and organizational security measures in place

In addition, if a business is transferring data to a Processor, the business should maintain an internal record of those processing activities.

Why you need to build and maintain ROPAs

If your company has customers in the EU, it’s a legal requirement under GDPR to maintain Records of Processing Activity. In addition, other privacy laws around the world require some type of data mapping or ROPA for compliance, and U.S. companies doing business in California will be required to maintain these records under the soon-to-be-effective CPRA. Under EU law, failure to comply with this regulation can result in fines as high as €10 million or 2% of annual revenues.

But there are other benefits for a company to maintain ROPAs. At a broader level, the development of these Records can serve as a risk management or internal control tool. Populating a ROPA is a smart way for a company to understand how data is processed within its organization, and to evaluate whether the data is necessary to retain and if it’s adequately protected.

In addition, if a company experiences a data intrusion or theft, an up-to-date ROPA will enable it to identify and isolate the affected data.

How to create a ROPA

As with any type of record-keeping, there are two primary methods: manual and automated. Many companies are still creating and maintaining their Records using a spreadsheet. The advantage to this method is that staff might be familiar and comfortable with the process. The risks, however, may outweigh this benefit. Manual spreadsheets are subject to input errors, and they require a significant investment of time to keep them accurate and up-to-date. Whenever a company adopts a new process that affects its data, the ROPA must be updated to comply with regulations.

An automated process, on the other hand, can map a company's data, services, and vendors automatically, eliminating potentially hundreds or thousands of hours of manual labor as well as the potential for massive errors. Automation typically will use machine learning (ML) or artificial intelligence (AI) to learn how your data is processed and when changes occur, and automate the updates to the ROPA. In addition, an automated process can easily accommodate changing privacy regulations across the various regulatory jurisdictions.

In both cases, the process typically begins with a data-mapping exercise, determining the data held by the company and its location. Some businesses poll the functional areas of a company to assess the data collected, as well as the current processes that track how the data is used and shared. The IT or security teams then can add details about how the incoming and outgoing data are protected. A review of existing privacy policies and third-party contracts then can verify whether processes and policies are aligned, and whether any changes are required.

Once created, the ROPA should be a living document that is updated regularly. When a company updates its ROPAs, it also should review its privacy policies to ensure the Records and policies are in alignment.

The case for a Universal ROPA

More than 125 jurisdictions globally have some type of data privacy law, with the number steadily growing. In the U.S., five states have enacted a data privacy law, and movement is proceeding through the legislative branch on some type of federal privacy law. While many of these laws require a Record of Processing Activity, there is no single template, creating significant compliance issues for businesses in every segment in every country. Even member states of the EU – which first required the ROPA – have different guidance templates.

A universal ROPA will rationalize the information required by the different jurisdictions, streamlining compliance by covered businesses and enabling knowledge sharing by the regulating authorities. The use of a universal template will save thousands of hours in the creation, maintenance and governance of the individual Records, enabling companies to build strong data management practices across the enterprise.

With a well-researched universal template that takes into account requirements mandated by existing regulations - and populated through a highly accurate automated process - the ROPA can become a valuable tool for companies and regulating authorities, moving from a record to a key repository that meets compliance obligations while providing a company with greater insight and control over a key asset.

Using Relyance to create a Universal ROPA

As outlined above, creating a ROPA is a two step process: creating a data inventory and map and then inputting the relevant data into a regulator-ready document. Both of these activities are historically very labor-intensive and error-prone manual processes, but Relyance automates both of these steps. First, our Live Data Inventory and Map tracks and displays all data flows between the Relyance customer and its services and vendors, and automatically stays up to date. Second, Relyance’s ROPA module extracts and auto-populates the relevant information.

Relyance has studied the ROPA templates and guidance published by all EU member nations, the United Kingdom, and Brazil to synthesize the regulatory requirements. Using a combination of contract and code analysis, and machine learning, Relyance can prepopulate many of the ROPA fields, eliminating hours of tedious work and allowing privacy professionals more time to focus on strategic tasks. Want to learn more? Book a demo with us, or contact us here.

‍