Maintain a record of processing activities (or ROPA) as required by data protection law. See templates and examples to help you do it yourself or engage with an expert to do it for your organisation. Is the record of processing activities the same as a register of processing activities? Is a data inventory part of the record?

You create the record of processing activities by mapping activities. Is data flow mapping part of it?

Why is having documentation of your processing activities important?

How can you protect personal data or implement a privacy compliance programme if you don’t know what personal data you process and why, who your data subjects are, when you’re the controller, who your processors are etc. It is the foundation of any programme.

Who needs to maintain a record?

Only larger organisations or smaller ones that process lots of personal data. In the EU, an enterprise or an organisation employing fewer than 250 persons doesn’t need to unless:

  1. the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects,
  2. the processing is not occasional, or
  3. the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

Other countries have similar exemptions although not always as extensive. For example, in SA organisations with fewer than 50 employees are exempt.

Outcomes you can achieve

The best way to achieve a ROPA

There is no one size fits all and it depends on your organisation. Most organisations will want to do it themselves and should do it themselves because people within your organisation are closet to your activities and therefore best placed to map your activities. We can guide you on how to make a success of doing it yourselves.

Alternatively, Michalsons can do it for you. It will obviously be more expensive but we’re here to help. If you want Michalsons to do it for you, it is very important to be clear on the scope of the exercise.

  • Are we going to map all the activities of your whole organisation? Or some identified high-risk activities? Or all activities in one department? Does it make sense to start with one?
  • How are we going to do it? Manually or are we going to use software? Can it be done online or do Michalsons need to be onsite?
  • How quickly do you need the exercise done?

Article 30 of the GDPR

Article 30 of the GDPR requires that “Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility”.

Section 17 of POPIA

There is a similar requirement in many other countries. For example, in South Africa section 17 of POPIA requires a responsible party (or body) to maintain the documentation (or record) of all processing operations (or activities or functions) under its responsibility as referred to in PAIA (section 14 or 51). PAIA requires every body to have a PAIA manual containing “a description of the subjects on which the body holds records and the categories of records held on each subject” and concerning POPIA:

  1. “the purpose of the processing;
  2. a description of the categories of data subjects and of the information or categories of information relating thereto;
  3. the recipients or categories of recipients to whom the personal information may be supplied;
  4. planned transborder flows of personal information; and
  5. a general description allowing a preliminary assessment of the suitability of the information security measures to be implemented by the responsible party to ensure the confidentiality, integrity and availability of the information which is to be processed.”

So an organisation’s PAIA manual needs to include a ROPA. Or an organisation needs to have a ROPA containing the list of things above.

What must the record of processing activities (ROPA) contain?

The GDPR requires the record to contain:

  • the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
  • the purposes of the processing;
  • a description of the categories of data subjects and of the categories of personal data;
  • the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  • where possible, the envisaged time limits for erasure of the different categories of data;
  • where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

POPIA requires similar things but is slightly different.

Does the record relate to all processing activities?

No, just activities that involve the processing of personal data. The tricky thing is that personal data is amongst all data and therefore almost all of the activities of an organisation involve the processing of some personal data.

Do I have to lodge the record with the authorities?

No, you only have to make it available on request. In South Africa, it must either be in your PAIA manual or incorporated by reference.

What form should it be in?

It must be in writing but can be in either physical or electronic form.