How Accurate Is Your Record of Processing Activities (RoPA)? The First Step for Your Data Privacy Program, Explained
Article 30, on records of processing activities, is one of the most important GDPR obligations companies need to understand. It requires companies to keep a detailed record of all activities involving the processing of personal data, known as a Record of Processing Activities (RoPA). While a formal RoPA is a GDPR requirement, building one is a fundamental exercise for any company starting a data privacy program: a company that lacks a robust inventory of its processing activities will have a much harder time demonstrating compliance under any data privacy regulation.
Processing personal data comes with several compliance risks, and the legal landscape changes every year. Companies that do not monitor data processing systematically are at greater risk of violating data privacy laws. A RoPA helps a company see concretely how data is used, secured, and disclosed, even where there is no legal obligation to compile one. A company that systematically monitors its processing activities is well equipped to demonstrate due diligence, and it can identify which ongoing activities must be altered to comply with new regulations. The more readily available a company's information about its own processing is, the more likely it is to succeed in the growing data economy, and a comprehensive RoPA is essential to that. Automating the inventory is the first step a company should take to grasp the full scope of its processing activities.
Who must comply with Article 30?
As with other aspects of the GDPR, Article 30 provides separate obligations depending on whether a regulated entity is a controller or a processor. Within the GDPR, a controller is any person or entity that determines the purposes and means of processing personal data; a processor is any person or entity that processes personal data on behalf of a controller. Under Article 30 the controller must produce a more detailed record than the processor, since the controller determines the purposes and means of processing. Article 30 does not apply to every controller and processor. Section 5 of Article 30 (Article 30(5)) exempts organizations that employ fewer than 250 persons, but only as long as all three of the following hold: the processing is (1) unlikely to result in a risk to the rights and freedoms of data subjects, (2) occasional rather than regular, and (3) does not include the special categories of data referred to in Article 9(1) or data relating to criminal convictions and offenses under Article 10. Because a single regular processing activity (payroll, customer accounts, marketing lists) defeats the exemption, smaller organizations should monitor their processing activities carefully to ensure they do not inadvertently fall within Article 30.
When does Article 30 apply?
Record-keeping obligations under Article 30 arise whenever there is a processing activity. For the purposes of the GDPR, "processing" is defined broadly to include any operation performed on personal data. While not exhaustive, the GDPR lists the following as examples of processing: collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction. As such, Article 30's record-keeping requirements apply to nearly every action taken with personal data.
What does Article 30 require?
Article 30 is broken down into 5 sections. The first two sections detail the record-keeping obligations of the controller and processor respectively. Section 3 requires the records made under sections 1 and 2 to be in writing, including in electronic form. Section 4 requires regulated entities to make the Article 30 record available to the supervisory authority on request. Section 5, as discussed above, exempts certain organizations from obligations under Article 30.
Section 1 requires controllers to maintain a record of processing activities under its responsibility. This record must contain the following seven categories:
- The name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
- The purposes of the processing;
- A description of the categories of data subject and of the categories of personal data;
- The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
- Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and documentation of appropriate safeguards;
- Where possible, the envisaged time limits for erasure of the different categories of data;
- Where possible, a general description of the appropriate technical and organizational security measures.
Similarly, section 2 requires processors maintain a record of all categories of processing activities. The processor’s recordkeeping obligations are similar to the controller’s obligations but generally less stringent, reflecting the controller’s greater responsibility over the means and purpose of processing activities. Section 2 only requires the processor’s record to contain the following four categories:
- The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;
- The categories of processing carried out on behalf of each controller;
- Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and documentation of appropriate safeguards;
- Where possible, a general description of the appropriate technical and organizational security measures.
Two requirements stand out because they are identical between sections 1 and 2. Controllers and processors alike must document cross-border transfers, including the destination and the safeguard relied on, and both must give a general description of the technical and organizational security measures protecting the data. In this way the RoPA provides an extra check that a company has actually thought through the cyber security aspects of GDPR (Article 32) for each processing activity, not just its legal basis.
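The two lists above are easy to keep on a spreadsheet and hard to keep accurate. A practical way to catch gaps is to store each processing activity as a machine-readable record and check it against the role-specific Article 30 items automatically. The following is an added example written for this article, not code from Ardent Privacy or any product; the field names, the sample "payroll" and "hosting" entries, and the one-year review interval are assumptions chosen for illustration.

```python
"""Machine-readable RoPA entries with an Article 30 completeness check (added example).

Assumed schema (not from the GDPR text itself): one RopaEntry per processing activity,
with a `data` dict keyed by the Article 30(1) items for controllers and the
Article 30(2) items for processors. Field names are this example's own choice.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Items that are unconditionally required: Art. 30(1)(a)-(d) for controllers,
# Art. 30(2)(a)-(b) for processors. Transfers and security measures are checked
# separately because the Article qualifies them with "where applicable"/"where possible".
CONTROLLER_MANDATORY = ["controller_contact", "purposes", "data_subject_categories",
                        "personal_data_categories", "recipient_categories"]
PROCESSOR_MANDATORY = ["processor_contact", "controller_contacts", "processing_categories"]


@dataclass
class RopaEntry:
    role: str                                   # "controller" or "processor"
    name: str                                   # activity name, e.g. "payroll"
    data: Dict[str, object] = field(default_factory=dict)
    third_country_transfers: List[Dict[str, str]] = field(default_factory=list)
    last_reviewed: Optional[str] = None         # ISO date of the last review of this entry


def article30_gaps(entry: RopaEntry) -> List[str]:
    """Return the Article 30 items missing from one entry; an empty list means complete."""
    if entry.role not in ("controller", "processor"):
        return [f"unknown role {entry.role!r}"]
    mandatory = CONTROLLER_MANDATORY if entry.role == "controller" else PROCESSOR_MANDATORY
    gaps = [f for f in mandatory if not entry.data.get(f)]
    # Art. 30(1)(e) / 30(2)(c): every transfer must name the destination and the safeguard.
    for i, transfer in enumerate(entry.third_country_transfers):
        for key in ("destination", "safeguard"):
            if not transfer.get(key):
                gaps.append(f"transfer[{i}].{key}")
    # Art. 30(1)(g) / 30(2)(d) are "where possible"; treat absence as something to review
    # rather than silently accepting it, since this is the cyber security hook in the record.
    if not entry.data.get("security_measures"):
        gaps.append("security_measures (where possible)")
    # Art. 30(1)(f) applies to controllers only.
    if entry.role == "controller" and not entry.data.get("erasure_time_limits"):
        gaps.append("erasure_time_limits (where possible)")
    return gaps


def article30_5_exempt(headcount: int, likely_risk: bool,
                       occasional: bool, special_categories: bool) -> bool:
    """Art. 30(5): the duty is lifted only when ALL conditions hold for the organisation."""
    return headcount < 250 and not likely_risk and occasional and not special_categories


def is_stale(entry: RopaEntry, today: date, max_age_days: int = 365) -> bool:
    """An entry never reviewed, or reviewed more than max_age_days ago, is stale."""
    if entry.last_reviewed is None:
        return True
    return date.fromisoformat(entry.last_reviewed) < today - timedelta(days=max_age_days)


# Constructed sample entries (not real organisations or systems).
PAYROLL = RopaEntry(
    role="controller", name="payroll", last_reviewed="2024-01-15",
    data={
        "controller_contact": "Example Ltd, dpo@example.test",
        "purposes": ["salary payment", "tax reporting"],
        "data_subject_categories": ["employees"],
        "personal_data_categories": ["name", "bank account", "salary"],
        "recipient_categories": ["payroll provider", "tax authority"],
        "erasure_time_limits": "7 years after employment ends",
        "security_measures": "TLS in transit, AES-256 at rest, role-based access, audit logging",
    },
    third_country_transfers=[{"destination": "United States",
                              "safeguard": "Standard contractual clauses (Art. 46(2)(c))"}],
)

HOSTING = RopaEntry(  # processor entry that forgot the security description and was never reviewed
    role="processor", name="hosting",
    data={
        "processor_contact": "Example Hosting Inc, privacy@hosting.test",
        "controller_contacts": ["Example Ltd"],
        "processing_categories": ["storage", "backup"],
    },
)


def report(entries: List[RopaEntry], today: date) -> Dict[str, List[str]]:
    """Map each activity name to its gaps, flagging stale entries as a gap too."""
    out = {}
    for e in entries:
        gaps = article30_gaps(e)
        if is_stale(e, today):
            gaps.append("stale: not reviewed within 365 days")
        out[e.name] = gaps
    return out


if __name__ == "__main__":
    for name, gaps in report([PAYROLL, HOSTING], date(2024, 6, 1)).items():
        print(f"{name}: {'complete' if not gaps else ', '.join(gaps)}")
```

Run as a script, the report shows "payroll: complete" and lists the missing security description and the missing review date for "hosting". The point of the role switch in `article30_gaps` is that the same activity seen from the processor's side legitimately has fewer items, so a single shared checklist would either over-report for processors or under-report for controllers.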
Are there comparable requirements to Article 30 in US data privacy laws?
Currently, US data privacy laws have not directly adopted a provision comparable to Article 30. However, laws like the CCPA require an entity to retain records of consumer requests, and the Federal Information Security Management Act (FISMA) contains record-keeping requirements that direct government agencies to inventory their information systems and archive records on the categories of data they hold and certain processing activities.
Though US laws do not require Article 30-style records, many US companies would benefit from implementing a similar monitoring system for data processing activities. Monitoring systems are a fundamental part of managing the compliance risk a company takes on when it accumulates large data inventories. A meaningful record of processing activities can even assist with compliance under US law: state laws in Virginia (CDPA) and California (CPRA) now require regular risk assessments for certain data processing activities, and a company that follows Article 30's RoPA requirements already has a system in place that generates the inputs for those assessments. In this way, Article 30 can serve as a best practice for US companies even when they have no legal obligations under EU law.
How can Ardent Privacy solutions assist with Article 30 compliance?
As data sets grow exponentially, traditional record-keeping methods take an enormous amount of time and manpower to produce a complete and accurate RoPA. Ardent Privacy solutions provide data identification driven by machine learning and artificial intelligence that helps businesses understand and monitor their entire data inventory in an efficient and practical way. Ardent solutions use a discovery approach similar to oil exploration, drilling down into a company's data stores to map personal data and prioritize it by risk. Features such as Auto-tags and the Sensitivity Index can be used to identify risks associated with a business's data inventory. Today, Article 30 records are typically built from interviews and surveys, which are prone to error and do not fully represent the data the enterprise actually stores, which can lead to noncompliance. Ardent solutions automate this process to produce a record of processing activities that reflects current data processing practice. This reduces the time and manpower dedicated to Article 30 compliance and provides more accurate reporting. It also lets a business take the first step toward understanding which data can be minimized to reduce compliance risk.
Conclusion
Good internal record keeping under Article 30, while burdensome, can ultimately help companies comply with other aspects of data privacy regulation. This is particularly true under the GDPR, though many companies will still benefit from monitoring data processing even when they are not subject to EU law. At Ardent Privacy we believe that data identification is of the utmost importance regardless of jurisdiction. We are developing technology that harnesses artificial intelligence to stay ahead of changes in data privacy compliance. Our privacy-by-design solutions aim to educate businesses about their ongoing processing activities and promote data minimization, reducing the risks associated with unwieldy and unmonitored data inventories.
About Ardent Privacy
Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to enable companies with data discovery and automated compliance with DPB (India), RBI Security Guidelines, GDPR (EU), CCPA/CPRA (California), and other global regulations by taking a data-driven approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.
For more information and resources, visit https://ardentprivacy.ai/
Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.