The General Data Protection Regulation (GDPR) is a comprehensive data protection regulation implemented in the European Union (EU) in May 2018. It aims to protect the personal data of EU citizens and residents and ensure that businesses and organisations are held accountable for the way they collect, process, and store this data. It sets out strict requirements for data protection and privacy, and failure to comply can result in significant fines and other penalties – up to €20 million, or up to 4% of the annual global turnover of the preceding fiscal year, whichever is higher – a valid reason to check your data processing practices.

One of the key requirements of the GDPR is to keep records of processing activities (RoPA). In this article, we will explain what records of processing activities are, why they are essential, and what you should do to comply with this requirement.

What are records of processing activities and do I need them?

Records of processing activities are documents that provide an overview of how personal data is processed within an organisation. They must include information on the types of personal data processed, the purposes for which the data is processed, and the measures taken to ensure the security of the data.

Under the GDPR, both data controllers and data processors are required to maintain records of data processing activities. If your organisation has fewer than 250 employees, this requirement may not apply to you if your data processing:

  • is occasional;
  • is not likely to result in a risk to the rights and freedoms of data subjects;
  • does not include special categories of data, such as racial, ethnic, or health information, or data relating to criminal convictions and offences.

In practice, however, this exemption is unlikely to apply, as most organisations process personal data regularly (not occasionally), for instance, through salary management, CRM systems usage, or via their websites.

Therefore, it is important that organisations update their records of processing activities regularly and reflect changes in their data processing activities in these records. Companies must make such records available to supervisory authorities if requested.

Why are records of processing activities so important?

Records of processing activities are important for several reasons.

First, they demonstrate compliance with the GDPR. If an organisation cannot provide records of processing activities upon request, it may be subject to fines and other penalties.

Second, they help organisations identify and mitigate potential data protection risks. By clearly understanding how personal data is processed within the organisation, businesses can identify gaps and take steps to improve their data protection practices.

Finally, records of processing activities can help build trust with customers and other stakeholders. By demonstrating a commitment to data protection and transparency, companies can establish themselves as trusted partners and avoid damaging data breaches.

Creating a checklist for records of processing activities

Creating a checklist can help ensure that all necessary information is included in the records of processing activities. Here is a basic checklist to get you started:

  • Identify the personal data that your organisation processes.
  • Document the purposes for which the data is processed.
  • Identify the legal basis for processing the data.
  • Document the categories of data subjects and personal data processed.
  • Document the categories of recipients to whom the personal data may be disclosed.
  • Document any transfers of personal data to third countries or international organisations.
  • Establish retention periods for different categories of personal data.
  • Document the technical and organisational security measures in place to protect the data.
  • Review and update records of processing activities regularly to ensure ongoing compliance.

What should be included in records of processing activities?

Although both data controllers and processors are required to keep records of processing activities, the GDPR specifies a different set of information that must be included in the records, depending on the role of the organisation.

Data Controllers

As a data controller, you must include the following information:

  • the name and contact details of the controller and the data protection officer, where applicable;
  • purposes of the processing;
  • categories of data subjects and categories of personal data;
  • categories of recipients to whom the personal data have been or will be disclosed;
  • transfers of personal data to a third country or an international organisation, including the documentation of suitable safeguards;
  • time limits for erasure; and
  • a description of the technical and organisational security measures.

Data Processors

As a data processor, you must maintain records of processing activities performed on behalf of data controllers, detailing the following:

  • name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and the data protection officer, where applicable;
  • categories of processing carried out on behalf of each controller;
  • transfers of personal data to a third country or an international organisation, including the documentation of suitable safeguards; and
  • a description of the technical and organisational security measures.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.