ARTICLE
8 April 2026

Understanding ROPAs And PIIAs And Why Your Organisation Needs Both

ENS (Contributor)
ENS is an independent law firm with over 200 years of experience. The firm has over 600 practitioners in 14 offices on the continent, in Ghana, Mauritius, Namibia, Rwanda, South Africa, Tanzania and Uganda.

As organisations continue to process increasing volumes of personal information, understanding how data is processed within the organisation through systems, teams and third parties is essential. A tool that assists organisations in keeping track of their data flows is a record of processing activities, often referred to as a "ROPA" or data mapping. For the purposes of this article, we will use the term ROPA.

A ROPA is an inventory of how an organisation processes personal information and provides an overview of how personal information is processed and how it flows (hence also called data mapping). A ROPA forms part of the foundation for an effective data protection compliance programme. On the other hand, a personal information impact assessment ("PIIA") is a more in-depth analysis of any processing activity that may pose a high risk to data subjects. Read more about PIIAs here.

Why implement and maintain a ROPA?

Maintaining a ROPA is essential for understanding data flows and identifying all touchpoints in the lifecycle of the personal information handled by the responsible party. Not knowing what personal information is processed, the purposes for processing it, which data subjects it belongs to, whether third parties process it, whether there are cross‑border transfers of the personal information, or even where the information is stored, makes it difficult to implement and comply with data protection laws. Moreover, having a ROPA enables informed decision‑making, helps identify potential risk areas before they escalate, and strengthens data governance.

Is it mandatory to have a ROPA?

Under the EU and UK General Data Protection Regulation (collectively "GDPR"), data controllers must maintain a ROPA and document the personal data they process, and data processors must document the categories of processing they perform for each controller. A compliant ROPA includes details such as the controller's contact information, purposes of processing, categories of data subjects and personal data, recipients (including international transfers), retention periods and security measures. Not all organisations subject to the GDPR must comply with this obligation – specifically organisations with fewer than 250 employees are generally exempt. However, they must have a ROPA if their processing is high‑risk, not occasional, or involves special categories of data or information relating to criminal offences.

Conversely, the Protection of Personal Information Act, 2013 ("POPIA") does not have an explicit requirement that responsible parties maintain a ROPA. However, section 17 of POPIA requires every responsible party to maintain the documentation of all processing operations under its responsibility as referred to in section 14 or 51 of the Promotion of Access to Information Act, 2000 ("PAIA"). Under South African data protection laws, every responsible party must develop and publish a PAIA manual. The PAIA manual must include the following information:

  • the purpose of the processing;
  • a description of the categories of data subjects and of the information or categories of information relating to the data subjects;
  • the recipients or categories of recipients who will access the personal information;
  • planned transborder flows of personal information; and
  • a general description allowing a preliminary assessment of the suitability of the information security measures to be implemented by the responsible party to ensure the confidentiality, integrity and availability of the information which is to be processed.

In essence, section 17 of POPIA read with the PAIA requires an organisation's PAIA manual to document the above information about its processing operations. However, as a practical matter, including a comprehensive and robust ROPA directly within the PAIA manual is unlikely to be feasible, as the level of detail required would render the manual unwieldy. Instead, most organisations will include this information at a high level in their PAIA manual, much as they would in a section 18 privacy notice, providing a general overview of the categories of personal information processed, the purposes for processing, and the other items listed above.

The ROPA itself should be maintained as a separate, detailed document that maps the organisation's data flows in the manner described above – setting out the full lifecycle of personal information from collection through to destruction or de-identification. Maintained in this way, the ROPA serves a critical practical function beyond mere compliance: it enables the information officer to identify high-risk processing activities across the organisation, which in turn triggers the need for a more in-depth assessment by way of a PIIA (which is mandatory under POPIA). In other words, the ROPA acts as the foundation from which an organisation can determine where a deeper dive into specific processing activities is warranted.

Regardless of the format, a ROPA must provide a complete and accurate overview of the organisation's processing activities to ensure compliance with its information-handling obligations.

What is the difference between a ROPA and a PIIA?

Some organisations mistakenly treat a ROPA and a PIIA as the same thing or use one in place of the other. However, they serve vastly different purposes.

While ROPAs and PIIAs are complementary, there are several key differences between the two instruments:

[Image: comparison table of the key differences between a ROPA and a PIIA]

We regularly assist organisations with the development and review of ROPAs, as well as with considerations around their implementation and ongoing maintenance. Get in touch with the team below should you wish to learn more.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
