Building Your First Record of Processing Activities (RoPA)

Prerequisites

Before you begin, ensure you have identified the following within your organisation:

  1. Data Repositories: All data storage locations.
  2. Processing Activities: All processes handling personal data.
  3. Categories of data and individuals identified.
  4. Teams: All teams and their specific roles.

Building Your First RoPA Draft

The first draft of your RoPA will involve making provisional associations between the elements you've identified. These associations are your best initial guesses and will be validated in later stages.

Processing Activity → Team

Link each processing activity to the responsible team. Optionally, you can designate a Team Owner who will receive future assessments related to the processing activity. If no Team Owner is set, assessments will be sent to the entire team.

💡 Make sure you have configured users, teams and business functions priorly.

Users / Roles / Teams / Business Functions

Alternatively, you can add a new team and user if needed inside the processing activity.


Processing Activity → Categories of Individuals and Data Categories

Link each processing activity to the relevant categories of individuals and data categories.

  1. Click on the "New Category of Individual" button.
  2. Select your Category of Individual and Data Categories.

We have pre-added categories of data and categories of individuals, however, you can define your own taxonomy or add categories that are missing.

For more info, please refer to:

Data Practices: Categories of Data

Data Practices: Categories of Individuals

Processing Activity → Data Repositories

Link each processing activity to the corresponding data repositories to trace data flows.

For each Category of Individual within each Processing Activity, select the Data Source (Internal, External, Subject, Other) and the Data Repositories where processing occurs.

Data Repositories → Team

Link each data repository to the responsible team or individual.

Navigate to Data Inventory and search for the needed data repository. Proceed to edit and select an owner (User or Team).

Why single points of ownership matters?

Tracking ownership and responsibility is your starting point for effective data management. The data owners will need be documented in your RoPA, be responsible for future assessments including input to potential DPIAs.

Next Steps

Important Note: These initial associations are made based on the available information and your best judgment. Validating these connections with business owners and subject matter experts is a crucial next step to ensure accuracy.

Once your first RoPA draft is complete, discuss your next steps with your Account Manager.

Validation Option: RoPA Interviews

To validate your RoPA, consider interviewing team leaders.

  1. Create a Brief for Leadership: Explain the importance of GDPR Article 30 and the steps needed to create an effective RoPA.
  2. Meeting with Team Head: Schedule a meeting with a team head to discuss their processing activities and data repositories. Use this meeting to input data into the product and introduce them to the process.
  3. Access to the Tool: After the interview, grant access to the team leader so they can manage their data processing activities.

Summary

By following these steps, you'll be on your way to creating a comprehensive RoPA and ensuring GDPR compliance. If you have any questions or need further assistance, please refer to our documentation or contact our support team. We're here to support your privacy program development and help you achieve your data protection goals.

Still need help? Contact Us Contact Us