In 2022, the Data Protection Commission (the "DPC") carried out a sweep of the Records of Processing Activities ("RoPAs") of thirty public and private sector organisations to detect issues and gaps in the drafting and management of RoPAs. Following this sweep, the DPC has published a Guidance Note on RoPAs (the "Guidance") to assist organisations in complying with their responsibilities under Article 30 GDPR.
Article 30 GDPR obliges controllers and processors to maintain a RoPA – a record of all processing activities. Article 30 sets out the information which a RoPA must include, and provides that controllers and processors must provide a copy of their RoPAs to the DPC upon request (Article 30(4)). The Guidance notes that ten days "should be sufficient notice for any organisation in all circumstances". The RoPA should be a standalone record that the DPC can request and view in a readable form. If an organisation is using software to record its RoPA, a report should be easily generated.
The Guidance notes that a well drafted RoPA will demonstrate to the DPC that an organisation has considered the purpose of all of its processing activities. It will also demonstrate that the organisation has considered the implications of processing the personal data, the specific and limited personal data required for each activity, and the particularities of managing the security and retention of the personal data being processed.
Given the DPC's role in monitoring and enforcing the GDPR, the Guidance provides welcome advice to organisations on how they should draft their RoPAs, including a list of 'Dos' and 'Don'ts', along with examples of well completed RoPAs, versus a RoPA that contains insufficient detail.
Article 30 GDPR Requirements
Article 30 GDPR requires controllers and processors to maintain detailed records of their activities which involve the use of personal data. Article 30(1) and 30(2), respectively, set out the mandatory information that should be included in the RoPA of a controller and processor. Controllers must maintain these RoPAs in writing, and are permitted to do so in electronic form.
Under Article 30(5) of the GDPR, organisations that employ fewer than 250 employees are exempt from the above obligations. However, this exemption does not apply in respect of any processing activities which:
- are likely to result in a risk to the rights and freedoms of data subjects (e.g. the use of AI, the tracking of locations or the processing of applications for mortgages);
- are not occasional (e.g. HR or employee pay-related processing); or
- include special category personal data ("SCD"), or personal data relating to criminal convictions and offences (e.g. Garda vetting, membership in trade unions, or biometric data processing).
Small and medium enterprises that carry out such processing activities must maintain a RoPA in respect of those activities.
Small and medium enterprises that come under the exemption must still keep a standalone record of HR and payroll functions in a legible format. A spreadsheet may suffice for smaller organisations, but for larger, more complex organisations it may be preferable to use a relational database or a RoPA tool provided by a third-party data protection service provider.
'Dos' and 'Don'ts' for Organisations
The Guidance contains a list of RoPA 'Dos' and 'Don'ts' for organisations, which are set out in brief below.
- Break down the RoPA in accordance with the different business functions within the organisation (e.g. finance, HR, marketing). The DPC recommends creating separate tables or spreadsheets for each business unit within an overall RoPA document or system. It also suggests carrying out a data mapping exercise to determine what data the business holds and where.
- Use the RoPA as a "tool" to show that the organisation is in compliance with the GDPR accountability principle. Organisations can do this by providing specific detail for each category of data subject, personal data or processing activity. Such granular information is important given that retention periods often vary among different categories of data and all retention periods should be specified.
- Include relevant extra information, where appropriate. Many organisations include in the RoPA helpful extra information not explicitly required under Article 30 GDPR. For example, the Article 6 legal basis for processing; Article 9 basis for processing SCD; whether a breach has occurred in relation to a specific processing activity; non-EEA transfer mechanisms relied upon; and risk ratings allocated to processing activities. The DPC emphasises that organisations should clearly highlight which information is mandatory under Article 30, and which information is included as such a "helpful extra".
- Gain "buy-in" across the organisation. The DPC recommends that responsibility for completing the RoPA should not rest solely with the DPO. Rather, the process may be led by the DPO, with different areas of the organisation feeding into it. An organisation may seek buy-in by setting specific RoPA review dates and requesting all sections of the organisation to participate in the review. Each business unit should designate someone with responsibility for maintaining the mandatory information.
- Maintain a "living, dynamic" RoPA, which is updated regularly. There should be regular RoPA reviews and updates. The DPC suggests that an electronic RoPA would be more manageable than a paper-based RoPA, so it can be easily edited and saved. Employees should receive training so that they know to add new processing activities to the RoPA as they are rolled out. Importantly, obsolete processing activities should be marked as such, or removed from the RoPA (and archived for the purposes of accountability).
- Don't fail to update the RoPA. The RoPA should not contain out-of-date information. The RoPA must be maintained and readily available to the DPC on request. The DPC advises that ten days should be sufficient notice for any organisation to supply it with a copy of their RoPA.
- Don't omit adequate detail or granularity, for example when listing the categories of personal data being processed, or when listing the technical and organisational security measures.
- Don't maintain a RoPA that is not self-explanatory and self-contained. Organisations should avoid hyperlinking documents, or referring to various documents or sources in the RoPA. The mandatory information set out in Article 30 GDPR should be accessible and the RoPA should not be so confusing that it hinders the DPC in its monitoring role. Organisations should also steer clear of using undefined acronyms which may not be readily understandable by the DPC.
The Guidance highlights the importance of organisations maintaining an up-to-date RoPA, in order to map and understand all the personal data it is processing and for what reasons. As well as being a compliance and risk management tool, a RoPA will assist an organisation in identifying any personal data processing that may not be necessary, and may help in demonstrating to data subjects a commitment to best practice data protection policies and procedures.
Organisations should now take heed of the Guidance and ensure that their RoPAs are granular, specific, detailed and continuously updated with input and ownership from each business unit within the organisation. Companies should ensure that they can make their RoPAs readily available to the DPC, should they be requested to do so. The DPC has warned that it may request a copy of a RoPA from an organisation not only as part of a future compliance sweep, but also whilst carrying out other regulatory activities, such as breach notification management, complaint handling, inquiries and investigations.
If you would like to discuss the Guidance, or any other related data protection and data privacy matter concerning your business, please do not hesitate to contact any member of our Technology and Innovation Group.