Litigation Support Tip of the Night The GDPR's ROPAs

Article 30 of the General Data Protection Regulation requires controllers of personal data to maintain a 'record of processing activities' which includes seven key pieces of information:

1. Controller name and contact information.
2. Purpose for the processing.
3. The categories of personal data and data subjects.
4. The categories of recipients to whom data will be disclosed.
5. Transfers of data to third countries or international organizations.
6. The time range for which the data will be held and then erased.
7. The security measures taken to protect the data.

You can find a good example of a spreadsheet used to track ROPA data on the site of the UK's National Health Service.

Compare this with an example on the site of the Commission nationale de l'informatique et des libertés (CNIL), the French agency charged with enforcing data privacy laws.

Supporting documentation is often required for ROPAs, such as vendor DPAs, (Data Processing Agreements) which address the terms under which a service provider processes personal data for a company, and DSAR responses (Data Subject Access Requests), which are actions taken to remove, alter, or access personal data on the request of the person whose data is involved.

Organizations often prepare data maps to track the personal data they are holding. Some service providers such as BigID have developed systems which help companies assess private data on their network.

https://www.litigationsupporttipofthenight.com/single-post/ropas