For the Record! DPC issues insightful guidance on Records of Processing Activities
Thursday, 08 June 2023

The Data Protection Commission (DPC) recently issued guidance on Records of Processing Activities (RoPAs). The requirement to maintain a RoPA flows from Article 30 of the GDPR, which requires controllers and processors to keep, within their organisations, a detailed record that accurately identifies the data processing activities the organisation carries out.
Article 30(5) of the GDPR exempts certain SMEs (i.e. organisations with fewer than 250 employees) from the obligation to maintain a RoPA. However, the exemption does not apply where the processing falls into any of the following three categories:
- processing that is likely to result in a risk to the rights and freedoms of data subjects;
- processing that is not occasional; or
- processing that includes special category personal data or personal data relating to criminal convictions and offences.
Importantly, the DPC has highlighted that processing of HR or employee-related data is not ‘occasional’ processing. As a result, the requirement to maintain a RoPA for processing activities involving HR or employee data will extend to most organisations, regardless of their size. The European Data Protection Board has previously expressed the same view.
The recent DPC guidance is the culmination of the DPC’s findings following a ‘sweep’ of the RoPAs of 30 organisations across a variety of sectors, which were asked in early 2022 to provide their RoPAs to the DPC for review within 10 days.
Helpfully, the guidance sets out ‘Do’s’ and ‘Don’ts’ for maintaining a RoPA which organisations should consider. The following are some of the key takeaways from that guidance:
Do’s:
- Break down the RoPA with reference to the different functions within the organisation: the RoPA should be clearly broken down and detailed according to the different business units within the organisation (e.g. HR, finance, accounting). The DPC recommends that organisations carry out a data mapping exercise involving all relevant units within the organisation to ensure that every data processing activity is captured in the RoPA and nothing is omitted;
- Use the RoPA as a tool to demonstrate compliance with the Accountability principle as set out in Article 5 of the GDPR: the RoPA should be as detailed and comprehensive as possible, for example, the RoPA should specify retention periods for each category of data cited in the RoPA;
- Include relevant extra information as appropriate: the DPC was impressed that some RoPAs that it received contained useful additional information, for example, risk ratings were assigned to each processing activity in some RoPAs;
- Gain buy-in across the organisation: maintaining the RoPA should not be the sole responsibility of the organisation’s Data Protection Officer (DPO). The DPC suggests a number of options which DPOs, or those otherwise responsible for maintaining the RoPA, should use to encourage participation from all functions within the organisation, for example setting specific internal review dates for the RoPA; and
- Maintain a living document: the RoPA should be regularly reviewed and updated as required and processing activities which are no longer occurring should be removed from the RoPA but archived elsewhere for the purposes of accountability.
Don’ts:
- Don’t neglect to update the RoPA: the obligation under Article 30 is to ‘maintain’ a RoPA and to ‘make the record available to the supervisory authority on request’. The DPC is of the view that 10 days should be sufficient notice for any organisation to produce their RoPA to the DPC for review;
- Don’t cut corners with detail and granularity: the DPC will not accept general or vague statements in the RoPA. For example, references within the RoPAs reviewed by the DPC to ‘personal data’ or ‘personally identifiable information’ as opposed to specific details of the categories of data, were described by the DPC as ‘unequivocally not sufficient’; and
- Don’t maintain a RoPA that is not self-explanatory: the RoPA should be a complete and self-contained document, fully accessible to an external reader such as the DPC. Accordingly, hyperlinking other documents into the RoPA and use of acronyms in the document should be avoided.
If your organisation has not yet put a RoPA in place, the key next steps, particularly in light of this guidance, are:
- carry out a data mapping exercise to trace the data flows within the organisation that will need to be recorded in the RoPA;
- meet with all stakeholders and functions within the organisation when doing so, to ensure that every business unit is engaged in the process;
- draft a comprehensive RoPA, ensuring that each of the items required by Article 30 is included and easily located within the document in the event that you need to produce it to the DPC; and
- make sure that the RoPA is regularly updated so that it reflects all processing activities within the business at any given time.
For further information on RoPAs, please contact Seán O’Donnell, Zelda Deasy, Kelly Mackey, Barrie Scott or any member of our Data Protection/GDPR Team.