Who Needs a ROPA and Why?

Latest update:
30 Jun

Under theUK General Data Protection Regulation (GDPR), the majority of organisations processing personal data are required to create and maintain a formal record of processing activities (ROPA). It is widely regarded as the core data protection compliance document. In this, the first of two blogs on ROPAs, we are going to address two fundamental questions:

  • Which organisations need a ROPA?
  • Why is it necessary to create and maintain a ROPA?

Who needs a ROPA?

First, the easy bit. In the UK, if your organisation has more than 250 employees, you are required to create and maintain a ROPA, no questions.  But, what about organisations with less than 250 employees?  Here it is less black and white, however, organisations will still need to have a ROPA unless they can demonstrate one oft he following:

  • The organisation only conducts data processing occasionally
    An ‘occasional’ activity is interpreted as one that is not conducted regularly, e.g., informing clients of a one-off event. However, if your organisation is involved in regular data processing, such as client management or payroll management, this exemption would not apply and you will need to complete a ROPA
  • Processing is unlikely to pose a risk to the rights and freedom of data subjects.
    In order to take advantage of this exemption, you will need to conduct a risk assessment taking into account the scope and context of data processing. Again, however, it is difficult to envisage many situations where processing of personal data does not pose some degree of risk
  • No special categories of data are processed
    Personal data which falls under the special category banner includes health and criminal records.  So, for example, if your organisation manages its own employees’ health records this exemption would not apply and you will need to complete a ROPA.

Putting aside the legal requirements for one moment, it can be argued that having a ROPA in place simply represents good business practice for any organisation that processes personal data. Such a record, in our opinion, represents the corner stone of any privacy compliance framework.  It also plays a vital role in identifying risks associated with processing personal data and can be used to identify where data protection impact assessments (DPIAs) are required.  Let’s now look at some of the benefits of creating and maintaining a ROPA.

Why have a ROPA?

  • One of the key principles introduced by the UK GDPR is that of ‘accountability’, where data controllers are not only held responsible for ensuring that all privacy principles are adhered to, but also need to be able to demonstrate this. Presenting your ROPA is a key tool in establishing your accountability for any request or investigation by the Information Commissioner’s Office (ICO).
  • ROPAs are also pivotal in assisting organisations comply with another key GDPR principle, that of data minimisation, where data controllers are required to only process the personal data they need.  In the process of producing a ROPA, you will identify and can remove any superfluous personal data from your systems.  This eliminates the need to secure non-essential data and focuses efforts on retaining and securing necessary personal information.    
  • Complying with other aspects of data protection law (such as creating privacy notices, keeping personal data secure, enforcing retention schedules etc.) also becomes much easier if there is a ROPA in place.  
  • Creating a ROPA enables you to record what information you have, where it’s kept and what you do with it, making it much easier to improve your information governance practices.
  • In creating your ROPA, you can identify any cases of duplications or divergences of data which enable you to build a single source of truth with records that are the most current, complete and accurate.
  • As mentioned, the ICO can ask to see your ROPA at any time. Breaching the obligation to have a ROPA can, depending on the gravity of the infringement, incur a fine of up to £8.7m or 2% of an organisation’s annual worldwide turnover.

Next steps

URM has been involved in assisting a wide range of organisations develop and maintain their ROPA.  In our follow-up blog, we will be providing some valuable tips on the procedure to follow in establishing your ROPA.  

If you require any assistance in developing and maintaining a ROPA, please contact URM by email info@urmconsulting.com or phone 0118 206 5410

Data Protection
Responding to Data Subject Access Requests (DSARs)

There is nothing straightforward or simple about responding to a data subject access request (DSAR). Whilst responding to DSARs can be onerous and time-consuming, you cannot take any shortcuts.

Read more
Data Protection
When and How to Conduct a Data Protection Impact Assessment (DPIA)

A DPIA delivers a pre-emptive approach to assessing these risks, and by applying corrective actions can help prevent a data breach occurring. We present an outline of steps in conducting a DPIA

Read more
Data Protection
How to Create a Record of Processing Activities (ROPA)

Creating a ROPA will involve understanding and capturing processing activities throughout an organisation. In this blog, we will outline a step-by-step procedure on how you can create a ROPA.

Read more
Cyber Essentials Plus was a great exercise for the business to go through as some gaps were found and URM provided valuable information on remediation
contact US

Let us help you

Let us help you in your compliance journey by completing the form below and letting us know how we can best support you
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.