How To: Understanding RoPA and Achieving Compliance

Cole Pruden | Data Discovery, GDPR, GDPR Compliance, Private Data

[Infographic: GDPR for PII Tools]

Did you know the GDPR has 99 articles and 173 recitals? You are unlikely to know every provision by heart, but one article deserves extra attention from anyone who handles personal data. Meet Article 30: records of processing activities, or RoPA.

The GDPR

If you’re the kind of person interested in articles about sensitive data and compliance, we sure hope you’re already well aware of the GDPR. But just as a quick refresher: the General Data Protection Regulation is an EU regulation that governs the processing of personal data. It applies to organisations established in the EU regardless of where the processing takes place, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people who are in the EU (Article 3).
If you’d like to learn more about the GDPR as a whole, I’d recommend checking out our deep dive on the subject: Making GDPR Compliance Simple. Otherwise, we can move on and discuss one article in particular that you’re going to need to know.

Article 30: RoPA

As much fun as reading government documents can be, we’d all benefit from a summary of the good stuff. Therefore, we read all of Article 30, so you don’t have to. So, what is it, and why should you care?

For starters, Article 30 of the GDPR is better known by its title: Records of processing activities (RoPA). I know, sexy, right? In short, RoPA is the GDPR’s requirement that each controller “maintain a record of processing activities under its responsibility” (Article 30(1)). Processors have a matching duty under Article 30(2) to keep a record of the categories of processing they carry out on behalf of each controller.

And that’s it. RoPA = keep an up-to-date record of what you do with personal data. Okay, that’s all we need. Can we pack it up and go home then?

Not just yet. Article 30 is quite specific about what the record must contain, requires that it be kept in writing (electronic form counts), and obliges you to make it available to the supervisory authority on request (Article 30(3) and (4)). A record that has drifted out of date is of little use on the day the regulator asks for it, so it has to be maintained as your processing changes. One caveat worth knowing: Article 30(5) exempts organisations with fewer than 250 employees, but only if the processing is occasional, is unlikely to result in a risk to data subjects, and involves no special categories of data or data relating to criminal convictions. Routine customer or employee processing is not “occasional”, so few organisations actually qualify for the exemption.

RoPA Compliance

Alright, now you know that RoPA exists, but what should you do with it? Two words for you: Data Mapping.

Any controller (the entity that decides why and how personal data is processed) that wants a well-organised record of the processing activities under its responsibility should start with data mapping. But what does that mean?

In lay terms, data mapping is the process of identifying and documenting every data element an organisation collects and holds (data sources, fields, systems, data warehouses, and so on) and how those elements flow between systems. Oh, and don’t forget the internal and external third-party systems that hold a copy of the data you collected.

Honestly, the term pretty much speaks for itself. You create a metaphorical map (i.e., a record) of every kind of personal data you hold, with connecting lines showing where it came from, where it goes, who has access to it, and so on.

A RoPA-compliant Record Includes…

In fact, Article 30(1) is kind enough to tell us exactly what sort of information must be included in your record. The graphic below summarises the various kinds of information and how they need to be treated; in full, the record must contain: (a) the name and contact details of the controller, any joint controller, the controller’s representative and the data protection officer; (b) the purposes of the processing; (c) a description of the categories of data subjects and of the categories of personal data; (d) the categories of recipients, including recipients in third countries or international organisations; (e) any transfers of personal data to a third country or international organisation, identifying that country or organisation and, where applicable, documenting the safeguards relied on; (f) where possible, the envisaged time limits for erasure of the different categories of data; and (g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Boiled down to four questions, RoPA asks you to identify what personal data you hold, define its purpose (ask yourself, “Why do I even have this data?”), set how long it should be kept on file, and record who receives it or is allowed access to it.

To achieve RoPA compliance, companies need to describe, properly and specifically, the categories of data subjects, of personal data, and of recipients of that personal data in their records. You can think of it as documenting the lifecycle of each processing activity, from the day the information arrives to the day it is erased.

And, obviously, everything that happened in between. Think “The more info, the better”. Or, as the Information Commissioner’s Office (ICO) so eloquently puts it: “An organization should have an internal record of all processing activities carried out by any processors on behalf of [the] organization,” and be sure that all information is “formal, documented, comprehensive, and accurate.”

The Solution: Data Discovery Software

Now, fully adhering to every specific RoPA requirement and building your own data map present quite a mountain to climb. And remember, we’re only talking about Article 30 out of the 99 articles that make up the entire GDPR!

The fastest and most reliable way to discover, analyse, and remediate personal data at scale is automated data discovery software. Any tool worth its salt lets you define what counts as personal data for your organisation (which patterns, which categories), schedule scans across company-wide storage, and surface misplaced copies of personal data, such as exports sitting in shared drives or log files, that a hand-built data map would otherwise miss.

The right data discovery software covers the inventory side of RoPA: finding the personal data, classifying it, and keeping the record current as systems change. It does not, on its own, decide purposes, lawful bases, or retention periods; those remain decisions your organisation must make and write down. You will be looking for features like AI-driven scanning, easy scheduling, the ability to handle both structured and unstructured data, audit and compliance reporting, and so on.
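To make the “scan and classify” step concrete, here is an added Python example; it is not code from PII Tools or from this post. It assumes a small constructed set of files held in memory and only three detectors (email address, IBAN, payment card number). Real tooling reads file shares, databases and cloud buckets and carries far more detectors, but the shape is the same: patterns define what to look for, checksum validation discards look-alike strings, and the output is an inventory per storage location that feeds the categories-of-personal-data field of the record.

```python
"""Minimal personal-data discovery scan that feeds a RoPA inventory.

Added example, not PII Tools code. It scans constructed in-memory "files"
for a configurable set of personal-data patterns and reports, per storage
location, which categories of personal data were found and how often.
Checksum validation (IBAN mod-97, Luhn) drops look-alike strings so the
inventory is not padded with false positives.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample storage (path -> contents). Every value is made up;
# the IBANs and the card number are the standard published test values.
SAMPLE_STORAGE: Dict[str, str] = {
    "crm/customers.csv": (
        "id,name,email,iban\n"
        "1,Ann Example,ann@example.com,DE89370400440532013000\n"
        "2,Bo Sample,bo@example.org,GB82WEST12345698765432\n"
    ),
    "hr/payroll-notes.txt": (
        "Reimbursement card ending 4111 1111 1111 1111 approved.\n"
        "Contact payroll@example.net with questions.\n"
    ),
    # Looks like personal data but fails validation: should yield no hits.
    "tmp/export-2021.log": (
        "order 42 shipped, ref DE89370400440532013001 status OK\n"
        "card test 1234 5678 9012 3456 rejected\n"
    ),
}


@dataclass
class Detector:
    category: str                                      # wording used in the RoPA entry
    pattern: "re.Pattern[str]"
    validate: Optional[Callable[[str], bool]] = None   # rejects regex false positives


def iban_valid(candidate: str) -> bool:
    """ISO 13616 check: move the first four chars to the end, map letters to
    10..35, and the resulting integer mod 97 must equal 1."""
    s = candidate.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def luhn_valid(candidate: str) -> bool:
    """Luhn checksum over the digits of a payment card number."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# The "parameters" a practitioner tunes: which patterns count as personal data.
DETECTORS: List[Detector] = [
    Detector("contact data (email address)",
             re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    Detector("financial data (IBAN)",
             re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"), iban_valid),
    Detector("financial data (payment card number)",
             re.compile(r"\b(?:\d[ -]?){13,19}\b"), luhn_valid),
]


def scan(storage: Dict[str, str]) -> Dict[str, Counter]:
    """Return {location: Counter({category: hits})}, listing only locations
    where at least one validated hit was found."""
    inventory: Dict[str, Counter] = {}
    for location, text in storage.items():
        hits: Counter = Counter()
        for det in DETECTORS:
            for match in det.pattern.finditer(text):
                if det.validate is None or det.validate(match.group(0)):
                    hits[det.category] += 1
        if hits:
            inventory[location] = hits
    return inventory


def personal_data_categories(inventory: Dict[str, Counter]) -> List[str]:
    """Distinct categories across all locations: the Article 30(1)(c) input."""
    return sorted({cat for hits in inventory.values() for cat in hits})


if __name__ == "__main__":
    found = scan(SAMPLE_STORAGE)
    for location, hits in found.items():
        print(location)
        for category, n in sorted(hits.items()):
            print(f"  {category}: {n}")
    print("categories for the record:", personal_data_categories(found))
```

The tmp/export-2021.log entry is deliberately absent from the result: its IBAN has a wrong check digit and its card number fails the Luhn check, so both are rejected even though the regular expressions match them. That validation step is what keeps a generated inventory trustworthy; a record padded with look-alike strings is as misleading as one that misses real data.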

Achieve RoPA Compliance Today

With the technology available to us right now, there’s no good reason not to achieve RoPA adherence, and the same tooling takes much of the effort out of the rest of the GDPR.

Implementing the right software can really lighten the load of this entire process. And if the potential GDPR fines for noncompliance aren’t enough motivation for you (Article 30 infringements fall under Article 83(4): up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher; the most serious breaches under Article 83(5) go up to EUR 20 million or 4%), then remember that data discovery software will also help keep your employees, business partners, and customers safe.
These people have trusted you with their personal data, so don’t put their goodwill to waste. Protect them simply because it’s the right thing to do.

Give Compliance a Try – PII Tools was Built with the GDPR in Mind