April 29, 2021

The RoPA Problem and How Data Discovery Can Help

Christopher Pin

These days, anyone with a job title such as privacy manager/analyst or compliance manager/engineer, or anyone working in data governance or data security, will very likely be faced with records of processing activities (RoPA) or a data management project similar to RoPA.

RoPA, which is featured in Article 30 of the GDPR, requires all data controllers and processors to maintain a record of the processing activities under their responsibility. While RoPA may be a specific GDPR requirement, it's becoming more and more necessary to keep track of business processes in order to abide by other data privacy laws as well. After all, how will you be able to provide user data when requested if you are unsure of where or why you have the requested data?

Data included in the record of processing must contain the following information:

  • Name of the business process. This could include, for example, interviewing candidates, onboarding an employee, or online customer registration.
  • Purpose of processing. The business may need to lawfully process data for employment laws, background investigations, online profile creations, or other valid reasons.
  • Categories of data subjects, and personal data in scope for this business process. Examples of a "category of data subject" include employees, online customers, in-store customers, or vendors. A "category of personal data" might involve financial information, shipping information, contact information, or employee information.
  • Transfers to third party countries or other third-party international companies.
  • Retention time periods.
  • Description of security controls in place for this business process.

Data Verification and RoPA Assurance / Validation

While the label "processing" may lead businesses to believe that it is limited to active events, RoPA must also cover any data that sits on a server or a shelf. This means that businesses need that data to be discoverable in order to verify RoPA.

When it comes to data, most businesses are generally not technical and are only aware of the various front-end apps that they interact with; more often than not, they have no knowledge of the backend systems or the data within them. They may think certain data elements are being stored in systems or repositories and may believe that data is being protected, but they do not know for certain. Data discovery tells your team which data elements are in which systems, so you can verify whether or not the RoPA is valid.

Furthermore, data discovery can help highlight areas of confusion or uncertainty within the business so that IT security can better protect the environment. Often these types of investigations will also lead to a company kicking off a data minimization project, another area where data discovery can help. Because of its broad platform support, data discovery is able to tell you where the same data is stored. If the business is unable to map a purpose of use for that data set, it should trigger an internal conversation about whether the data is really needed or can be removed for good.

In addition to data verification for your records of processing, data discovery can also assist with any Privacy Impact Assessment (PIA) or Data Protection Impact Assessment (DPIA) by allowing you to understand exactly which types of data elements are involved in or impacted by any organizational or systematic change. Keeping an eye on where your data is across the enterprise enables limitless value and endless possibilities for the business.

Data Cataloging and the RoPA Process

Generally speaking, data catalogs are driven by the business along with the data governance team. These teams are generally focused on the business use case and the purpose of the data's existence, along with the quality of the data. Going through this process, those catalogs will collect business information such as purpose of processing, business process, retention, or even known security controls.

Leveraging a partnership with Collibra, PK Discovery can help inform actual knowledge of the real data that is inside of tables, columns, and even files that privacy or compliance groups want to see. This empowers businesses with a robust solution for most data projects, whether those projects are focused on security, compliance, privacy, or governance.

Find out how PK Discovery can empower your RoPA process. Request a free demo now.
