
Records of processing activities (ROPAs)

Top 3 data protection program issues and how to start resolving them: #16

When it comes to processing, your company is either in control, or it’s not.

There’s no ‘kind of in control.’

On a basic level, your ROPA will provide an overview of your processing.

How can you claim to be in control if you don’t have one, or it was last updated a year or more ago?

Many of the ROPA issues companies have stem from an over-eagerness to populate their ROPA without a strategy or governance model.

Here are 3 common issues.

#1 Static and out of date

Establishing an initial ROPA requires tremendous effort eliciting processing activities across your company.

It’s also an opportunity to engage with key stakeholders, and an opportunity to educate them.

Education is important to ensure the quality of responses, and also if you want to embed ownership for ROPA updates in the teams where the processing takes place.

And this is where it often goes wrong.

If you don’t have a ROPA governance model sketched out before you start that sets out responsibilities, you’ll struggle to establish one later.

Embedding update triggers in your operational procedures is also part of ensuring your ROPA is living and breathing.

No ROPA governance and your ROPA quickly goes out of date.

One processing activity at a time.

And then one more...

#2 Zero value

Understanding and articulating the value of a ROPA beyond compliance with GDPR’s Art. 30 requirements will only help you get buy-in and get others to take ownership.

There are plenty of opportunities to enrich the ROPA with other useful information and integrate with other repositories and tools within your organisation.

An enriched ROPA becomes useful to others outside the data protection team.

Providing value to others, not just ticking the GDPR box.

#3 Money wasted

There are so many ROPA solutions.

It’s a crowded market.

Still, lots of money is wasted by companies sourcing ROPA tools that are not fit for purpose.

I wrote an article about this a few years ago which is still relevant today:

Since I wrote the article, I sense many companies are locked into solutions that are cumbersome and expensive.

Some may regret not having a strategy, or understanding integration requirements, or not having a governance model defined upfront.

Purpose and Means help Data Protection Leaders refresh their work focusing on business alignment and orchestration.

We’re based in Denmark, but operate globally.

If this issue resonates, book a call to discuss your requirements!

Petruta Pirvan
Tim Clements
February 21, 2023

