All organisations subject to the UK GDPR have a legal obligation to maintain an up-to-date and meaningful Record of Processing Activities (RoPA).
This register serves a number of purposes and provides advantages, which we will outline later.
Processing activities, as defined in the GDPR, encompass a wide range of things, including the mere storing of data: those HR records you are storing permanently also count as a processing activity, even if you are not really doing anything with them.
Examples could be the handling of HR records, handling of consent forms for a school trip, processing meals through an electronic till system and many others. A good way to identify your processing activities is to look at what systems you have bought, and what you use them for. If you are using GDPRiS, then you will have uploaded some personal data into it (e.g. staff names and email addresses). Therefore you would declare a processing activity including staff data for the purposes of: staff training, documentation of incidents, undertaking of internal accountability and audit, document dissemination, management of subject requests and so on.
We are not going to go into what should be in each record in the register, the ICO guidance covers this very well. We want to highlight the real benefits your RoPA can bring to your school or MAT.
9 reasons why RoPA is good for you
- Compliance with Data Protection Law
The UK GDPR demands you maintain a Record of Processing Activity (RoPA). This record demonstrates your understanding of the law, and your commitment to meet its requirements. In fact, one of the first things you’ll be asked for in an inspection or audit by the ICO is your RoPA!
- Transparency and Accountability
Your RoPA provides transparency about how personal data is being processed within your organisation and helps with demonstrating accountability for data processing activities. If you end up in a dispute over your safe handling of personal data, you may be asked to provide your RoPA (remember to cleanse it of personal data, before you do!).
- Risk Assessment and Management
Your RoPA allows you to assess and manage risks associated with data processing, including identifying potential vulnerabilities, and implementing appropriate security measures. Adding an activity to your RoPA should be one step of your programme to safely begin a new processing activity. Entering a record into your RoPA should prompt you to undertake a risk and impact assessment.
- Data Minimisation and Purpose Limitation
Having to enter a record onto the register each time you start a new processing activity (or when reviewing legacy activities) will prompt you to consider what you are hoping to achieve with the activity, and whether you really are (still) collecting 'just enough' data to achieve your goal. You must ensure that personal data is only collected and processed for specific, lawful purposes, and is not retained longer than necessary. It is common to sign up to a system for a specific processing activity and, over time, to start using it for other purposes (e.g. because the vendor adds more features). The periodic RoPA review is a good time to check that we understand, and are comfortable with, all this scope creep.
- Data Subject Rights
RoPA facilitates the exercise of data subject rights (e.g. right to access, right to rectification) by providing a clear overview of data processing activities and the relevant contact points. If you are asked to erase, show or correct data, the register will tell you where to find that data.
- Data Breach Response
A well-maintained RoPA can be invaluable in responding to data breaches. It helps in identifying affected data subjects, evaluating the impact, and notifying the relevant authorities within the required timeframes.
- Third-Party Relationships
Because many processing activities are achieved with the help of a processor, external to your organisation, it is entirely possible, even advisable, to keep track of due diligence outcomes within your RoPA. You could also document your contract expiry dates here and set yourself reminders to review your supplier relationship in plenty of time before you renew your contract.
- Efficient Audits and Inspections
As we highlighted earlier, your RoPA is a key document that will please your auditor if it is there and well maintained, and displease them if it isn’t.
- Training and Awareness
A well-maintained RoPA also supports training and awareness initiatives within your organisation, helping employees understand their responsibilities regarding data protection. You can even track within your RoPA who has access to certain systems or takes part in certain processing activities, which is really useful for your staff onboarding and offboarding processes.
The UK’s data protection reform
As of early 2024, it is relatively clear that the government will convert its proposed changes under The Data Protection and Digital Information Bill into data protection law.
There are rumours circulating in the education sector that once the bill becomes law, schools will no longer need a RoPA... this is absolutely false! While there are some changes to the demands on RoPA, the changes are not substantial and, as education organisations process special category data, they are not likely to change what is required of schools and MATs.
Practically all UK organisations process some EU citizens’ data. We therefore recommend that a RoPA be kept in line with EU GDPR. That is sure to satisfy the requirements of any future changes in the law, provide the practical benefits outlined above, and also align with EU law for added reassurance.