A Guide to GDPR Article 30

The General Data Protection Regulation (GDPR) requires organizations to keep a record of how they process personal data, known as a Record of Processing Activities (RoPA) or an Article 30 Report.

Done right, a RoPA can bring great benefits to your organization. And creating and maintaining a RoPA doesn’t have to be a resource-intensive task.

This article will explore whether you need a RoPA, how to efficiently create and maintain a RoPA, and what information a RoPA must include.

Record of Processing Activities

A RoPA or Article 30 Report is a document that records an organization’s personal data processing activities.

• “Personal data” means any information that can directly or indirectly identify an individual, including a name, email address, or even technical and device information.
• “Processing” personal data means doing pretty much anything with it, including collecting it, storing it, deleting it, or sharing it.

Creating and maintaining a RoPA is a legal requirement under Article 30 of the GDPR. Regulators can ask to view a company’s RoPA in response to a complaint or as part of an investigation.

Benefits of Creating a RoPA

Beyond legal requirements, creating a RoPA is also an excellent way to keep your data processing activities organized and under control. A RoPA provides a clear “bird’s eyes” view of:

• What personal data you’re collecting.
• Why you’re collecting personal data.
• How you’re using personal data.
• Who you’re sharing personal data with.
• Whether you’re keeping personal data secure.

Most organizations think they know all this—but it’s surprisingly easy to collect and share personal data without realizing it. 

Creating a RoPA can provide peace of mind and keep you accountable under the GDPR and other data protection and privacy laws.

Who Needs a RoPA?

Almost every organization covered by the GDPR needs to maintain a RoPA.

The GDPR contains an exemption for smaller businesses. If your organization has fewer than 250 employees, you only need to record processing activities that are:

• “Not occasional”.
• Present a risk to people’s “rights and freedoms”.
• Involve “special category data”.
• Involve data about criminal convictions.

‍Special category data is sometimes called “sensitive data” and includes information about people’s race, health, sexuality, or beliefs (among other things).

Any organization with 250 or more employees must record all of its processing activities in a RoPA.

RoPAs for Small and Medium-Sized Organizations

Smaller organizations are not entirely exempt from maintaining a RoPA—they still need a RoPA to record regular or risky processing activities.

Official guidance from EU data regulators provides some examples of data processing that still requires a RoPA, even for smaller organizations:

• Any data processing carried out “regularly”.
• Any data processing that occurs as part of a company’s “regular course of business or activity”.
• Processing data about employees (for example, HR records and payroll information).
• Any processing that results in a “risk (not just a high risk)” to individuals.

The UK’s data regulator provides the following example of how this might apply in practice in a hypothetical insurance firm with 100 employees. 

• The company processes personal data about insurance claims, sales, and HR. This processing is not occasional, so it must be recorded in a RoPA.
• The company occasionally conducts an internal staff survey. This processing is occasional and is not risky, so it does not need to be recorded in a RoPA.
• The company occasionally conducts profiling of its customer database to classify insurance risks. Although this processing is occasional, it is also risky, so it must be recorded in a RoPA.
• The company does a recruitment drive and asks applicants about their health and ethnic origin. This processing involves “special category data”, so it must be recorded in a RoPA.

RoPAs for Smaller Tech Companies

If your company develops software, you will likely need a RoPA—regardless of your company’s size. This is because software like SaaS applications and mobile apps routinely collect personal data.

Personal data under the GDPR can include information such as IP addresses, mobile IDs, and cookie data. Because processing this data falls within your company’s “regular course of business”, you’ll need to record this processing in a RoPA.

How to Create a RoPA

You might need to spell out the benefits of having a RoPA—and the risks of not having a RoPA—to get support from senior leaders at your company.

Let’s look at the process of creating and maintaining a RoPA.

Gathering Information

To create a RoPA, you need to gather information about your company’s data processing practices.

There are several ways to learn about how your organization processes personal data:

• Interviews and surveys: Ask people about how they or their departments collect and use personal data, including how long they store the data and who they share it with.
• Code scanning: If your company provides an app or other software product, privacy code scanning can automatically identify what personal data your software collects and shares.

These activities can form part of a wider data mapping exercise. Creating a data map is a crucial way to learn how data flows through your organization. Your RoPA can derive from your data map.

You might find gaps in the information people provide. For example, people might not know how long they store certain types of personal data. Make a plan to close these gaps.

Recording Information

Once you start gathering information about your company’s data processing practices, you’ll need to record the information in your RoPA.

You should keep your RoPA in electronic form, not on paper, as you’ll need to update it regularly.

There are two main approaches to creating a RoPA:

• Spreadsheets: Manually entering information into a spreadsheet can be time-consuming and unreliable. However, this method might work best for small companies with simple processing operations.
• Automation: Privado can automatically create data inventories, map data flows, and export the relevant information into a RoPA. Automation is likely the best solution for most organizations.

Whatever approach you take, your RoPA must be formal, well-organized, and kept up-to-date.

Maintaining Your RoPA

A RoPA is not a “point in time” exercise. Your RoPA is a live document that requires regular reviews and updates.

Maintaining your RoPA might involve:

• Regular reviews with stakeholders. Ask if teams have adopted any new processing activities not yet included in the RoPA. High-risk activities might require quarterly reviews, whereas lower-risk activities could merit annual or biannual reviews.
• Syncing data protection impact assessments (DPIAs) with your RoPA to ensure new processing activities are recorded.
• Linking your vendor risk management program with your RoPA to ensure you’re recording data flows and recipients.

Privado’s assessment automation solution can help bring together all aspects of your privacy management program and ensure your RoPA includes everything required.

What to Include in Your RoPA

We’ve considered when a RoPA is required and how to start creating a RoPA. But what information should you include in your RoPA?

Article 30 of the GDPR lists the RoPA requirements for: 

• Controllers: Organizations that decide why and how to process personal data, and 
• Processors: Organizations that process personal data on behalf of a controller.

The GDPR lists the minimum information required in a RoPA. You might want to include further information if it’s useful for your operations.

Controller RoPA Requirements

Under Article 30, a controller must include the following information in its RoPA:

• The name and contact details of the controller (and its data protection officer, if relevant), and any joint controllers.
• The purposes of the processing (why the controller processes personal data, e.g. “sending customers marketing emails”).
• The categories of data subjects (e.g. “subscription customers”) and personal data (e.g. “email addresses”).
• The categories of recipients of the personal data (e.g. “email marketing providers”—you can also specify vendors or other recipients, e.g. “MailChimp”).
• Details of any international transfers of personal data, including the relevant third country and safeguard (e.g. “United States, standard contractual clauses”).
• Personal data storage periods (e.g. “until the data subject unsubscribes” or “two years”).
• Details of any data security safeguards (e.g. “encryption in transit and at rest”).

It can also be useful to record other information, such as the legal basis for processing different types of personal data.

Processor RoPA Requirements

A processor must include the following information in its RoPA:

• The name and contact details of the processor (and its data protection officer, if relevant), plus the names and contact details of each of its controllers.
• The categories of processing carried out for each controller (e.g. “storing customer email addresses, sending marketing emails”).
• Details of any international transfers of personal data, including the relevant third country and safeguard (e.g. “United States, standard contractual clauses”).
• Details of any data security safeguards (e.g. “encryption in transit and at rest”).

Creating Your Article 30 RoPA

A RoPA is a crucial part of GDPR compliance and a great way to help manage privacy in your organization.

A RoPA can also help meet requirements under other laws, such as the California Consumer Privacy Act (CCPA) or Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

A RoPA can also help compliance with standards such as the NIST Privacy Framework or ISO/IEC 27001.

Remember to include people from across your organization when developing your RoPA, and consider using automated tools to keep your RoPA up-to-date.