Introducing Processing Activity Discovery: Automate RoPAs with Privacy Code Scanning + Generative AI

Ben Werner
March 28, 2024

Safeguarding personal data and demonstrating compliance no longer has to be quite as hard. 

We’re excited to introduce our processing activity discovery feature that uses Privado Code Scan and generative AI to automatically identify and document all processing activities.

Privado now enables privacy teams to complete privacy assessments like RoPA without support from product or engineering teams. 

Why data processing activities are so important

According to Article 30 of the General Data Protection Regulation (GDPR), all processors and controllers of personal data must maintain a live Record of Processing Activities, or RoPA. A RoPA requires privacy teams to list each processing activity, identify which categories of personal data it uses, and describe the purpose of each activity.

To maintain compliance, privacy teams typically ask product and engineering teams to complete questionnaires documenting each activity for which personal data is used. This means engineers have to stop coding and answer complex privacy questions they are likely not trained to answer.

Because the questionnaires require engineers to spend many hours manually reviewing code and databases, privacy teams typically have to wait 12-18 months to complete RoPA reports. In addition, privacy teams must manually review questionnaires and continually follow up with engineers to complete missing questionnaires or clarify past responses. 

When over 42% of engineers release software at least once a month and over 69% release at least once every six months, most RoPA reports are out-of-date before they’re even done. In addition, the inexact process of relying on human judgement commonly leads to reports with missing or inaccurate information. 

Despite countless hours of effort to prove compliance, many companies submit inaccurate RoPA reports that open themselves up to GDPR fines that can seriously damage their brand and their bottom line.

The current approach for RoPAs is a bit like watching your dog chase squirrels. No matter how hard they try, they don’t stand a chance.

Privacy code scanning + generative AI = automated RoPAs

Before this release, Privado privacy code scanning pre-filled and self-updated key portions of RoPA reports, including the data categories, data transfers, and data processors. By leveraging generative AI, Privado can now automate RoPA reports to the point that engineers no longer have to be involved. 

To achieve this, the Privado engineering team fine-tuned a large language model (LLM) specifically for this problem. The LLM identifies all processing activities from Privado code scans and writes detailed descriptions of how data is used in each activity.

Now customers can instantly see how every code repository is processing personal data and for what purpose. Instead of waiting months for engineers to complete questionnaires, RoPAs can be completed in a matter of days and will automatically stay up-to-date. 

For example, Privado scanned Shopizer, a popular open source headless commerce solution for ecommerce websites, and automatically generated the following processing activities.

Privado feeds the autogenerated processing activities into privacy assessments within Privado or other tools, enabling reports like RoPA reports to be completed with only minimal manual effort from privacy teams. 

In addition to automating privacy assessments, privacy teams can now use these self-updating tables of processing activities to immediately identify privacy risks. The processing activities are segmented by code repository, so privacy teams can tell engineering teams exactly where the risks lie and how they should be addressed.

Start automating processing activity discovery

Automated processing activity discovery is available to all Privado customers at no additional cost. Contact your customer success manager or our sales team to learn more and get one step closer to fully bridging the Privacy Engineering Gap.

About Privado.ai

Privado.ai is a developer-friendly privacy platform that helps enterprises bridge the privacy engineering gap. Its privacy code scanning solution embeds privacy in the product development lifecycle and empowers privacy and security teams with complete data lifecycle visibility, programmatic privacy governance, and seamless developer collaboration. See our platform page to learn more.

Ben leads product marketing at Privado
