Creating and maintaining a ROPA (Record of Processing Activities) is essential for data protection and privacy compliance in a medium to larger-sized company. The ROPA is the core of any compliance documentation. It documents the central processes within your organization regarding the processing of personal data. Essentially, it is a data flow analysis from a legal perspective.
Personal data flows through interfaces, so-called data collection points. For example, a data collection point could be your website with a contact form, your mail server where you receive emails or a particular trade show where you engage with potential prospects or customers. For each of these data collection points, it is necessary to evaluate whether it needs to show data protection notices on the rights and liberties of the individual data subject.
Therefore, this is one of the starting points for a ROPA and the data flow it contains. Once the data enters your organization, it is used in various processes linked to systems. These processes have a general description explaining what they do. The description includes the persons who are involved in that process. Depending on the organization’s structure, departments or teams handle the data within a process.
The process documentation also includes the external parties you directly share the information with and who don’t use any application or system. There are two ways of transferring data: A direct transfer would be to send an Excel table with potential prospects to a marketing agency. The second way is through a system; for example, you could have an HR system in place which sends specific HR files or HR information to the provider of the SaaS HR solution.
Both cases are transfers to data processors or controllers. This vendor has to be assessed, and the necessary contracts need to be in place.
Information flows into your organization, processes, various departments, and systems and from there to the data processors or controllers. At the end of the data lifecycles, there are deletion and retention periods defined for the information processed and the systems involved. Using data deletion and retention schedules available in the Priverion platform, makes it easy for the system administrators to maintain the records and implement necessary processes either manually or automatically to delete or retain certain information.
The last step of the data flow is deleting or anonymizing the data. All of this together constitutes the documentation of a processing activity.
Now there is one necessary point left: the risk analysis for this processing activity. The risk analysis considers the likelihood of certain threats occurring and the amount of damage that results from exploiting a vulnerability.
For example, manipulating the data within an HR file might have some financial or reputational impact but no health impact. In comparison, the manipulation of some values in an insulin pump in a hospital would result in very high damage.
These cases must be evaluated to assess risk in these two dimensions of likelihood and amount of damage and within the various sub-dimensions of likelihoods and threat categories.
A determining factor of the likelihood and the amount of the damage is the technical and organizational measures that are applied within that process. For example, the encryption of the data in transit and at rest can even eliminate the damage that a data breach or hacking of the database would cause, as the attacker would only have access to encrypted data. Therefore, the potential damage would be minimal.
This risk assessment is usually carried out within a team, as individuals have a particular perspective or a specific perception of certain risks and likelihoods. Therefore, we highly recommend doing this with the process owner, a data protection officer or a data protection expert, and somebody from the organization’s information security or IT. These three or four people can best assess the risks related to the person affected by that processing and find a consensus or averaging the likelihood and damaged dimensions.
In summary, before starting with the record of processing activities or the risk determination, the organization has to define specific parameters regarding the likelihood and damage. An organization must determine what a small, medium, high, or very high likelihood is for them in this particular assessment. It could occur once a year, monthly, daily, hourly, or every minute. This has to be standardized and written down in a policy so that every employee conducting such an assessment knows the underlying values. The same goes for the amount of damage. When is the amount of damage high regarding the data subject, and when is it low?
Usually, organizations have tables that define what is high damage for them from an information security standpoint. While 100,000 euros could be high damage for some organizations, it’s 100 million euros for others. However, the evaluation must consider the individual data subject and not the organization. In the ROPA, only damages for the data subject are relevant. Here, the average data subject in the processing context is the baseline, and their damages must be evaluated. A loss of 10,000 euros or damage to health or reputation can be significant for an average person, even if the sums from the organization’s perspective are low.
Suppose the assessment results conclude a high risk to the affected individual. In that case, additional technical and organizational measures that depend on the applicable law must be taken to protect the data subject from the identified harm.
Here proportionality is important. The implementation of specific measures which exceed a significant amount might not be proportional to the amount of damage that might be inflicted. In this case, the measure may not be feasible, but there may be alternatives that do not cost as much but can achieve a similar goal.
It is important to note that this high-level evaluation is shorter than a data privacy impact assessment and done from a general risk perspective that enables pragmatic decisions, particularly for special standard situations.
A data privacy impact assessment goes into more detail, looks at more technical and organizational measures, and includes an interview process of the affected stakeholders or a feedback process to the underlying processing activity being evaluated.