Streamlining GDPR Compliance With ROPAs, Data Flow Maps and DPIAs

08 August 2024

Few people enjoy complex compliance – and GDPR (General Data Protection Regulation) compliance can be both complex and documentation-heavy. Even a simple request, such as a data subject exercising their rights, can generate a lot of work.

One way to streamline GDPR compliance is to make your ROPAs (records of processing activities) a focal point. Another is to look at your ROPAs together with data flow maps and DPIAs (data protection impact assessments).

We asked Andy Snow, a DPO (data protection officer) and data privacy trainer, to explain how to simplify and streamline GDPR compliance, using ROPAs as a starting point and moving on to data flow mapping and DPIAs.

Records of processing activities

Previously, we discussed ROPAs. One practical tip you gave was to first list all processing activities before adding lots of data points. Another tip was to consider your ROPA a ‘one-stop shop’ – having all your information in one place. Could you elaborate?

ROPAs are a single place for you to understand your processing activities. And not just you – other stakeholders, too.

Suppose that the ICO [Information Commissioner’s Office] audits you. The first thing the regulator will likely ask for is your Article 30 ROPAs. If the ICO then wants to know, say, what lawful basis you’re relying on, they should be able to see it right there, in that ROPA.

Your ROPA should already have a column for lawful basis. Plus, if that lawful basis is legitimate interests, you could then add columns for:

  • A brief outline of that legitimate interest; and
  • A hyperlink to your LIA [legitimate interests assessment], proving the validity of that legitimate interest.

On the other hand, if your lawful basis is consent, you could also have a column that hyperlinks to evidence of that consent:

  • When and how did the data subject give their consent?
  • What information did you give them at the time?
  • What withdrawal mechanism do you use?
  • And so on.

The ROPA is a high-level summary that should provide an immediate overview of:

  • All your processing activities; and
  • All the risks associated with them.

What sort of risks are you referring to here? And how can a ROPA give an overview of them?

The risks the GDPR always focuses on – risks to the rights and freedoms of data subjects.

As to how a ROPA provides an overview – you should have columns that indicate:

  • How you’re processing and securing the personal data, using appropriate technical and organisational measures;
  • What Article 6 lawful basis you’re relying on and, for special category data, Article 9 exemption;
  • How you’re meeting the Article 5 data protection principles;
  • What data subject rights are applicable;
  • Whether international transfers are taking place, what mechanism you’re relying on to legally transfer personal data to a third country, and how you’re securing those transfers; and
  • The level of risk of the processing activity, and if the risk is high, that you’ve performed a DPIA, with a link to that assessment.

The GDPR doesn’t require you to include all this in your ROPA, but this list does reflect the Regulation’s requirements, and it provides a convenient means of showing that you’re complying with them.

Collecting this data in your ROPA also gives a simple, clear overview of these data points, which in turn gives you a much clearer picture of your risks.

Data flow mapping

Let’s dig into what you said about “how you’re processing and securing the personal data”. What would that look like in a ROPA?

You’d have a group of columns in your ROPA that look something like this:

You can also add columns for implemented security measures, including information on encryption. For instance, you might have a drop-down menu with items like:

  • Pseudonymisation
  • Anonymisation
  • Encryption
  • Plaintext

You could also add details on the specific encryption protocol, particularly if your organisation uses more than one.

And you then feed this information into a data flow map?

Correct, but a data flow map also takes things further. It visualises the data flows, so you can easily see:

  • Which departments are using what data; and
  • The risks your data might be subject to.

For example, if your data flow map shows you’re storing a lot of personal data in Cloud-based databases, have you implemented appropriate access control?

The nature of the Cloud is that you can access it from anywhere with an Internet connection, so restricting access is vital, particularly if staff work remotely. If your employees are also based internationally, ensure you’re meeting local laws as well as the UK GDPR requirements.

Another thing to pay attention to is configurations – you really don’t want to inadvertently make your database publicly available, so did you configure it properly?

So, your data flow maps help organisations secure their personal data?

Yes. Because data flow maps show you where you’re storing, processing and transmitting personal data, they give a clear idea of where your security risks are.

They also clearly show who’s using the data, and that tells you who to talk to in order to better understand and address those risks. This mapping exercise will highlight data you might be collecting but not using, in which case you should destroy it to:

  • Meet your GDPR requirements [e.g. the data minimisation principle];
  • Reduce the risks [the impact of a data breach]; and
  • Save you money [storage costs].

Data protection impact assessment

You previously suggested using ROPAs in conjunction with tools like DPIAs, and that detailed ROPAs help you conduct DPIAs and risk assessments further down the line. Could you elaborate?

I see all three – ROPAs, data flow maps and DPIAs – as tools to help you understand your processing activities.

I don’t look at the ROPAs in isolation: all three together enable you to demonstrate accountability and compliance with Article 30.

But the focus of each tool is different, of course. For instance, DPIAs revolve around risk – the idea is that you only need to conduct a DPIA if the processing presents a high risk to the rights and freedoms of data subjects,* which you then look to address, to reduce that risk to an acceptable level.

*It’s also worth checking Article 35(3) of the GDPR for specific examples that constitute high-risk processing, as well as the list of examples on the ICO website and the Article 29 Working Party guidelines (endorsed by the EDPB).

How can organisations track their risks?

Specific to risks relevant to the GDPR, again, you can create a group of columns in your ROPA to track key data points. If you don’t feel comfortable with spreadsheets, an automation tool can help by providing a template that you work within. In a spreadsheet, this might look something like this:

Depending on your needs, you may want to use slightly different columns, but I recommend tracking your risks in your ROPAs, as this takes advantage of the fact you’ve listed out all your processing activities. In effect, those records are your asset register – a key element of an asset-based risk assessment, which is a skill that’s fundamental to data protection, privacy and information security management.

You can further simplify things by colour-coding your risks to highlight those that require further action. You can also use Excel formulas to automate certain columns, or even use dedicated software to fully automate the process and save you a lot of time, as well as the risk of not saving your work and having to start all over again.
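As an added illustration (not part of the interview, and not code from any tool the page mentions), the following Python script applies the column dependencies Andy describes to a ROPA held as a table: legitimate interests needs a linked LIA, consent needs linked consent evidence, special category data needs an Article 9 condition, a high-risk activity needs a linked DPIA, and an international transfer needs a named mechanism. The column names, the three sample activities and the red/amber/green status used for the "further action" colour-coding are all constructed for this example.

```python
"""Consistency checks over a ROPA kept as a table (one row per processing activity).
Column names and sample rows are constructed for this example; each rule mirrors a
column dependency described in the interview."""

def row(activity, **cols):
    """Build a ROPA row with blank defaults so the sample register stays short."""
    base = {"lawful_basis": "", "special_category": False, "article_9_condition": "",
            "security_measure": "", "international_transfer": False,
            "transfer_mechanism": "", "risk_level": "low", "dpia_link": "",
            "lia_link": "", "consent_evidence_link": ""}
    return {"activity": activity, **base, **cols}

# Constructed sample register: one clean row, one with a single gap, one with several.
ROPA = [
    row("Payroll", lawful_basis="contract", security_measure="Encryption"),
    row("Marketing newsletter", lawful_basis="consent", security_measure="Pseudonymisation"),
    row("Staff health records", lawful_basis="legitimate interests", special_category=True,
        security_measure="Plaintext", international_transfer=True, risk_level="high",
        lia_link="https://example.invalid/lia/7"),  # placeholder URL, not a real LIA
]

def check_row(r):
    """Return the gaps found in one row; an empty list means the row is consistent."""
    findings = []
    basis = r["lawful_basis"].lower()
    if basis == "legitimate interests" and not r["lia_link"]:
        findings.append("legitimate interests relied on but no LIA linked")
    if basis == "consent" and not r["consent_evidence_link"]:
        findings.append("consent relied on but no consent evidence linked")
    if r["special_category"] and not r["article_9_condition"]:
        findings.append("special category data without an Article 9 condition")
    if r["risk_level"].lower() == "high" and not r["dpia_link"]:
        findings.append("high-risk processing without a linked DPIA")
    if r["international_transfer"] and not r["transfer_mechanism"]:
        findings.append("international transfer without a named transfer mechanism")
    if r["security_measure"] == "Plaintext":
        findings.append("personal data held in plaintext; review technical measures")
    return findings

def check_ropa(rows):
    """Map activity name -> (colour, findings); red = high risk with gaps, amber = gaps."""
    report = {}
    for r in rows:
        findings = check_row(r)
        colour = "green" if not findings else ("red" if r["risk_level"].lower() == "high" else "amber")
        report[r["activity"]] = (colour, findings)
    return report

if __name__ == "__main__":
    for activity, (colour, findings) in check_ropa(ROPA).items():
        print(f"{colour.upper():5} {activity}: {'; '.join(findings) or 'no gaps'}")
```

The same rules could be expressed as spreadsheet formulas in an extra "further action" column; the script simply makes them explicit and repeatable across the whole register.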

Bringing together ROPAs, data flow mapping and DPIAs

Let’s wrap things up. Where do organisations begin with GDPR compliance?

With their ROPAs. If you don’t have a clear overview of your processing activities, it becomes virtually impossible to meet your other legal requirements.

It’s akin to implementing cyber security without a risk assessment – if you don’t know what your threats and vulnerabilities are, you can’t implement cyber defences effectively.

Compiling your ROPAs tells you what personal data you’re processing, along with how, why, when and by whom. Just those basics make for a decent start to compliance.

In time, you can add columns and data points not listed in Article 30 but that are mentioned elsewhere in the GDPR. If creating your ROPAs is becoming complex, there are guides, software and consultancy that can support this project. You can also reflect good practice, for example by including data flow maps. These include information about DPIAs, as well as information about lawful basis, applicable data subject rights, and so on. Take GDPR compliance one step at a time, using your ROPAs as your base.

About Andrew Snow

Andrew ‘Andy’ Snow is a GDPR DPO with extensive public- and private-sector experience in regulatory compliance, privacy compliance framework development, and other areas relating to data protection.

He’s also an enthusiastic data privacy and cyber security trainer, consistently receiving high praise from course attendees – in particular, for his engaging delivery style and plethora of real-life examples.

Previously, we’ve interviewed him about GDPR ROPAs, GDPR Article 28 contracts and the UK–US ‘data bridge’ (Data Privacy Framework).
