A ROPA (Record of Processing Activities) is a legally required document that inventories all of an organisation's personal data processing activities. It specifies what personal data is processed, for what purpose, who is involved and what safeguards are in place. Organisations must maintain it under Article 30 of the General Data Protection Regulation (GDPR).
Under the GDPR, almost every organisation that processes personal data, whether as a controller or as a processor, must keep a ROPA. Organisations with fewer than 250 employees are exempt, but only if the processing is occasional, does not involve special categories of data (such as health data or data on criminal convictions) and is not likely to result in a risk to the rights and freedoms of data subjects. Since the routine processing of customer or employee data is by definition not occasional, the exemption rarely applies in practice.
The ROPA must contain the following information for each processing activity:
- The name and contact details of the controller (and, where applicable, of the joint controller, the controller's representative and the data protection officer)
- The purpose of the processing
- The categories of data subjects and the categories of personal data
- The categories of recipients of the data (internal and external)
- Transfers to third countries or international organisations, including the identification of the third country and, where required, the documentation of the safeguards in place
- The envisaged deletion periods for the different categories of data, where possible
- A general description of the technical and organisational security measures, where possible
A ROPA is created in four steps:
- Identify all data processing operations
- Gather and record the relevant information about each operation
- Document the information in a structured form
- Update the ROPA regularly whenever processing procedures change
Failure to keep a ROPA can have serious legal consequences. The record must be made available to the supervisory authority on request, and a missing or incomplete ROPA discovered during an audit or a breach investigation can be fined with up to 10 million euros or 2% of the annual worldwide turnover, whichever is higher. Beyond the fines, an organisation without a ROPA loses visibility of its own data processing, which makes it harder to answer data subject requests, to detect unauthorised processing and to identify the affected data and systems when a breach has to be reported within the 72-hour notification deadline.