Book FREE Consultation

URM is pleased to provide a FREE 30 minute consultation on GDPR for any UK-based organisation. Once an enquiry form has been submitted, we will be in touch to understand the nature of your enquiry and to book a mutually convenient time for a 30-minute consultation slot with one of URM’s specialists.

Records of Processing Activities

Pragmatic and tailored approach to GDPR compliance

FREE GDPR Compliance Review

High-level review of your GDPR compliance position.

Offer is valid until

29/8/2024

Find out more

Records of Processing Activities (ROPAs)

The UK GDPR is a risk-based law.  The Regulation is peppered with provisions which require organisations to assess the risk involved in their processing activities and to adopt ways of mitigating or eliminating those risks: e.g., determining ‘appropriate’ technical and organisational measures (TOMs) to protect personal data proportionate to the risk of the processing, which the Articles of the UK GDPR require in several places.  One of the best initial tools for identifying data risk in an organisation’s processing, i.e., its Record of Processing Activities (or ROPA), is often incomplete or even absent, despite it being a statutory requirement (for the vast majority of organisations) under Article 30 (there is an exemption in Art. 30 paragraph 5, but it is so limited as to be practically irrelevant for most businesses).

A Record of Processing Activities is, as the name implies, simply a written document (often set out in spreadsheet format) which records all the activities, or processes, which an organisation engages in which involve personal data.  The UK GDPR’s Article 30 sets out the minimum information which every ROPA must contain (with the ROPAs of data controllers requiring slightly more detail than those of processors), but the Information Commissioner’s Office (ICO) will expect to see more than the ‘bare minimum’ in each case.  Although the ICO website includes a template ROPA spreadsheet, around 30 columns in width, with each column heading containing a question or point, most modern ROPAs are broader than this and have more columns/queries/aspects.  These are becoming more complex all the time – as more US states pass their own privacy laws with extraterritorial effect, for example.

In URM’s opinion, a ROPA should be front and centre of any controller’s DP compliance effort.  And once the heavy lifting of populating it is out of the way, it is just a question of maintaining it and keeping it up to date.  It then becomes the ‘gift that keeps on giving’ - identifying not just the risky processing, but also the mitigating steps that can be taken to control those risks (learn more how your organisation’s ROPA informs and interacts with its other main data risk management tool, its Data Protection Impact Assessment or DPIA), and the mandatory lawful basis for each process which your organisation engages in.  It can also help you identify your data retention periods, any transfers outside the UK or EU (for example to cloud processors) which might need additional safeguards, what processes need to be communicated to the data subjects on your organisation’s privacy notices, and much more.  It’s an invaluable document and, as mentioned, unless your organisation is unusual enough to qualify for the very restricted Art. 30.5 exemption, not only is it legally compulsory, but the ICO can also ask to see your ROPA at any time.

URM has helped a number of organisations develop their ROPAs and, once developed, can help you identify not just the risky processing, but also the mitigating steps that can be taken to control those risks.  It’s worth remembering that the ROPA will be one of the first compliance documents requested by the regulator in the event of a data breach.

Get in touch

Please note, we can only process business email addresses.

Why URM?

Track record

URM’s DP and GDPR consultants have extensive ‘real world’ experience as both practitioners and subject matter experts working at a senior level within business and in their data protection consulting roles advising organisations on best practice.  With a 19-year track record assisting organisations to comply with legislation such as the Data Protection Act, the GDPR, the Privacy and Electronic Communications (‘PEC’) Regulations and local country-specific legislation, URM has earned a reputation for adopting a pragmatic and business appropriate approach.

Flexible service offerings

A key differentiator between URM and other data protection service providers is our flexible service offerings.  Our virtual DPO service can be customised to your precise requirements, in terms of the type of support you require and the frequency of support days (remote or on site) etc. Equally, with our remediation support, URM can assist you to address any gaps identified and achieve full GDPR and other legal compliance. We can also help you maintain that compliance through our GDPR auditing services.

Knowledge transfer

URM prides itself on its knowledge transfer philosophy and training expertise which help to ensure that you not only understand what the principles and requirements of the data protection legislation are but also how best to meet them.

Information Security FAQ

Are You Getting Cookies Compliance Wrong?

Published on
6/12/2024

URM’s blog discusses the GDPR and PECR requirements on cookies, common noncompliant practices & how you can ensure your approach to cookies is compliant.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
22/11/2024
Updated Data Protection Laws Introduced by Chile and India

URM’s blog explores the different requirements introduced by these new laws, and the likelihood of a subsequent UK/EU adequacy decision for each nation.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
31/10/2024
DUA Bill: An Initial Assessment

URM’s blog compares the Government’s new Data (Use and Access) Bill with the previous Government’s DPDI Bill, & how it may alter the UK GDPR when it is passed.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
27/9/2024
Data Protection Considerations for Monitoring Employees

URM’s blog offers key advice and detailed guidance on how to balance your organisation’s needs with GDPR compliance as you perform workplace monitoring.

Read more
"
I Have been very impressed with the delivery of both the ISO 42001 webinar and last weeks 27001 and will certainly keep URM in mind with regard to any services in the future.
Webinar Attendee
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.