¶ Record of Processing Activities (ROPA)
The Record of Processing Activities (ROPA) is a detailed, permanent, immutable and auditable record which outlines the data processing activities carried out by an organisation. It includes information about the types of personal data processed, the purposes of the processing, the categories of data subjects involved, the recipients of the data, data transfers to third countries, and the security measures in place.
¶ Context
¶ Background
Maintaining a ROPA helps organisations demonstrate compliance with the GDPR's accountability principle (and specifically with Art. 30 of the GDPR), which requires organisations to be able to demonstrate how they comply with data protection principles. It serves as a tool for organisations to have an overview of their data processing activities and to ensure transparency and accountability in the handling of personal data.
¶ How is a ROPA entry different from a regular PA saved in SENTINEL?
In SENTINEL, a ROPA entry is a "snapshots" of a Processing Activity. When you are satisfied that the PA you are editing depicts the actual, real-life data processing in your organisation, you may choose to "permanently commit' it to the ROPA, with a timestamp and version, so a, so-to-speak "permanent" entry is created to be reviewed or edited at any point later in time.
ROPA are immutable, i.e. entries may not be altered or deleted once committed to the ROPA.
ROPA entries are also versioned. This means that if you make a modification in a PA and try to commit it again, it will not overwrite the existing ROPA entry, but create a new version instead. Older ROPA versions of the PA may be browsed and viewed normally in the SENTINEL ROPA interface.
By contrast, regular PAs are not intended for compliance purposes and may be edited, deleted etc. at will.
- See also:
Record of Processing Activities
¶ Procedure
¶ Creating a ROPA entry / committing a PA to the ROPA
- Click "Data Protection > Processing Activities" on the Main Menu, and edit the PA of your choice.
- When editing a regular processing activity, click on the "Commit to ROPA" button in the top of the page to permanently commit this PA to the ROPA.
- Read the disclaimer text i nthe confirmatory dialog and click OK if you agree.
- A permanent copy of the PA is now created in the ROPA.
¶ Viewing a ROPA entry
- Click "Data Protection > Processing Activities" on the Main Menu
- Scroll to the second part of the page called “ROPA your permanent record”, where you can see the full list of the permanent recorded processing activities.
- Select one to view the details.
- Note that you may browse EARLIER versions of this ROPA entry if they exist, using the "Previous versions" section at the boottom of the left sidebar:
¶ Exporting a ROPA entry
Click on the 'Export' button to download an offline PDF copy of the CURRENT ROPA ENTRY VERSION.
¶ Marking a PA in the ROPA as inactive
Click on the 'Mark as inactive' button to mark the CURRENT ROPA ENTRY VERSION as inactive.
This functionality (currrently under development) is used when your organisation no longer performs this specific PA in the real world, and you need to mark it as such in SENTINEL, so that an audit process might take it into account. PAs marked as inactive in the ROPA may not have newer versions saved, but older versions are still browsable, viewable and exportable.
¶ Prerequisites
(required) Having created at least one complete Processing Activity before it may be committed to the ROPA.
Previous topic: View-PA
Next topic: GDPR-assessment