GDPR: How do I create a register of processing activities?

Since the General Data Protection Regulation (GDPR) became applicable in 2018, companies have had to adapt to many changes in data protection. One of them is the register of processing activities (ROPA). It is one of the most important documents a company must create to comply with data protection requirements and to meet the accountability obligation in Article 5(2) of the GDPR.

The GDPR requires companies to keep written documentation giving an overview of all automated or manual processes that involve the processing of personal data (Art. 30 GDPR). But what does this mean in practice, and who has to keep such a register? What do you need to pay attention to? We show what a register of processing activities must look like and give practical tips for a GDPR-compliant implementation.

Do you need support or have questions about the topic of a processing directory? Our team consisting of experts in data protection law, IT, and security, will be happy to support you in implementing data protection regulations. Contact us directly for a no-obligation initial consultation.

The most important facts in brief
  • As a rule, companies must keep a register of processing activities.
  • Creating one involves much effort initially, but it facilitates handling personal data in the company in the long run. The register provides a comprehensive overview of the processing of personal data and individual processing operations.
  • Such a register also facilitates risk analysis and evaluation of the individual processes, as each one is broken down in detail.
  • Special care must be taken when transferring personal data to a third country to avoid violating legal regulations. Here, too, a processing register helps, as it shows which processes pose a significant risk.

Record of processing activities

Art. 30 GDPR requires written documentation (electronic form is acceptable) of all processes that work with personal data. That means every processing of personal data, not only of sensitive data, must be listed and itemized in this register.

In addition, essential details of the data processing must be documented there, such as processing categories, the data subjects, the purpose of the processing, and the categories of recipients.

The register is also the basis for inspection by the competent supervisory authority, which must be given access to it on request (Art. 30(4) GDPR). Companies are well advised to create and maintain it with great care, because it is the simplest way to demonstrate that data protection management is in place.

Otherwise, there is a standing risk of conflict with the supervisory authority, up to and including fines for violating data protection law.

Who must keep a register of processing activities? 

Every company with 250 or more employees must maintain such a register. Companies with fewer than 250 employees are also obliged to keep one if any of the following conditions from Art. 30(5) GDPR applies:

  1. the processing is likely to result in a risk to the rights and freedoms of data subjects;
  2. the processing is not occasional (i.e. the company carries out regular processing operations);
  3. the processing involves special categories of data (Art. 9 GDPR), such as health data or information on religion or political opinions, or data relating to criminal convictions and offences (Art. 10 GDPR).

Good to know: Almost always, one of these exceptions applies. If only because most companies keep a personnel file in which very personal data of employees is stored, modified, or deleted regularly. As a result, almost every company must maintain such a register. 

What are the penalties for not maintaining a register of processing activities?

If a company cannot provide a ROPA when the supervisory authority asks for one because it does not maintain one, the authority will first ask why. Frequently the company and the authority then disagree about whether the company is obliged to keep a register at all, and in some cases this ends in a costly and lengthy legal dispute.

In most cases, the authority will require the company to keep a register. If the company fails to comply, or if it is evident that a register should have been kept all along, substantial administrative fines are possible: a breach of Art. 30 can be fined with up to EUR 10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Art. 83(4) GDPR). National law may add further sanctions in some member states. Because the fines are measured against turnover, they should not be underestimated.

Sometimes the authority instead grants the company a deadline, usually two to three weeks, to submit a register of processing activities.

Good to know: You should never rely on the goodwill of authorities with your company. It is, therefore, advisable to avoid a dispute and create a ROPA immediately.

Who has access to the register of processing activities?

A register of processing activities is not public, so there is no risk of company or trade secrets being disclosed through it. Even data subjects, who in principle have the right to obtain information about the use of their data (Art. 15 GDPR), have no right of access to the register itself, and it does not have to be made accessible to them.

Internally, access is typically limited to the data protection officer, who is involved in drawing up the register, and the company's executive board and management; the company decides who else needs to see it. In addition, as already mentioned, the competent supervisory authority must be provided with the register on request.

Record of processing activities according to the GDPR

Almost all companies must maintain a register of processing activities, as prescribed by the legislator in the GDPR. The register itself is not new: in Germany, the previously applicable Federal Data Protection Act (BDSG) already required a register of procedures.

The new register replaces that earlier register with some changes. The term "processing", as used in Art. 30 GDPR, is to be understood broadly (see Art. 4(2) GDPR): it covers any operation on personal data, such as collecting, storing, deleting, modifying, combining, reading out, comparing, or disclosing it. Every process in which personal data play a role must therefore be listed in the register.

The register must contain certain details for each processing activity: the contact details of the controller and of the data protection officer, the purpose of the processing, the categories of data subjects and of personal data, the categories of recipients to whom the data are disclosed (including external recipients, not only internal departments), and any transfers to third countries together with the safeguards that apply.

Where possible, the register should also contain a general description of the technical and organizational measures (TOM) and the envisaged deletion periods. Documenting the deletion periods clarifies the whole picture and helps comply with the legal retention periods.

Such a register ensures that it is recorded which processing activities exist in a company. That is important for the supervisory authorities in their inspections and provides information within the company about which processes are carried out. It gives a better overview of where which processing operations are taking place and whether they can be optimized or, in case of doubt, even reduced to counter significant risks of data protection mishaps.

If the exact data processing structures are evident, good data protection management can be based on this. Carefully compiled, such a register only means additional effort in the short term. In the long run, it makes it easier for companies to comply with data protection and reduces risks.

Create a record of processing activities 

In principle, companies have a free hand in creating a register of processing activities. The GDPR does not provide a specific format or a template. One also looks in vain for a corresponding form.

Nevertheless, there are some requirements as to what such a register should include:

  1. Cover sheet: the cover sheet names the company, its contact details, and the contact details of the data protection officer. It should also identify the controller precisely (and any joint controllers or representative, where applicable).
  2. Main section: here the individual processing activities are listed, described, broken down, and analyzed. Documentation of each separate process should be maintained.
  3. Technical and organizational measures (TOM): here building and IT security, policies and work instructions for employees, company agreements, and other organizational measures that ensure the company's data protection standard are listed. Since these measures are usually documented separately, the existing documentation can simply be attached to the register.

What content must the actual register of processing activities have? 

Beyond the rough structure, some content requirements must be observed. These relate primarily to the main part of the directory, in which the individual processes are set out.

Each processing activity must be described in detail based on the following criteria:

  1. Purpose of processing: it must be apparent for what purpose the data are processed. For example, maintaining the personnel file or a patient register can be legitimate purposes. The department or role responsible for the processing should also be named here (for personnel files, for example, the employees of the HR department).
  2. Categories of personal data: the types of data processed must be specified, e.g. first and last name, social security number, or address. Special categories of personal data under Art. 9 GDPR (for example health data in a personnel file or patient register) must be identified separately, because they trigger stricter requirements.
  3. Data subjects: the categories of data subjects, i.e. the persons whose data are processed, must be stated. For a personnel file these are the employees; for a patient register, the patients.
  4. Data recipients: the recipients of the data must also be named. A recipient is anyone to whom the data are disclosed, whether an internal department or an external third party such as a tax consultant or a payroll office. It is irrelevant whether these persons actually look at the data; the mere possibility of access is sufficient.
  5. Retention periods/deletion periods: the envisaged time limits for erasure of each category of data must be noted. For a personnel file, the data are typically kept for the duration of the employment relationship plus whatever statutory retention periods apply to payroll and tax records, and similar considerations apply to patient or customer data. To handle erasure, the company should maintain a deletion concept that regulates what happens to data once the retention period has expired.
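
The field list above can be checked mechanically. The following Python script is an added example, not code from the original article and not part of any data protection platform: it models each processing activity as a dictionary carrying the Art. 30(1) fields discussed above, reports missing or empty fields, flags special categories that lack a documented Art. 9 basis and third-country transfers without a documented safeguard, and computes whether an envisaged retention period has elapsed. The field names, the two sample entries, and the ten-year retention value are assumptions chosen for illustration, not legally prescribed values.

```python
from __future__ import annotations

from datetime import date, timedelta

# Fields every ROPA entry should carry, following Art. 30(1)(a)-(g) GDPR.
# The field names are this example's own convention; the GDPR prescribes
# the content, not a format.
REQUIRED_FIELDS = (
    "name",                      # short label of the processing activity
    "purpose",                   # Art. 30(1)(b) purpose of the processing
    "data_subjects",             # Art. 30(1)(c) categories of data subjects
    "data_categories",           # Art. 30(1)(c) categories of personal data
    "recipients",                # Art. 30(1)(d) categories of recipients
    "third_country_transfers",   # Art. 30(1)(e); may legitimately be empty
    "retention_days",            # Art. 30(1)(f) envisaged time limit for erasure
    "tom_reference",             # Art. 30(1)(g) pointer to the TOM document
)

# Special categories of personal data listed in Art. 9(1) GDPR.
SPECIAL_CATEGORIES = {
    "health", "religion", "political_opinion", "ethnic_origin",
    "trade_union", "genetic", "biometric", "sex_life",
}


def validate_entry(entry: dict) -> list[str]:
    """Return a list of findings for one processing activity; empty means OK."""
    findings: list[str] = []
    for field in REQUIRED_FIELDS:
        if field not in entry:
            findings.append(f"missing required field: {field}")
        elif field != "third_country_transfers" and entry[field] in (None, "", []):
            findings.append(f"empty required field: {field}")

    # Special categories must be visible in the register together with the
    # Art. 9(2) exception relied on ("legal_basis_art9" is this example's field).
    special = SPECIAL_CATEGORIES & set(entry.get("data_categories", []))
    if special and not entry.get("legal_basis_art9"):
        findings.append("special categories " + ", ".join(sorted(special))
                        + " without documented Art. 9 basis")

    # Every third-country transfer needs a documented safeguard (Art. 30(1)(e)).
    for transfer in entry.get("third_country_transfers", []):
        if not transfer.get("safeguard"):
            findings.append(f"transfer to {transfer.get('country')} "
                            "without documented safeguard")

    retention = entry.get("retention_days")
    if isinstance(retention, int) and retention <= 0:
        findings.append("retention_days must be positive")
    return findings


def validate_register(register: list[dict]) -> dict[str, list[str]]:
    """Validate every entry; keys are activity names, values are findings."""
    return {e.get("name", f"entry#{i}"): validate_entry(e)
            for i, e in enumerate(register)}


def erasure_due(entry: dict, trigger_iso: str, today_iso: str) -> bool:
    """True once the retention period, counted from the trigger date
    (e.g. the employee leaving), has elapsed on the given day."""
    trigger = date.fromisoformat(trigger_iso)
    today = date.fromisoformat(today_iso)
    return today >= trigger + timedelta(days=entry["retention_days"])


# Constructed sample entries for illustration; not real processing activities.
SAMPLE_REGISTER = [
    {
        "name": "personnel file",
        "purpose": "administration of the employment relationship",
        "data_subjects": ["employees"],
        "data_categories": ["name", "address", "social_security_number", "health"],
        "legal_basis_art9": "Art. 9(2)(b) GDPR",   # sick notes in the file
        "recipients": ["HR department", "external payroll office"],
        "third_country_transfers": [],
        "retention_days": 365 * 10,                 # assumed placeholder value
        "tom_reference": "TOM-2024-01",
    },
    {
        "name": "patient register",
        "purpose": "treatment documentation",
        "data_subjects": ["patients"],
        "data_categories": ["name", "health"],
        "recipients": [],                           # forgot to name recipients
        "third_country_transfers": [{"country": "US", "processor": "cloud backup"}],
        # retention_days and tom_reference deliberately missing
    },
]

if __name__ == "__main__":
    for name, findings in validate_register(SAMPLE_REGISTER).items():
        print(name, "->", findings or "OK")
```

Running the script reports the personnel file as complete and lists five findings for the patient register (empty recipients, missing retention period and TOM reference, undocumented Art. 9 basis, and an undocumented transfer safeguard). In practice the same checks would run over the register exported from whatever tool the company uses, so that gaps surface before the supervisory authority asks for the document.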

Tip: With the Priverion Data Protection Platform, you can create a legally compliant register of processing activities in a clear and uncomplicated way. It documents all processes in your company that use personal data and summarizes the required legal information in an always up-to-date overview: the purpose of the processing, its legal basis, the persons involved, the persons responsible, and everything else needed to prove compliance with data protection law. The link between deletion and retention periods and your system landscape shows you at any time which deletion and retention periods apply to each system, on-site and in the cloud.

What is the role of the data protection officer?

It is important to note that the management, as the controller, is responsible for creating the register. The data protection officer advises and supports the company and its management in all matters relating to data protection (Art. 39 GDPR), which includes the creation and maintenance of the register of processing activities.

First, the data protection officer should get a picture of all the company's processes and gain an overview. The GDPR gives them the authority to do this. To record every process involving personal data, the DPO can contact the individual departments and have them explain how they handle personal data.

In doing so, data protection officers should ask for the following indications:

  • Precisely what activities and processes take place?
  • Which employees are entrusted with these tasks?
  • What programs/software is used?
  • Who provides the data?
  • To whom is the data subsequently forwarded?

In addition, the data protection officer can ask the individual departments for active support in gathering and preparing information about their processes. It is not necessary to interview each employee individually; it is sufficient if each department internally prepares a summary of its activities and the persons responsible and forwards it to the data protection officer, who enters the collected information into the register.

The aim of this information gathering is to obtain a detailed overview of all processing of personal data in the company and thereby ensure that the ROPA is complete.

To this end, it may also be helpful to seek the support of an external consultant and confer with them when drawing up a Register of Processing Activities. Our consultants, who specialize and have experience in this area, know what questions to ask, scrutinize existing processes, and are aware of problems that might otherwise go unnoticed.

Good to know: An external consultant is already qualified for the task and needs no onboarding. An objective and well-trained eye can make a difference when creating a register of processing activities and reviewing data protection in the company.

Conclusion

Creating a Register of Processing Activities is time-consuming; a document length of 100 pages is not uncommon. The Priverion platform simplifies the creation and management. Once created, this document provides essential insights into data protection. In addition, many documents that will become part of a Register of Processing Activities already exist and just need to be inserted.

During the creation process, some errors and risks usually come to light that might never have been noticed. It is, therefore, an opportunity to scrutinize, check and, if necessary, properly “declutter” the company’s processing activities.

It allows processes to be optimized and brought up to date. In addition, companies subsequently know precisely which data is processed in their company and which is perhaps superfluous. In this way, the entire system can become more efficient.

So, in addition to fulfilling the legal obligation to maintain such a record, it offers many opportunities and possibilities. Lastly, companies develop a sensitivity for their processes and optimization possibilities in handling personal data.
