Automating GDPR Recording of Processing Activities (ROPA)
The goal of GDPR Article 30 is to enhance transparency and accountability in data processing by mandating stringent documentation in the form of a “Record of Processing Activities” (ROPA). Under Article 30, data controllers and processors must document a substantial amount of information on the use of personal data, including:
- Categories of personal data collected
- The purpose for collection and processing
- Third parties with whom personal data is shared and why
- Retention and deletion policies
The most common way organizations handle compliance is to gather this information with manual surveys and interviews. Addressing the requirements of Article 30 manually has at least two fatal flaws.
First, as data is spread across the organization, identifying the data owners and the business processes can be difficult and time-consuming. Even if the appropriate owners are identified and de-conflicted, this method relies on human knowledge and memory. Unless 100% of the data owners are appropriately identified, and those data owners understand 100% of the data that is collected, for what purposes, and with whom it is shared, the ROPA will fail to accurately document how personal data is handled. In the recent FTC vs. GoodRX enforcement action, an internal email from their CTO just prior to their IPO stated:
“We need to strengthen our policies and procedures to ensure that we are consistent about what data we share to whom.” And acknowledged, “What we do not have is the data we are sharing by partner along with its business purpose.”
The GoodRX pattern is the norm rather than the exception given the complexity of modern architectures and the historical lack of tooling to understand how data flows and for what purpose.
The second problem with manual surveys and questionnaires is that they become outdated as soon as they are complete. This means that as soon as a new element of personal data is shared with a current partner, or an existing element is shared with a new third party, the completed ROPA is outdated and inaccurate. The only approaches to these flaws are to complete ROPAs on a cadence knowing that the times between ROPAs will be inaccurate, or to implement a “continuous” ROPA effort.
A better approach to regulatory requirements is to start with first principles. This means understanding the purpose of the regulation, solving for that purpose, and then backing into how compliance with the regulation can be met. In the case of Article 30, the documentation itself was never the goal. Instead, regulators smartly understood that documentation requirements force organizations to try and understand their data ecosystem. In essence, ROPAs are a strategic catalyst that pushes organizations to scrutinize the intricacies of their data collection, processing, sharing, and storage with an eye on safeguarding individual privacy and fostering responsible data governance.
With this overarching goal in mind, what then is the appropriate tooling to ensure that as personal data is collected, it is only used and shared for valid purposes? Meeting this obligation requires a new piece of infrastructure — a “system of record for data context.” This system of record must capture knowledge about where data came from, why you have it, and ultimately what you can do with it. With this knowledge, manual processes can be replaced with real-time and automated policy enforcement to ensure that data is used and shared compliantly, in line with a valid purpose.
With a system of record for data context and automated policy enforcement in place, it becomes possible to use this knowledge to enable real-time audits that automate the Article 30 requirements. Privacy professionals and auditors can be given access to a BI tool that shows in real time the rules that were in place, how personal data has been used and shared, and the details of policy decisions that led to permitted and denied use and sharing.
With this level of automation, privacy professionals can stop chasing data owners and reporting, and focus on the more strategic privacy initiatives like growing trust in the business.
At Tranquil Data, we have built the first system of record for data context described above. It captures all versions of policies, connects those to metadata about data across services, and relates this to knowledge about personal data and relationships over time. The result is a graph dataset that speaks with integrity to the context of where data came from, why you have it, and what you may do with it. This knowledge is input to real-time, policy-driven enforcement within the data platform, providing a transparent ROPA that proves correct use in real-time.
If automating proper use and sharing of personal data and Records of Processing Activities is of interest, we would love to talk: info@tranquildata.com