Back to Blog

Completing the RoPA report: how NOT to get lost in the data jungle


Completing a Record of Processing Activities (RoPA) report is one of the many tasks that a Data Privacy Officer (DPO) has to face, but it’s one that is extremely demanding. Many data privacy regulations, including GDPR, require companies that work with data to complete a RoPA (Record of Processing Activities). 


It’s vital to complete a RoPA correctly and to keep it updated in order to comply with data privacy regulations. But it’s usually very tough for DPOs to achieve, and requires a great deal of time and effort. What is it about RoPAs that make them so frustrating for DPOs, and how can you ease these challenges?


What is a RoPA?


A RoPA is a report that holds information about the data your company uses. It includes details about the purpose of the data, data types, data subject entities, and more. You need to update it whenever your data collection or usage changes, like if you start collecting more data than previously, or if your software functionality increases to do more tasks with the same data. 


The pivot of the RoPA report is always the purpose for the data processing, which could be recruitment, payroll, anti-fraud verification, etc. The remaining items cover details about the data and processes used for that purpose, such as the entity, data classification category, third party vendors, etc. These can be tracked in an excel spreadsheet or any other method that documents the RoPAs in a standardized way. 


Regulators can ask to see your RoPA report at any time, and if your company experiences a data breach, the RoPA is an important part of proving that you took reasonable steps to protect your data. 



Why is the RoPA report such a challenge?


There are four main reasons why it’s so difficult for DPOs to complete RoPA reports satisfactorily.


1. You have to find a massive amount of information for RoPAs

Each RoPA report contains enormous amounts of information, and the DPO has to find it all. You’ll need a new row for every data processing purpose, and each row has some 20-30 columns covering elements like the type of data that’s collected, the entity of the data subject, who the data controller is, and more. 


For example, software for managing schools might process data for purposes that include payroll for teachers, tracking grades for students, contacting a student’s parent or guardian, and many more. Each purpose would need a row, and the DPO would have to find the information for each column of that row.


Even a small or medium sized company could have a RoPA comprising 10-20 rows, so larger enterprises would need exponentially more. That means 10, 20, 50, or more conversations with different people to learn all the information needed to complete the report. 


2. You have to search through many repositories

The information needed is contained within your company’s data repositories, and again, even a small company could have dozens of repositories. This adds significantly to the amount of data you’ll have to hunt though. 

3. You’ll have to run numerous searches

There’s no guarantee that each repository has a single purpose, which only adds to the burden. It’s likely that the DPO will need to comb through every repository several times, each time to address a different purpose. 

4. You’re going in blind

Many DPOs are external, and therefore know very little about the company’s data use. Even internal DPOs are often quite removed from the actual data usage. Before they can begin to complete the RoPA, they need to find out who has knowledge about the contents of the code. A new DPO won’t be familiar with team leaders, so they might start by talking to the R&D manager. But most R&D managers don’t write the code, so they won’t be able to help. It could take months just to discover who owns the code and is familiar with its contents. 


Once the DPO finds the right person to talk to, they need to ask the right questions. This can be challenging in and of itself, because they might not know what the software does, let alone what data processing tasks it performs or the purpose for those tasks. It could take several conversations before the DPO knows what inquiries to make. 


Finally, the DPO relies entirely on the developer or software engineer’s answers. Hopefully, whoever they talk to understands the basics of data privacy and knows what is considered personal data. If not, they might not give relevant or full answers. And the stakes are high: if you don’t complete the RoPA correctly, you’ll be in breach of your data privacy obligations.

What do existing RoPA solutions have to offer?


The existing RoPA solutions offer their users templates with fixed formats that the users need to fill manually using predefined dropdown lists. This approach might be found to be challenging for privacy practitioners as by nature, the lists are limited, fixed and may not contain the data relevant to the repository they are reviewing. 


Even if the fixed list does contain the data, the privacy practitioner, who has no visibility to the code, will need to ask the relevant person in R&D for further details to be able to fill the reports (for example : who are the entities that their data is processed by the code? What is the processing purpose ? etc.) adding additional dependency to an already complex process.


It doesn’t help that RoPA reports can be produced in many formats. If you use a tool that has a different format than what you use, you’ll need to rename and re-organize whatever information you selected on the dropdown list when you paste it into your Excel sheet.


How AI  can help Privacy leaders with RoPAs


Privya offers a different solution that automatically scans all the code in all your application repositories, and uses AI to understand the purpose, what data is being processed, and more. Instead of dropdown lists and manual entry, Privya populates your RoPA with reliable answers to the most salient questions. 


Privya’s code scanning engine can deliver the following information: 

  • Why is the application processing this data (the data processing purpose)?
  • What data classifications are being used, such as credit card details, employee age, customer phone numbers?
  • Which entities are the data subjects, like employees, customers, students, account holders, etc?
  • Who is the data controller, so you know who to talk to about changes to the code?
  • Which third parties is the data shared with, and what role does each third party play?
  • Whether or not there is automated data profiling using AI
  • The name of the relevant repository
  • The exact location in the repository that the data is used


That means that even a new, external DPO with no prior knowledge about the company’s data processing activities can access vital information without having to run around finding the right person to talk to and working out what questions to ask. Although there are still more columns in the RoPA to complete, the DPO now knows who to talk to and what the purpose is of the data processing, which makes the rest of the process much faster and easier. 


Automation can end the nightmare of RoPA reports


It’s not yet possible to entirely automate RoPA reports, but Privya’s automated AI tool can go a long way to easing the burden for DPOs. With automated data discovery, DPOs can confidently fill in RoPA reports in much less time and with much more accuracy, which lowers your risk of failing to comply with data privacy regulations. 


Learn more about how Privya can support your RoPA efforts in a demo.

Yaniv Diner
Yaniv Diner

Director of Product Management

Scroll to Top