ROPA in LGPD? Get to Know the Records of Processing Activities

The LGPD - General Data Protection Law brought with it several acronyms and specific terms. Many of them imported from other countries and legislations. One of them is ROPA (Record Of Processing Activities), adapted in Brazil to Registros das Atividades de Tratamento. An essential document for any DPO, Data Processor.

If you work in the field or are in the process of adapting your company, this article was made to help you better understand this document.

ROPA (Record Of Processing Activities), is nothing more than a document that organizes the company's official records about:

• How data collection is done, its processes, and activities;
• What is done with the data, if there is any processing or sharing;
• How data is deleted, if applicable.

In other words, the essential questions and answers in case of consultation by the ANPD - National Data Protection Authority, to your company. Below, we'll discuss each of these points in more detail.

It's worth noting that all documents and processes mapped by the company's Data Processor are "living," constantly being updated and changed. A new process created in department X can change the ROPA, the Privacy Policy, and many other controls.

So, regardless of the size of your company, documents should always reflect reality and be constantly updated.

Smaller companies may not feel the need or complexity of keeping these "Mapping of flows" updated, after all, everything is smaller and involves fewer people. Now, for a larger company, there are already software solutions that help with this control in a more automated way, such as LGPDNOW, for example.

ROPA (Record Of Processing Activities), translated by the Brazilian market to Records of Processing Activities, is an official document of companies, generated by a system or not, that records all flows, processing, and activities involving personal data.

In it, mainly list all the purposes and reasons why the company needs that data(s) for its operation, legal basis (Legal Basis), security criteria, data storage/retention period.

The easy answer is: it depends.

Data Mapping or Data Inventory functions as a visual map of the flow of personal data within the Data Controller, bringing much more than ROPA, such as system and international transfer maps, ISO compliance parameters, NIST, among others.

On the other hand, ROPA focuses on activities involving data processing. In a more structured company, it may happen that a Data Mapping contains some ROPAs as part of it.

In any case, recording activities is an essential part of both documents. The perspective and methodology applied in each can be their differential.

According to the ICO (Information Commissioner’s Office), a ROPA must include at least:

• Name and contact details of your organization, whether it's a controller or a processor (and where applicable, the joint controller, its representative, and the DPO);
• The purposes of processing;
• A description of the categories of individuals and personal data;
• Categories of recipients of personal data;
• Details of transfers to third countries, including a record of the safeguards in place for the transfer mechanism;
• Retention/storage times;
• A description of the technical and organizational security measures in place.
• If you have an internal record of all processing activities carried out by any processor on behalf of your organization.

### Questions the ROPA Should Answer:

• Have you considered the effectiveness of your accountability measures?
• Would staff say you have effective processes to keep the record up-to-date, accurate, and ensure data is minimized?
• Could staff explain their responsibilities and how they carry them out in practice?

Also, according to the ICO (Information Commissioner’s Office), ROPA also includes or links to documentation covering:

• Information needed for privacy banners, such as the legal basis for processing and the source of personal data;
• Consent records;
• Controller-processor contracts;
• The location of personal data;
• DPIA reports;
• Records of personal data breaches;
• Information needed for processing special category data or criminal conviction and offense data under the Data Protection Act 2018 (DPA 2018); and
• Retention and deletion policy documents.

Questioning for the creation of your ROPA:

• Have you considered the effectiveness of your accountability measures?
• Do staff understand how to access other relevant documents linked to the ROPA?
• Is it easy for staff to access relevant documentation from the ROPA?
• Could staff explain this process and how it impacts their role?

A good example for those starting out or with a smaller company is to use spreadsheets for this control and organization.

In addition, on the gov.br website, there are various guides and templates to help you comply with LGPD.

For larger companies that need to structure these processes better, a privacy management and data mapping platform can be very helpful!

That's why we recommend that you schedule a meeting with the LGPDNOW team for a no-obligation conversation to see how they can help you develop your ROPA for LGPD.

Templates and models imported from other companies can be very helpful. But it's essential that you can clearly and objectively translate the reality of your company.

Every time we are faced with the complexity of justifying and basing the collection of data, we should always prioritize privacy throughout all processes, as taught by Privacy by Design.

According to the recommendations of the ICO listed above, AdOpt's LGPD Platform helps you map and organize:

• Cookie Banner within ICO, LGPD, GDPR, CCPA standards.
• Records of all written consents; (organized by user with date, time, and details of each consent.)
• API Integration with your other platforms to enrich the collected data with the consent information recorded.
• And more, depending on the size of your company.

We're here to help!

So, in this link, our calendar is open to discuss your business's adaptation challenges.