ROPA in LGPD? Get to Know the Records of Processing Activities
The LGPD (General Data Protection Law) brought with it several acronyms and specific terms, many of them imported from other countries and legislations. One of them is ROPA (Record Of Processing Activities), adapted in Brazil to Registros das Atividades de Tratamento. It is an essential document for any DPO, Data Processor.
If you work in the field or are in the process of adapting your company, this article was made to help you better understand this document.
ROPA (Record Of Processing Activities) is nothing more than a document that organizes the company's official records about:
In other words, these are the essential questions and answers in case the ANPD (National Data Protection Authority) consults your company. Below, we'll discuss each of these points in more detail.
So, regardless of the size of your company, documents should always reflect reality and be constantly updated.
Smaller companies may not feel the need for, or the complexity of, keeping this "mapping of flows" updated; after all, everything is smaller and involves fewer people. For a larger company, there are already software solutions that help with this control in a more automated way, such as LGPDNOW, for example.
ROPA (Record Of Processing Activities), translated by the Brazilian market to Records of Processing Activities, is an official document of companies, generated by a system or not, that records all flows, processing, and activities involving personal data.
It mainly lists all the purposes and reasons why the company needs that data for its operation, the legal basis, the security criteria, and the data storage/retention period.
The easy answer is: it depends.
Data Mapping or Data Inventory functions as a visual map of the flow of personal data within the Data Controller, bringing much more than ROPA, such as system and international transfer maps, ISO compliance parameters, NIST, among others.
On the other hand, ROPA focuses on activities involving data processing. In a more structured company, it may happen that a Data Mapping contains some ROPAs as part of it.
In any case, recording activities is an essential part of both documents. The perspective and methodology applied in each can be their differential.
### Questions the ROPA Should Answer:
According to the ICO (Information Commissioner's Office), ROPA also includes or links to documentation covering:
Questions for the creation of your ROPA:
A good example for those starting out or with a smaller company is to use spreadsheets for this control and organization.
For larger companies that need to structure these processes better, a privacy management and data mapping platform can be very helpful!
That's why we recommend that you schedule a meeting with the LGPDNOW team for a no-obligation conversation to see how they can help you develop your ROPA for LGPD.
Templates and models imported from other companies can be very helpful. But it's essential that you can clearly and objectively translate the reality of your company.
Every time we are faced with the complexity of justifying and basing the collection of data, we should always prioritize privacy throughout all processes, as taught by Privacy by Design.
According to the recommendations of the ICO listed above, AdOpt's LGPD Platform helps you map and organize:
We're here to help!
So, in this link, our calendar is open to discuss your business's adaptation challenges.