Record of Processing Activities (ROPA) - A Deep Dive

Introduction

A Record of Processing Activities (ROPA) is a critical record-keeping module outlining an organization's data processing activities, including collecting, processing, and using personal data. It enables organizations to evaluate their data processing activities, identify potential risks to data privacy, and implement appropriate risk management measures. 

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). ROPA, on the other hand, is not a commonly recognized term related to GDPR. However, regulatory bodies, including Data Protection Authorities (DPAs) in EU member states, play a crucial role in ensuring GDPR compliance. They enforce GDPR, investigate breaches, and impose fines for non-compliance to safeguard individuals' data and privacy. Organizations are obligated to adhere to GDPR principles to protect the rights and privacy of data subjects.

OvalEdge offers a user-friendly solution for organizations to track, monitor, and report compliance using the Record of Processing Activities (ROPA). The OvalEdge UI-driven system allows multiple departments handling Personal Identifiable Information (PII) data to record their processing activities centrally.

The OvalEdge platform allows users to edit details of processing activities and enables team members to collaborate with stakeholders of different processing activities to collect information promptly.

The OvalEdge system generates ROPA  reports for different time periods and ensures approvals from identified stakeholders before finalizing reports. The approved reports are stored in OvalEdge for future reference. OvalEdge supports reminders through service desk notification for processing activities to ensure timely validation and updates. The solution ensures that organizations can easily maintain GDPR compliance by providing a simple, centralized platform for monitoring and reporting data processing activities.

GDPR, ROPA

The General Data Protection Regulation (GDPR) and the Record of Processing Activities, commonly referred to as ROPA, are closely associated. ROPA signifies the GDPR's requirement for businesses to maintain precise and all-encompassing records of their data processing operations. ROPA allows for the recording and monitoring of processing operations, with a specific focus on Personally Identifiable Information (PII). This ensures compliance with data protection laws and upholds privacy standards. OvalEdge ROPA comprises two features: 

• Processing Activity: Record and keep track of all the actions taken about personal data, such as gathering, storing, retrieving, using, disclosing, modifying, and deleting it.
• Reports: Create thorough reports that compile all of the processing actions that have been documented. An overview of data handling procedures, data flows, rights of data subjects, security precautions, and compliance status are included in these reports.

Prerequisites

Creating and Configuring Domain, Categories, and Subcategories: 

To ensure users handle personal information properly, it is important first to identify and sort out terms that count as Personally Identifiable Information (PII), like names, email addresses, and more. These terms are the foundation of data privacy, helping users know what kind of information is being dealt with and how it is being used. By carefully defining these terms, organizations can better define KPIs and achieve consistency. 

Adding Custom Fields for Processing Activity/Reports: 

OvalEdge various custom fields in the Processing Activities Summary Page. These custom fields cover different types like text, code, numbers, and dates. This allows users to enter custom details about processing activities, going beyond basic information.

With these custom fields in the ROPA system, organizations can improve their ability to manage data. Users can understand processing activities in detail, going deeper than just basic information. This detailed understanding helps with internal decisions and makes it easier to follow regulations properly.

Processing Activities 

Processing activities refer to operations and actions performed on data that can be directly or indirectly related to an individual. These activities involve the collection, storage, retrieval, use, disclosure, alteration, or deletion of PII within an organization.

Viewing Processing Activities

The ROPA landing page has a tab called "Processing Activity" that shows a summary of all the processing activities being done or completed before. In this view, users get a detailed table with important information like ID, activity name, description, purpose, processor, controller, source, terms, group, domain, category, subcategory, sensitive information terms, status of processing activity, risk level, and more. This organized layout not only gives a complete overview of the tasks but also helps organizations deeply understand how data is managed. It allows for effective monitoring and ensures compliance.

Adding Processing Activity

To add a processing activity, click on the + Add icon on the main page of Processing Activities, and the Add Processing Activity pop-up window will appear. 

When a user adds a Processing Activity, the process is automatically organized into important sections with detailed information on Processing activity summary page. 

• Process Owners: In the Process Owners segment/section, roles such as Group, Division, Processor, Controller, Owner, and Compliance Officer are defined, establishing a clear chain of responsibility. 
• Data Subjects: Data subjects are the ones whose privacy data is maintained
• Data Processing: The Data Processing section encompasses critical elements like source, collection points, automated decision-making criteria, lawful processing criteria, and the systems employed, ensuring a transparent workflow.
• Data Storage: Moving to the Data Storage Section/segment, considerations span manual/physical and electronic storage options, alongside retention periods and disposal methods, emphasizing both security and compliance. 
• Data Sharing: The Data Sharing section/segment outlines groups and external parties with access, coupled with methods of sharing, fostering controlled data dissemination. 
• Risk and Security: Lastly, the Risk and Security section incorporates risk classification and security controls, ensuring robust protection measures are in place.

Accessing Processing Activity

Processing Activity Summary 

On the Processing Activity main page, clicking on the Processing Activity name link displays the processing activity summary, offering a comprehensive snapshot of essential information related to the processing activity and its associated data objects. It consists of the activity description, custom fields, PII terms, data subject categories, top users' engagement, update history, and important dates like creation and modification. This summary offers a concise overview of the key details of the processing activity.

• Description: Is a concise overview, providing a high-level understanding of the processing activity purpose, scope, and key findings. It is manually created by the process owner. 
• Personal Data: PII terms associated with the processing activity. 
• Process Owners: Process owners are individual or group of individuals responsible for the creation of processing activity
• Data Subjects: Employees and customers, This approach enhances transparency, in understanding the diverse individuals impacted by processing activities, fostering responsible data stewardship, and ensuring compliance with privacy regulations. 
• Data Storage: The Processing Activity Summary Page provides detailed information about how data is stored. It indicates whether it is done by hand, physically, or electronically and mentions security measures like masking. The page also emphasizes responsible data management, describing how data is deleted (using methods like Electronic Erasure) and kept for a specific period, for example, 80 days(The timeframe can be adjusted). This ensures that organizations follow strict rules for data security and meet regulatory standards.
• Data Processing: The Data processing section collects and stores information about the Source from where the processing activity data is collected. Collection points are nothing but the way the data is collected it can be Forms, Website and Office forms. Automated decision-making describes if the decision on the processing activity is given automatically or if it's a manual implementation. Lawful Criteria describes which criteria are used to meet the compliance requirements while creating a processing activity. The system used for processing can be automatic or manual based on organization. 
• Data Sharing: On the Processing Activity Summary Page, there is a section about Data Sharing that explains the sharing of private data among the users. It differentiates between people within the organization and those outside it. It also mentions how the data is shared, like through Application Programming Interfaces, and whether it is transferred to other countries. This gives a clear picture of who can access the data and how it's shared internationally. The information is entered manually by the user. 
• Risk & Security: This classification provides a concise yet crucial insight into the level of risk associated with the processing activity, guiding organizations in implementing tailored security measures and compliance strategies to mitigate potential vulnerabilities effectively. The levels of risk are High, Low, and Medium. 
• Status: When the processing activity gets created, it gets created in draft status. The user needs to Request to Publish the activity. After approval from stakeholders, the activity gets published. 
• History: Users can view the history of the status changes that were performed on the respective Processing Activity.
• Top Users: The Processing Activity Summary Page shows who the main users are in these activities. This gives a clear view of how engaged people are, making them responsible for how data is managed. It helps organizations follow the rules and builds trust in how they handle data.

A snapshot of a Processing Activity Summary is provided below for your reference.

Associating Data to Processing Activity 

The Associated Data section within OvalEdge presents various data objects, including Databases, Tables, Table Columns, Files, File Columns, Reports, Report Columns, and Codes. These objects are associated with the configured PII Terms in the Processing Activity. When the same PII Term is linked to data objects such as schema, tables, table columns, etc., those objects are displayed in respective tabs categorized by the Term name.

Users can easily navigate to the corresponding data object, view its summary, and access the business glossary term summary by clicking on the term name. Each Object Type tab provides a count of data objects associated with the current term, including Databases, Tables, Table Columns, Files, File Columns, Reports, and Codes.

The list view offers detailed information about data objects based on the selected object type.

Example:

Suppose there is a PII Term called "Email Address" configured in the Processing Activity. If the "Email Address" term is associated with a table column named "User_Email" in the "User" table and a report column named "Contact_Email" in a report, these objects will be displayed in their respective tabs under the "Email Address" term.

In this scenario, users can navigate to the "User_Email" table column or the "Contact_Email" report column, view their summaries, and access the business glossary term summary by clicking on the "Email Address" term. The "Table Columns" tab will show the count of table columns associated with the "Email Address" term, including the "User_Email" column. Similarly, the "Report Columns" tab will display the count of report columns associated with the term.

Additional Operation on Activity

The additional operations that can be performed on the Processing Activity include the following:

• Adding/Removing Processing Activity from the Watchlist: Processing Activities have an additional operation which is the flexibility of Adding or Removing from the Watchlist, providing users with enhanced control and monitoring capabilities.
• Downloading a Processing Activity: Users can download a Processing Activity by using the download icon at the bottom right of the Processing Activities page in the list view. They can download and share the processing activity with compliance officers as proof. 
• Editing a Processing Activity: Modification of an existing Processing Activity can be performed either from the Processing Activity details page or the individual Processing Activity Summary page using the 9-Dots menu, streamlining data management and ensuring accuracy with user-friendly navigation options.
• Updating Governance Roles: Using the Update Governance Roles feature, Authorised users can add or update governance roles, such as Owner, Steward, Custodian, and other custom roles (if configured). These roles can be assigned to members by selecting them from a drop-down list. As a result, the Processing Activities have designated individuals who are responsible for governing them and can serve as the points of contact in case of questions.
• Configure Search Keywords: Configure Search Keywords are specifically added to Processing Activities to enhance their discoverability and accessibility for users. These keywords streamline the process of locating relevant data within the application. 
• Collaboration Message: The Collaboration feature within OvalEdge allows users to communicate and collaborate easily with one another. Users can tag specific individuals or teams in the message using the ‘@’ annotation to ensure the right people are notified. This feature supports various types of media, including images, URLs, links, and more, providing additional context and information.

ROPA Reports 

OvalEdge's ROPA  Reports offer a comprehensive record of an organization's data processing activities, encompassing activity details, data flows, legal basis, data security measures, data retention, risk assessments, and compliance status. These reports provide a consolidated overview of the organization's processing activities.

Viewing ROPA Reports

The Report List View is an important tool shown in ROPA. It includes important details like Report ID, Report Name, Description, the processing activities it is linked to, and key people involved, such as Stewards, Custodians, and Owners. It also mentions specific responsibilities (Governance Roles) and dates indicating when the report was created and modified.

There are status indicators to show how far along the report is, and timestamps tell when it was made and changed, along with the users who did it. This approach helps track reports effectively, making sure everyone is responsible and the process is transparent in organizations.

Adding ROPA Reports

To add a report, click on the + Add icon on the main page of Reports, and the Add ROPA Report pop-up window will appear. 

Creating reports involves paying close attention to important information. This includes things like the report name, the period it covers (“From Date” to “To Date”), and a clear description. Assigning specific roles like Steward, Owner, and Custodian adds accountability, clearly defining who is responsible for what in the reporting process. This structured approach ensures that reports are clear, detailed, and well-managed, providing a complete understanding of the information they contain.

Accessing ROPA Reports

On the Reports main page, clicking on the Report Name link displays the report summary, offering a comprehensive snapshot of essential information regarding processing activities and associated data objects. It includes the activity description, custom fields, top users' engagement, and update history. This summary provides a concise overview of the report's key details.

• Description: is a concise overview, providing a high-level understanding of the report's purpose, scope, and key findings.
• Dates: Dates are pivotal markers within ROPA Reports, specifying the time frame during which data processing activities occurred. From the start date to the end date, this information provides context, enabling stakeholders to analyze data trends, track compliance, and assess the timeliness of processing activities within the designated period.
• Governance Roles: encompassing Steward, Owner, and Custodian, define the individuals responsible for overseeing and managing the ROPA Reports. 
• Top Users: individuals or teams extensively involved in the processing activities under the ROPA Reports. By identifying these key users, organizations gain insights into data utilization patterns, enabling targeted training, access reviews, and resource allocation, ultimately enhancing data security and efficiency.
• Status: the current state of the ROPA Report, providing clarity on its progress. Ensures transparency, allowing stakeholders to stay updated on the report's lifecycle and take appropriate actions accordingly.
• History: a historical perspective, detailing significant events, modifications, and approvals related to the ROPA Report. This chronological record not only maintains an audit trail but also enables stakeholders to understand the evolution of the report, ensuring accountability, compliance, and effective decision-making.
• Processing Activities under ROPA Reports: a detailed list of all processing activities included within the ROPA Report. Each activity is outlined, encompassing essential details like activity name, description, involved parties, and associated dates. This granular information empowers stakeholders to delve deep into specific processing activities, facilitating in-depth analysis, compliance assessments, and targeted interventions where necessary.

A snapshot of a ROPA Report Summary is provided below for your reference.

Additional Operation on ROPA Reports

The additional operations that can be performed on the ROPA Reports include the following:

• Editing ROPA Reports: The ability to edit ROPA Reports allows organizations to refine, update, or rectify information, ensuring accuracy and relevance. This operation ensures that reports remain dynamic and reflective of the evolving data landscape, enabling stakeholders to maintain up-to-date records and compliance documentation.
• Draft/Published Status: Once the report is generated the report gets generated in draft state. Authorized users can request to publish the report. The approver adds comments and approves the report. The status of ROPA Reports gets changed from draft to published.  
• Delete ROPA  Report: Deleting outdated or irrelevant ROPA Reports streamlines data repositories, maintaining clarity and relevance. This operation aids in adhering to data retention policies and ensures that obsolete information does not clutter the system, optimizing data governance practices.
• Update Governance Roles: The ability to update governance roles through 9 dots within ROPA Reports ensures alignment with organizational changes.
• Download ROPA Report: Stakeholders can retain offline records, share reports securely, and facilitate audits, ensuring seamless collaboration and compliance verification. Report gets downloaded in xlsx format. 

       

• Configure Search Keywords: Configuring search keywords refines data discovery, enhancing the efficiency of ROPA Report retrieval.
• Associate Data to Report: This operation ensures that relevant data is accurately cataloged, promoting a cohesive approach to data governance and facilitating comprehensive analysis and reporting.
• Adding to Watchlist: Users have the ability as ROPA users to receive notifications regarding actions performed on specific ROPA Processing Activities and Reports. To enable this feature, users need to add the desired Processing Activity or Report to their watchlists. Once added, these activities and reports will be displayed on the users' Watchlist, ensuring convenient access and timely notifications.

ROPA Security 

OvalEdge ROPA offers a Role-Based Access Control (RBAC) system through the Administration menu. The Administration Security enables users to precisely adjust access levels and personalize governance roles for Processing Activities (PAs) and Reports. Moreover, License-Based Access Management ensures the efficient use of resources by controlling data visibility based on license types.

Role-Based Access Control

OvalEdge ROPA offers a comprehensive Role-Based Access Control system, allowing users to navigate to the Administration menu and select "Security" and "Applications." By enabling or disabling role-based access via toggle buttons, users gain granular control. Manual assignment and removal of roles further refine access, ensuring that specific sections within ROPA are restricted or accessible based on user roles and maintaining data confidentiality and integrity.

Customization of Governance Roles

Within the Administration section, users can tailor governance roles for both Processing Activities and Reports. By accessing the "Security" menu and selecting the "Governance Roles" tab, users can align roles with compliance requirements. This customization ensures that designated individuals possess the necessary permissions, promoting precise oversight and accountability in line with organizational governance strategies.

License-Based Access Management

OvalEdge ROPA introduces license-based access control, enabling organizations to regulate data visibility in OvalEdge based on license types. Users can configure settings by navigating to the Administration menu, selecting "Security," and accessing the "Application Security" tab. Here, the toggle button empowers users to enable or disable ROPA access for Viewers. This feature guarantees that users can view processing activities and reports tailored to their roles, promoting efficient use of resources and ensuring compliance with licensing agreements.

Service Desk 

ROPA simplifies template configuration and approval workflow association for streamlined service request management. Admin Users / Connectors SAG’s can select, configure, and publish templates, choosing between active and inactive states. OvalEdge allows flexibility in configuring Approval Workflows and defining Service Level Agreements (SLA). Furthermore, admin users can track the status of raised requests seamlessly in the Service Desk module, ensuring a user-friendly and efficient process.

Configuring Pre-Defined Templates

In Administration under Service Desk Templates, admin users can select predefined ROPA templates, view details, and configure settings or fields associated with the chosen template.

Configuring Approval Workflow

To associate an Approval Workflow with a ROPA  template, users have the flexibility to configure an existing workflow or create a new workflow based on their specific requirements. Additionally, users can define the Service Level Agreement (SLA) and choose between automatic or manual fulfillment modes.

Existing Approval Workflow

Admin Users can utilize the predefined workflow with configured one more many approvers to raise service requests efficiently.

Active/Inactive Templates

• Active Templates: are templates that are currently enabled and available for use. Users can select active templates when raising service requests.
• Inactive Templates: are templates that are currently disabled and not available for use. Users cannot select inactive templates when creating service requests.  

Publishing a Template

By default, a newly created template will be in draft status. To make the template available for use, users can click on the nine dots icon associated with the template and select the "Publish" option. Once published, the template becomes visible and accessible to users in the service request creation process. Users can select and utilize published templates when raising service requests. On the other hand, unpublished templates are not visible or selectable during the creation of service requests. 

Note: While users can set templates as inactive, they cannot delete or revert the system defined templates to draft status.

Status Progression for Raised ROPA  Requests

The raised GDPR ROPA  requests can be viewed in the Service Desk module from the left menu panel. Under the ‘My Requests’ tab, users who are assigned to the approval workflow will be able to see the raised requests.  Selecting a specific request will direct you to its Summary page, where comprehensive details of the request raised are displayed, including the request status.

• New: indicates that the request is in its initial stage and has not undergone processing or evaluation yet. The request is new and awaits further action.
  • New (if rejected): If the request is rejected by the approvers, it reverts back to the "New" status. This indicates that the request needs to be reviewed or modified before resubmission.
• Request to Publish: This status empowers users with a viewer license to initiate the process of making a ROPA Report or process activity available, thereby triggering the subsequent approval from the configured approvers. 
• Pending Approval: indicates that the request is currently being evaluated and reviewed by the assigned approvers.
• Fulfillment Successful (Published): Once the request receives approval from the configured approvers, a fulfillment job is run in the background, and once the request is fulfilled, the status is changed to ‘Fulfillment successful’ i.e., "Published" status. Users check the ‘Mark the status as closed’ checkbox to move the ticket status to ‘Closed’.

       

         

Note: Comments should be added in the ticket by the approver whenever a service request is approved or rejected to provide additional context and information regarding the decision. 

The status of a service request progresses from "New" to "Under Process" during the approval process. Upon approval, it transitions to the "Published" status. If rejected, the request returns to the "New" status, prompting the need for further review or adjustments.

Note: Only Processors or Controllers configured in the workflow have the authority to approve or reject a request based on the established workflow configuration. It is crucial to understand that “Viewers Users” who are not designated as the processor or controller for a processing activity or reports will have the "Approve" and "Reject" buttons grayed out. Consequently, they do not possess the capability to approve or reject a request.

Below is the table presenting ticket statuses and corresponding actions based on different user licenses in OvalEdge:

Ticket Status	Authors	Viewers
New	Yes	No
Request to Publish	Yes	No
Pending Approval	Yes	No
Resolved (If Approved)
Fulfillment Successful (Published)	Yes	No
Mark this ticket as closed - Closed	Yes	No
Reopen (If Rejected)
Reopened	Yes	No