Securiti announces a $75M Series C Funding RoundView
Published on September 22, 2022 AUTHOR - Privacy Research Team
Privacy laws and regulations are enacted to bring transparency and accountability to an organization’s behavior when it comes to collecting and processing users’ personal data. Before the introduction of the GDPR article 30, accountability and transparency associated with the processing of users’ personal data were difficult. In fact, the lack of any such requirement made it nearly impossible for privacy teams to detect and mitigate data privacy and security risks.
As one of the core components of the European Union General Data Protection Regulation (GDPR), article 30, also known as Records of Processing Activities (RoPA), requires businesses to maintain comprehensive documentation of the overall processing activities concerning users’ personal data and special categories of personal data.
For quite some time, RoPA has been taken as an evidentiary mechanism to demonstrate a business’s compliance with the provisions of the GDPR. However, in recent times, RoPA has proved more capable of helping businesses gain terrific insights into their data management capabilities and practices. Hence, it is fairly beneficial for businesses to keep records of processing activities to not only show compliance but also to identify privacy risks and data insights.
According to Article 30 of the General Data Protection Regulation (GDPR), which states that “a controller must maintain a record of processing activities (RoPA) under its responsibility, including all types of processing activities”, including “all categories of processing activities”. This is known as the record of processing activities (RoPA).
Furthermore, the records must be kept in writing, including in electronic form. It is to be noted that processing isn’t limited to the collection of personal data, but its definition also covers that data that is kept stored in data assets.
The basic purpose of RoPA is to serve as an evidence or an audit trail, giving the supervisory authority in your region a clear picture of how you treat the processing of personal data and if it is in compliance with applicable privacy laws.If a business is found to be non-compliant in any manner, under the GDPR, the supervisory authority has the authority to impose hefty fines of up to €20 million, or around $20,372,000.
However, apart from external auditing, RoPA can play a critical role in self-auditing as well. Self-auditing enables businesses to answer the what, why, when, where, and hows associated with personal data processing, providing a window into overall processing activities, shortcomings, and opportunities for improvement or the opportunities to ensure better data quality.
Data is now more than an asset for organizations across the globe. Data brings insights that ultimately trigger innovation and technological development. However, for that, you need to have deeper insights into the data you collect and process. Many times, organizations end up collecting a huge volume of special categories of personal data that seemingly have no value to the business. Operating as a single source of truth, RoPA reports enable organizations to validate whether the data being collected has any value to the business or if it has served its purpose and is ready to be purged.
RoPA can enable organizations to optimize their data validation and data management practices and align those practices with regulatory requirements, such as storage retention or data minimization.
Organizations are generating a massive volume of data at an incredible pace which isn’t slowing down anytime soon. With the availability of data lakes and data warehouses, organizations don’t even have to worry about storing that data. With so much data being generated, stored, and processed throughout the year, it is common for that data to be duplicated and stored at several other assets. Ultimately, this creates data redundancy that further costs organizations unnecessary processing, storage expenses, and security risks.
By maintaining accurate and updated records of processing activities, organizations can easily identify redundancies and optimize that data efficiently.
One of the primary reasons why privacy laws have been enacted is to give users better control over the collection, processing, and selling of personal data. Therefore, privacy laws have provisions related to the subject requests, such as access requests, modification, deletion, and opt-out requests. By keeping an up-to-date record of all the processing activities concerning personal data, its location, retention period, and purpose of processing, DSR teams get seamless access to all the information they require to promptly and efficiently handle data subjects’ requests.
It is usually considered that the data protection officer (DPO) is the go-to person for creating and maintaining records of processing activities. For a small-scale company, this might be true but not for dynamic enterprises that manage the personal data of hundreds of thousands of users. Keeping RoPA reports is a time-consuming process that further requires a lot of back-and-forth with different departments. This, in turn, enables organizations to promote cross-team pollination and communication which further assist teams in understanding the concept of privacy and security risks arising from mishandling of users’ personal data.
As mentioned earlier, there are a number of benefits to keeping records of personal data processing activities, and thus, every organization must maintain such records even if they aren’t liable. But strictly speaking, the GDPR provides us clear guidance on who needs to maintain RoPA. Under Article 30(5) of the GDPR, organizations that have 250 or more employees are required to document, retain and be able to present records of processing activities reports.
As per the aforementioned Article 30(5) of the GDPR, data controllers and processors with fewer than 250 employees do not need to maintain RoPAs unless the processing of personal data is:
Article 30 of the GDPR outlines under paragraph 1 and 2 the details that need to go in the records of processing activities, concerning personal data.
Similar to a controller, data processors are also required to maintain RoPA on behalf of the controller with the following details:
Different businesses can take different approaches to create and maintain records of processing activities. However, in our experience, we found out that the following best practices can yield increased efficiency and outcomes.
At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.
3031 Tisch Way Suite 110 Plaza West, San Jose,