The Living RoPA: from paperwork to control panel
The goal
A Record of Processing Activities (RoPA) is required — but the best organisations use it to run the business. This guide shows how to build a pragmatic RoPA and keep it alive without drowning in admin.
The 5–7 slice method
Start with the few processes that move the most data or present the most risk. For each slice, capture the purpose, lawful basis, data categories, recipients, transfers, retention, security controls, and owner.
A quick field guide (what to capture)
· Purpose: be specific (e.g., ‘payroll calculation & HMRC reporting’).
· Lawful basis: contract, legal obligation, legitimate interests, consent (rare), vital interests, public task.
· Data subjects & categories: employees, applicants, customers; personal vs special category data.
· Recipients: internal roles and third parties (processors, sub‑processors).
· International transfers: location, safeguards (SCCs, IDTA), Transfer Risk Assessment status.
· Retention: rule and trigger (e.g., ‘6 years after employment ends’).
· Security: technical/organisational measures (MFA, access controls, encryption, audit).
· Owner & review cadence: who updates this record and how often.
Make it ‘living’
· Tie RoPA updates to change events: new system, new vendor, new purpose, new dataset.
· Use one template in a shared drive; lock structure, allow content editing.
· Review each slice on a fixed cadence (e.g., quarterly for high‑risk, semi‑annual for others).
· Publish a one‑page ‘RoPA summary’ to leadership so decisions match data reality.
From RoPA to action plan
· Carry out a DPIA where risk flags appear (children, special category data, large scale, new technology/AI).
· Vendor due diligence for processors handling personal data (add to your vendor risk register).
· Retention schedule clean‑up (align what systems actually keep with what the policy says).
· Targeted training for process owners.
We can help: MJC offers a ‘RoPA in 90 Minutes’ workshop with templates, facilitation, and a 4–6 week maturation plan.