Does it matter what you call it? Oh heck, yes. I mean, was Boba Fett in Star Trek?
Article 30 of the UK and EU GDPRs is literally called ‘Records of processing activities‘. It sets out the same list of information that must be kept in a record, and maintained, by controllers. And a similar but different list of information that must be kept in a record, and maintained, by processors.
Almost all organisations will be both a controller and a processor, so they’ll need to create and maintain both. And these records have to be made available to the supervisory authority under GDPR, such as the UK ICO, on request.
Right, so if GDPR calls this a record of processing, that’s what it is, that’s what a RoPA is, right? Nearly….
We like to refer to the defined set of records to be kept under Article 30 as Article 30 Records (I know, right!) because the term record of processing activities or RoPA is often used in practice to describe the much broader inventory of personal data that you need to create when you start your GDPR project.
This inventory includes way more information than the Article 30 Records, although it’s still focussed on Privacy compliance. You need this broader inventory to capture all the information you need to spot gaps and remediation steps so you can meet your Privacy obligations.
If you like, your RoPA is a big old iceberg and your Article 30 Records are the tip of the iceberg, the summary you have to make available to regulators and you can only really create once you’ve done that broader inventory. The rest of your inventory you don’t need to make available under GDPR – at least not straight off the bat and not without legal advice – it’s all the good stuff that lets you take real-life remediation steps.
At Keepabl, we call this broader inventory your Data Map. When you use our SaaS Solution, as you easily enter your processing activities into the solution, you’re creating this Data Map and we’re instantly and automatically creating:
all without you needing to do it! So you can get your Article 30s with one click, or give tailored access to them in your Keepabl account. You can quickly and visually demonstrate your compliance. And our unique Activity Analysis, instantly interrogating your Data Map, gives you actionable insights you need to get the job done on GDPR compliance.
But before you do, let’s deal with some other terms you also hear that can get mixed up.
We specialise in Privacy and Security, so we typically hear asset register used in the IT or Security arena for a register of ‘things’ such as servers, laptops, desktops, mobiles, filing cabinets, indeed anything that could contain information. So it will include SaaS services like O365, Salesforce and HubSpot.
We typically hear about asset registers in the private sector, where they’re used to manage an organisation’s assets and identify where information is so that it can be secured. (Technically, an asset doesn’t even need to hold information, it could be a stapler. It all depends on your viewpoint but we’re talking Privacy and Security here.)
And Security is concerned with where information of any type is, so it can be secured. If it’s personal data or confidential information, you’ll secure it more. But you won’t really care what it’s used for. And the risk you’re looking at is enterprise risk, not risk to individuals as GDPR requires. You can see more on this in Privacy Kitchen’s popular video ISO27001 is not GDPR.
You’ll remember that the UK ICO referred to information asset registers, in their December 2020 report on NHS Trusts. We typically hear this term from the UK public sector. Think of them as asset registers on steroids, as they can include people, contracts, departments, processes – pretty well anything at all. Within the information asset register will be the private sector asset register, and some (but not all, as the UK ICO noted) parts of the Article 30 Records.
You’ll also hear the phrase data mapping which we believe has become more of a Privacy term and, as above, we use Data Map in our Privacy SaaS, although data map is often used for something as broad as an information asset register.
If you’re still reading, you really are knee-deep in this stuff, which we love! We’re Privacy & Security geeks. Whatever you call your registers, you can’t get away from the set fields required by Article 30 of GDPR. Make your life easier and see how we create these for you. So the next time someone walks past with a last-minute request on the way into a Board meeting, you’re good to go!
Watch the video on Privacy Kitchen! We’re very grateful to Copenhagen Business School for the opportunity to share this excellent interview by their Associate Professor, Pedro Telles, for CBS’s students. …