This Friday’s Lunch with the DPO session will be looking at things we should be doing during the summer. It’s interesting how the rhythm of the calendar and seasons shapes our motivations and focus in a work context: New Year’s resolutions, spring cleans, post-summer impetus and so on.
There was talk last month on LinkedIn about life five years on since the GDPR was enacted. Five years is a long time with regard to developing work practices, but a blink of the eye in terms of the wider evolution of business culture. Five years on, we should be in an environment of demonstrable compliance across all aspects of the GDPR and the PECR. 2016 to 2018 should have been planning, implementation and testing; 2019 and 2020 about fine-tuning and adjusting, leaving privacy professionals 2021 to sit back with a fat cigar and blow smoke rings into the sky whilst sipping piña colada on the beach! Notwithstanding Covid disruption, there are few if any privacy professionals who have managed to get their “business as usual” operations anywhere near being demonstrably fully compliant. All sorts of things get in the way, such as budgetary pressures, business priorities, mergers and acquisitions, and even changes in the interpretation of the law.
Many of the Outsourced DPO’s clients are taking time to critically review their RoPAs and in fact we are going through this exact exercise at DPP Towers. RoPAs are probably the most critical point of reference for data protection practitioners comprising a list of processing activities, retention rules, processors and international transfers. Good RoPAs also contain a register of lawful grounds for processing. But what do we mean by “going through” the RoPAs?
A RoPA audit sets out to check that the RoPA accurately reflects the actual processing activities and that the information contained in the RoPA is complete, accurate and up-to-date. So you need a two-pronged attack. On the one hand, you select several entries on the RoPA and then go out into the business to find the processing activities those records represent, checking that what you find in the field, as it were, matches the information recorded. On the other hand, you go out into the business and select some of the operations that process personal data, immerse yourself in those activities, and check that what you find is recorded on the RoPA. It’s always fun to pick a process and follow the data through the organisation to see where it flows, how it’s handled and controlled.
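To make the two prongs concrete, here is an added illustration in Python. It is not part of the original post and is not a DPP tool; the record shape (activity, retention rule, lawful basis, processors, transfers) and the sample RoPA and field findings are constructed assumptions. It reconciles a RoPA against what an auditor observed in the business in both directions, and for activities found on both sides compares the recorded details field by field.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable


# Assumed shape of one RoPA entry / one field finding: the elements the post
# says a good RoPA holds. Field names are assumptions for this example.
@dataclass(frozen=True)
class ProcessingRecord:
    activity: str
    retention: str
    lawful_basis: str
    processors: FrozenSet[str]   # processors used for this activity
    transfers: FrozenSet[str]    # third countries personal data is sent to


def compare_record(recorded: ProcessingRecord, observed: ProcessingRecord) -> Dict[str, object]:
    """Field-by-field comparison of a RoPA entry against what the auditor saw."""
    issues: Dict[str, object] = {}
    if recorded.retention != observed.retention:
        issues["retention"] = (recorded.retention, observed.retention)
    if recorded.lawful_basis != observed.lawful_basis:
        issues["lawful_basis"] = (recorded.lawful_basis, observed.lawful_basis)
    unrecorded = sorted(observed.processors - recorded.processors)
    if unrecorded:
        issues["processors_not_in_ropa"] = unrecorded
    unused = sorted(recorded.processors - observed.processors)
    if unused:
        issues["processors_not_seen_in_business"] = unused
    unrecorded_transfers = sorted(observed.transfers - recorded.transfers)
    if unrecorded_transfers:
        issues["transfers_not_in_ropa"] = unrecorded_transfers
    return issues


def audit_ropa(ropa: Iterable[ProcessingRecord],
               findings: Iterable[ProcessingRecord]) -> Dict[str, object]:
    """Two-pronged reconciliation: RoPA -> business, and business -> RoPA."""
    recorded = {r.activity: r for r in ropa}
    observed = {f.activity: f for f in findings}
    mismatches: Dict[str, Dict[str, object]] = {}
    # Activities present on both sides: check the recorded details agree.
    for name in sorted(recorded.keys() & observed.keys()):
        issues = compare_record(recorded[name], observed[name])
        if issues:
            mismatches[name] = issues
    return {
        # Prong 1: RoPA entries the auditor could not find in the business.
        "not_found_in_business": sorted(recorded.keys() - observed.keys()),
        # Prong 2: processing seen in the business that the RoPA does not record.
        "not_recorded_in_ropa": sorted(observed.keys() - recorded.keys()),
        "mismatches": mismatches,
    }


# Constructed sample data (not a real register).
SAMPLE_ROPA = [
    ProcessingRecord("Payroll", "6 years after employment ends", "legal obligation",
                     frozenset({"PayrollCo Ltd"}), frozenset()),
    ProcessingRecord("Marketing newsletter", "until consent withdrawn", "consent",
                     frozenset({"MailTool Inc"}), frozenset({"US"})),
    ProcessingRecord("Legacy CRM", "3 years", "legitimate interests",
                     frozenset(), frozenset()),
]

SAMPLE_FINDINGS = [
    ProcessingRecord("Payroll", "6 years after employment ends", "legal obligation",
                     frozenset({"PayrollCo Ltd"}), frozenset()),
    # A second processor has crept in that the RoPA never recorded.
    ProcessingRecord("Marketing newsletter", "until consent withdrawn", "consent",
                     frozenset({"MailTool Inc", "AnalyticsCo"}), frozenset({"US"})),
    # An activity running in the business with no RoPA entry at all.
    ProcessingRecord("Recruitment", "2 years", "legitimate interests",
                     frozenset({"JobBoard Ltd"}), frozenset()),
]

if __name__ == "__main__":
    import json
    print(json.dumps(audit_ropa(SAMPLE_ROPA, SAMPLE_FINDINGS), indent=2))
```

Each anomaly the report lists maps back to one of the three audit questions: an entry nobody in the business could point to, a live process nobody recorded, or a recorded process whose retention, lawful basis, processors or transfers have drifted from what is actually happening.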
If you find anomalies, it may mean that your BAU processes are not working efficiently or effectively – or it may mean that the concept of a RoPA is too rigid and more difficult to create and maintain than it seemed back when the GDPR was being drafted! But that’s something for another day.
I’ll be interested to see what my colleagues propose as their summer lovin’ tasks on Friday’s session but for me, I’d crack on with a RoPA audit.
If you haven’t joined one of our Friday lunchtime Webex sessions, please get in touch with us via [email protected]. They are free, informative, and a chance to discuss data protection matters with a bunch of like-minded folks.