How to create a Record of Processing Activities (ROPA)

Companies receive information from a lot of different places, and also share it with others. This is called processing and this “processing” needs to be recorded.

This is where a Record of Processing Activities (ROPA) comes in. It's a critical document mandated by Article 30 of the GDPR and the NHS DSPT, serving as a blueprint for your data handling practices.

NHS DSPT Evidence item 1.1.2 Does your organisation have an up to date list of the ways in which it holds and shares different types of personal and sensitive information?

By documenting each data processing activity, you gain valuable insight into your data flows, ensure accountability, and demonstrate your commitment to robust data security. In this post, we'll explore the importance of a ROPA, guide you through its creation, and highlight key elements for compliance.

This is guide 2/3 in a series of three guides for digital health companies on Documenting your data processing activities. We’ll assume you've successfully created your Information Asset Register (IAR), providing a detailed inventory of your digital health company's data assets.

What is a Record of Processing Activities (ROPA)?

A Record of Processing Activities (ROPA) is a detailed map of how your organisation uses personal data. It outlines the data flow, legal basis for processing, and the security measures implemented.

Why is a ROPA important?

There are several important reasons to create and maintain a ROPA:

• Compliance: It ensures you have a lawful basis for each processing activity, demonstrating adherence to GDPR principles. For many companies, documenting your processing activities is a legal requirement under Article 30 of the GDPR, and must be made available to the supervisory authority (ICO) on request. For this reason a ROPA is sometimes referred to as an “Article 30 register”.
• Transparency: It provides a clear and comprehensive picture of your data processing activities, enabling transparency for both individuals and the GDPR supervisory authority, such as the Information Commissioner's Office (ICO).
• Risk Management: As with an IAR, it helps identify potential data protection risks, facilitating a proactive approach to mitigation.

Creating your Record of Processing Activities (ROPA):

1. Choose a template

We offer a free ROPA template on our platform, which includes clear and relevant examples for digital health companies and compliance with the NHS National Opt-Out. You can talk to us to receive a copy of this template. You can also use a template online, for example the ICO's template.

2. Identify data items - “What do I need to include in my ROPA?”

This requires careful consideration of the data involved in different processing activities. All data which is physically transferred – either electronically or in hardcopy - must be added to your ROPA, which should include all data in the IAR marked as being received from or shared with external organisations. Example data items for digital health companies might include:

• Staff data (employment records, DBS checks, etc.)
• Patient health records
• Treatment plans
• Appointment schedules
• Consent forms
• Insurance data
• Financial data

A note on exceptions for small organisations: If you have fewer than 250 employees, then you do not have to record all of the personal data which you process. You only need to record processing which

• is not occasional i.e. you don’t need to record a one-off exchange
• or; is likely to result in a risk to the rights and freedoms of individuals
• or; contains special category or criminal convictions data.

If you have 250 or more employees, you need to record all processing activities even if they only happen once or are unexpected.

3. For each data item, identify your role under GDPR (controller vs processor) - “Am I a data controller or processor?”

The requirements for documenting data processing activities for a data item differ for controllers and processors. The ICO provides detailed guidance on determining if you are a controller or a processor.

Here are some general tips to keep in mind, but if there is any doubt it's always best to seek an expert opinion:

• Remember that your organisation is not by its nature either a controller or a processor. You are very likely to be a controller for some personal data and a processor for other personal data. For example, you will have your own employees so you will be a controller regarding your employees’ personal data.
• For digital health companies who feel they are only a processor for certain special category data items (such as categories of personal health information) is that likely that you are only a processor for items for which you have signed a clear Data Processing Agreement (DPA) with the hospital which outlines exactly why and how the data the processed.
  • Otherwise, you are a controller, and are primarily responsible for the security and protection of that personal data.

4. For each data item, determine your lawful basis for processing

To process personal data, the processing must be necessary, i.e. you could not perform a required activity without using the information. Once you know it is necessary then a lawful basis for the processing must be given.

There are 6 legal bases for processing personal data under GDPR and at least one should be recorded on the ROPA. There is guidance on each basis on the ICO's guide to lawful basis. These are called Article 6 Conditions:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Some personal data is also considered to be special category. For most digital health companies, most of your special category data will be health and care data. To process special category data, you need to fulfil both one of the conditions above (Article 6) and one of the following conditions (Article 9 conditions).

(a) Explicit consent
(b) Employment, social security and social protection (if authorised by law)
(c) Vital interests
(d) Not-for-profit bodies
(e) Made public by the data subject
(f) Legal claims or judicial acts
(g) Reasons of substantial public interest (with a basis in law)
(h) Health or social care (with a basis in law)
(i) Public health (with a basis in law)
(j) Archiving, research and statistics (with a basis in law)

Further details on each Article 9 basis can be found in the ICO's guide to lawful basis for special category data.

A note on consent: whilst consent is a lawful basis under the GDPR, the regulations have strict rules on consent which may be hard to achieve, and it may be better to seek an alternative lawful basis. The ICO and NHS provides specific guidance on consent for reference to help you decide if consent is the way to go, and how to ensure individuals are giving consent in a way which is very clear and specific.

5. For each data item, gather key information - “What to include in my ROPA?”

The GDPR Article 30 outlines specific minimum requirements for controllers documenting their processing activities. In practice it makes sense to record these items plus the additional information to ensure your processing under each data item is lawful and that data subject rights are respected.

With this understood, here is a practical list for what to record for each data item:

• Data Item description; business function and purpose of processing
• Article 30 Record of Processing Activities
  • Name and contact details of the processor(s) and of each controller on behalf of which the processor is acting
  • Categories of individuals, personal data and recipients
  • Links to contracts with processors
  • Names of third countries or international organisations that personal data are transferred to along with safeguards (if applicable)
  • General description of technical and organisational security measures
  • Retention schedule and link to retention and erasure policy document
• Lawful Basis
  • Article 6 lawful basis for processing personal data,
  • Legitimate interests (LI) for the processing; Link to LI assessment (if applicable)
• Special Category Data:
  • Article 9 condition for processing special category data
  • Data Protection Act 2018 Schedule 1 Condition for processing; link to retention and erase policy
• Data subjects rights & data breaches
  • Rights available to individuals; Link to record of consent; Location of personal data
  • Existence of automated decision-making / profiling; Source of the personal data.
  • Has a personal data breach occurred? ; Link to record of personal data breach
• Data Protection by design and default
  • Is a Data Protection Impact Assessment (DPIA) Required?
  • DPIA progress; Link to the DPIA

This is a risk assessment specifically focused on data protection. You only need to complete a DPIA in specific circumstances and the ICO has a checklist to help you need to complete one. This cites the general rule that you need a DPIA “where a type of processing is likely to result in a high risk to the rights and freedoms of individuals”, but again, if there’s any doubt, again it’s always best to seek outside opinion.

6. Fill out the template

Use the template to document all relevant data items. The name and contact details for your organisation and your Data Protection Officer (if applicable) or data protection representative should be included in the document

7. Review and obtain approval

Ensure the ROPA is accurate and complete. It should be reviewed and approved by relevant stakeholders such as senior management and your data protection representative.

As with all data processing activities, it is also important that you keep your records up-to-date, and continue to review your ROPA at regular intervals, when making changes, and in the event of a data breach.

How to get started

Assuric is a platform designed from the ground up for digital health companies to achieve and manage compliance. We can help with:

• Creating a Record of Processing Activities (ROPA) from a template specific to digital health companies.
• Keeping your ROPA up-to-date with any changes
• Reviewing your ROPA to ensure it meets requirements
• Complying with other aspects of GDPR, the NHS DSPT and NHS DTAC.

Talk to us to learn more, ask questions, or request a copy of the Record of Processing Activities (ROPA) Template:

What next?

You’ve done the hard work: you've identified your data assets (IAR), mapped out your processing activities (ROPA), and established a strong legal basis for everything you do. But your compliance journey isn't over yet. One of the most crucial aspects of GDPR is transparency. This brings us onto the final Step 3: Creating a privacy notice ->

Privacy notices - GDPR guide for digital health companies

Step-by-step guide to creating a Privacy Notice for GDPR and the NHS Digital Security Protection Toolkit (DSPT)