Dear Richard, I am a law undergradute student from Thailand and I would like to express my sincere gratitude for your videos as they have immensely deepen my understanding about Personal Data Protection Law. I am now participating in a university competition which I have to collaborate with engineering and business students to comeup with a software or technology that would solve or better a legal issue. I would like to ask if you have any recommendation regarding any issue or area in Data Protection that a software or technology could solve or could improve the status quo? My team would be extremely grateful for you answers and insight. Yours respectfully. :)
I'm sorry for the incredibly delayed reply! There are a few areas that can benefit from automation under the GDPR, the main one being the management of third party suppliers and supplier assurance. This is a time consuming process that requires a lot of administrative support so any efforts to reduce that burden is often welcomed. There are a couple of tools that would aid your research in this area, mainly OneTrust and also The Compliance Space www.thecompliancespace.com/. If you can make a user friendly supplier assurance tool, you'd be in a great place! Good luck with your studies
Takeaways 📝 A Record of Processing Activities (RoPA) is a requirement under Article 30 of the GDPR, documenting how organizations process personal data. 🔎 RoPA can help organizations understand what personal data they process, who they share it with, the purposes, and the security measures in place. 📝 Many organizations find RoPA confusing and are unsure where to start, but it's essential for regulatory compliance and organizational insight. 🚀 Starting a RoPA involves not being afraid of the process, understanding it's a timely task that requires effort and buy-in from the organization. 🛠 There are tools and privacy management software available to help create a RoPA, but simple templates can also be effective, especially those provided by the ICO. 📚 RoPA should document all processing activities, including HR, marketing, and third-party processing, where personal data is handled. 📋 A questionnaire can be a useful tool to gather information from different departments about the data they hold, its usage, protection, and retention period. 🔑 Keeping the RoPA simple and avoiding over-complication is key to making it accessible and easy to manage. 🔄 RoPA is a living document that needs regular updates to reflect changes in data processing activities and third-party relationships. 📅 It's recommended to have a defined review period for the RoPA, such as quarterly, semi-annually, or annually, to ensure accuracy and relevance. ✉ If you have questions or need assistance with creating a RoPA, reaching out to experts or checking resources like the ICO's website can provide guidance and support.
You're very kind, thank you! You can use anything you like, excel is usually the easiest to manage but sharepoint is a great option to allow more people to access and manage the content.
A further and very informative video - thank you Richard. Just one question, I understand the ROPA, as you say, is an 'organic living document', but how long must an organisation retain their ROPA, i.e. would it be until such a time that the organisation ceases to exist?
The ROPA should always be updated with new processing activities, third parties, controls etc. so it will always exist for as long as the processing activities are carried out. Arguably, yes, it will be around for as long as the organisation itself.
Very informative. May I ask which online tools you would suggest using to an EU lawyer who has GDPR certification but never used an online tool for a small company? I am interested in having a tool that is straightforward even for a non lawyer, easy to use (you do not lose half of your life registering activities) and where you can register all the information needed for complying with records of processing activity .
Thanks for watching. There are a couple of tools that are either free or inexpensive and very useful. I would check out www.thecompliancespace.com and Keepable keepabl.com both are very good tools for small businesses!
Hey, very often yes. They can be one and the same as the process of completing both is very similar. A ROPA has very clear requirements whereas a data map is not defined and will often be more of technical diagram. In my experience, people are talking about the same thing though
RoPA is your Record of Processing Activity, this is where you document what data you process in the business, who it belongs to and why you have it. Think of it like an information register. A DPIA is risk assessment essentially. DPIA's are carried out on processing activities such as background checks for employees. We want to see what the checks are, why they need to be done, how the individual will be effected and what can be done to protect and inform them.
It’s not actually part of the DPO’s ‘tasks’ under article 39 although it is within our responsibility to review and oversee such documents. In reality, it’s usually the DPO that leads if not creates the RoPA but it needs input from all areas of the business to be effective
Information asset register and RoPA are different documents with different purposes but they can easily be combined by adding the information assets into your RoPA. Personally I’d use a separate tab as there’ll be assets that aren’t used for processing but many of them will overlap
![[TH] 2024 PMSL SEA W2D2 | Fall | เครื่องร้อน พร้อมลุย](http://i.ytimg.com/vi/JO2_bLow_1Y/mqdefault.jpg)
thank you brother, the information is very detailed about ROPA. thank you for helping me to understand what ROPA is.
Thank you very much information about RoPA processes.
Thanks for watching
great video really helpful
Dear Richard, I am a law undergradute student from Thailand and I would like to express my sincere gratitude for your videos as they have immensely deepen my understanding about Personal Data Protection Law. I am now participating in a university competition which I have to collaborate with engineering and business students to comeup with a software or technology that would solve or better a legal issue. I would like to ask if you have any recommendation regarding any issue or area in Data Protection that a software or technology could solve or could improve the status quo? My team would be extremely grateful for you answers and insight. Yours respectfully. :)
I'm sorry for the incredibly delayed reply! There are a few areas that can benefit from automation under the GDPR, the main one being the management of third party suppliers and supplier assurance. This is a time consuming process that requires a lot of administrative support so any efforts to reduce that burden is often welcomed. There are a couple of tools that would aid your research in this area, mainly OneTrust and also The Compliance Space www.thecompliancespace.com/. If you can make a user friendly supplier assurance tool, you'd be in a great place! Good luck with your studies
Thank you. Very clearly explained.
Thank you for watching
Takeaways
📝 A Record of Processing Activities (RoPA) is a requirement under Article 30 of the GDPR, documenting how organizations process personal data.
🔎 RoPA can help organizations understand what personal data they process, who they share it with, the purposes, and the security measures in place.
📝 Many organizations find RoPA confusing and are unsure where to start, but it's essential for regulatory compliance and organizational insight.
🚀 Starting a RoPA involves not being afraid of the process, understanding it's a timely task that requires effort and buy-in from the organization.
🛠 There are tools and privacy management software available to help create a RoPA, but simple templates can also be effective, especially those provided by the ICO.
📚 RoPA should document all processing activities, including HR, marketing, and third-party processing, where personal data is handled.
📋 A questionnaire can be a useful tool to gather information from different departments about the data they hold, its usage, protection, and retention period.
🔑 Keeping the RoPA simple and avoiding over-complication is key to making it accessible and easy to manage.
🔄 RoPA is a living document that needs regular updates to reflect changes in data processing activities and third-party relationships.
📅 It's recommended to have a defined review period for the RoPA, such as quarterly, semi-annually, or annually, to ensure accuracy and relevance.
✉ If you have questions or need assistance with creating a RoPA, reaching out to experts or checking resources like the ICO's website can provide guidance and support.
Fantastic channel and great content!
Thank you!
Very insightful video. I’m happy we have people like you in the industry to guide us. Please can I use share point to create a ROPA?
You're very kind, thank you! You can use anything you like, excel is usually the easiest to manage but sharepoint is a great option to allow more people to access and manage the content.
Really useful keep updating regarding ropa
A further and very informative video - thank you Richard. Just one question, I understand the ROPA, as you say, is an 'organic living document', but how long must an organisation retain their ROPA, i.e. would it be until such a time that the organisation ceases to exist?
The ROPA should always be updated with new processing activities, third parties, controls etc. so it will always exist for as long as the processing activities are carried out. Arguably, yes, it will be around for as long as the organisation itself.
@@iSTORMDiaries Thank you Richard. Most appreciated.
Thank you so much brother. Very useful
Really helpful
Thanks for watching!
Very informative. May I ask which online tools you would suggest using to an EU lawyer who has GDPR certification but never used an online tool for a small company? I am interested in having a tool that is straightforward even for a non lawyer, easy to use (you do not lose half of your life registering activities) and where you can register all the information needed for complying with records of processing activity .
Thanks for watching. There are a couple of tools that are either free or inexpensive and very useful. I would check out www.thecompliancespace.com and Keepable keepabl.com both are very good tools for small businesses!
@@iSTORMDiaries thanks a lot!
Thank you
Hi Richard, great video. Is ROPA and Data Mapping used interchangeably?
Hey, very often yes. They can be one and the same as the process of completing both is very similar. A ROPA has very clear requirements whereas a data map is not defined and will often be more of technical diagram. In my experience, people are talking about the same thing though
What's the difference between Ropa and DPIA
RoPA is your Record of Processing Activity, this is where you document what data you process in the business, who it belongs to and why you have it. Think of it like an information register.
A DPIA is risk assessment essentially. DPIA's are carried out on processing activities such as background checks for employees. We want to see what the checks are, why they need to be done, how the individual will be effected and what can be done to protect and inform them.
Is this part of the DPO responsibly?
It’s not actually part of the DPO’s ‘tasks’ under article 39 although it is within our responsibility to review and oversee such documents. In reality, it’s usually the DPO that leads if not creates the RoPA but it needs input from all areas of the business to be effective
@@iSTORMDiaries thank you very much
Do I need separate IAR and ROPA?
Information asset register and RoPA are different documents with different purposes but they can easily be combined by adding the information assets into your RoPA. Personally I’d use a separate tab as there’ll be assets that aren’t used for processing but many of them will overlap
You lost me at David Goggins :)