ROPA: Quickstart Guide
A robust data privacy program requires up-to-date records of all processing activities within your organization. These records are crucial as they detail the collection, storage, usage, retention, and dissemination of data across your systems, vendors, products, and partners.
Transcend streamlines this process, allowing you to generate Records of Processing Activities (ROPA) reports based on your Data Inventory. This guide outlines each step required from filling out your data inventory, to generating your report.
Your Data Inventory in Transcend is structured into the following tables for clarity and ease of management:
- Data Silos
- Datapoints
- Vendors
- Data Categories
- Purposes of Processing
- Business Entities
To generate a comprehensive ROPA, we will need to populate some of these tables with information.
While the requirements for a GDPR ROPA are fairly well documented in Article 30 of GDPR, companies may have varying requirements or preferences in terms of what should be included in a ROPA report. Before getting started, it’s important to have a clear list of your desired fields and values that should be included in a ROPA report.
Below you can find some commonly requested fields:
- Name and Contact details of the data controller / data protection officer.
- Purposes of Processing - a description of the purposes for which personal data is being processed.
- Categories of Data Subjects - the categories of individuals whose data is being processed.
- Categories of Personal Data - the types of personal data being processed (e.g. names, addresses, email addresses, financial information, etc.)
- Categories of recipients - if applicable, information about who the data is being disclosed to, including recipients in third countries or international organizations.
- Transfers to Third Countries - if data is transferred to a third country or international organization, identify that country or organization and document the basis of the transfer (adequacy decision, standard contractual clauses, etc.)
- Retention Schedules - details of the time limits for erasure of the different categories of data, or if not possible, the criteria used to determine this period.
- Technical and Organizational Security Measures - description of the security measures implemented to protect personal data.
- Legal basis for Processing - the basis for processing personal information (e.g. consent, contractual obligation, legal obligation, etc.)
- DPIA - If a data protection impact assessment is required, it should be tracked against the systems that require it.
- Controllership status - whether the third party is a joint controller, processor, or sub-processor.
Please note that the above are examples of data mentioned in Article 30 of GDPR, and are included in many different types of data reports. We encourage customers to further customize their tables and reports according to their specific needs.
To complete your Data Inventory, we recommend following these prioritized steps where possible:
- Run Silo Discovery on your supported systems:
  - Silo Discovery uncovers all the systems connected to your identity management providers, such as Okta, to start filling out your Data Silos table with the appropriate systems. If you can't run Silo Discovery, you can provide a list of your systems so we can import it for you.
- Run Structured Discovery on your supported systems:
  - Structured Discovery retrieves the datapoints, data categories, and other information relevant to the systems within your company, and adds them to your Data Inventory.
- Send assessments to find missing systems or gather more information:
  - If, after adding systems manually, you are still missing some information from other teams, you can send out assessments to retrieve it.
- Add additional systems that were missed by the discovery tools:
  - There are internal and external systems that cannot be captured by our automated discovery tools. Within the Data Inventory, you are able to add additional systems that are missing from the list.
Now that you have a specific list of requirements for your ROPA, and a list of tools to fill out the inventory, the next step will be to start filling out the tables of the inventory. We recommend starting from your Data Categories and Purposes of Processing tables, as they represent essential aspects of a good ROPA report.
- Review and add all your required Data Categories to the corresponding table of the inventory.
- Review and add all your Purposes of Processing to the corresponding table of the inventory.
- Run Silo Discovery on your Identity Management software to discover data silos in your organization, and add the newly discovered silos to your Data Inventory.
- Assign owners, and review or add data categories to the discovered data silos.
- There may be additional fields you want present in your ROPA; we encourage customers to add Custom Fields specific to their needs.
- Navigate to the “Data Silos” table and add your systems manually if necessary.
  - Click on “Add Data Silos”.
  - Find the integration that you would like to add, or add custom ones by clicking on “+ Add Custom Silo” and providing titles and descriptions.
  - Click “Save” to save your new custom silos, and edit them in the Data Silos table if necessary.
- If you are a Structured Discovery customer, run discovery on supported silos to retrieve information on the datapoints within them.
  - You can add RegEx rules for custom category detection if applicable.
- If you are an Assessments customer, run Assessments to collect the missing information about each system from their owners.
Tip: While gathering data, pay special attention to the fields identified as being required in your ROPA. You can customize your Assessment templates around your needs.
- Once your assessments are complete, you can fill out the information retrieved in the appropriate rows of the inventory.
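The following is an added illustration of the kind of RegEx-based category detection mentioned above; it is example code written for this guide, not Transcend's own rule format or implementation. The rule set, the Luhn checksum step (added here to reject digit runs that merely look like card numbers), and the sample datapoint values are all constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed rule set (assumption, not Transcend's rule format): data category -> regex
# matched against sampled values of a datapoint.
CATEGORY_RULES: Dict[str, re.Pattern] = {
    "Email address": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "US Social Security Number": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    # 13-19 digits, optionally separated by spaces or dashes; confirmed with Luhn below
    "Payment card number": re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)"),
    "Phone number": re.compile(r"(?<!\d)(?:\+?\d{1,3}[ -])?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}(?!\d)"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that have a card-like shape but are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def detect_categories(value: str) -> List[str]:
    """Return the data categories whose rule matches one sample value."""
    found: List[str] = []
    for category, pattern in CATEGORY_RULES.items():
        for match in pattern.finditer(value):
            if category == "Payment card number":
                digits = re.sub(r"\D", "", match.group())
                if not luhn_ok(digits):
                    continue  # card-like shape, but fails the checksum: not a card
            found.append(category)
            break
    return found


def classify_datapoints(samples: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Union the categories detected across each datapoint's sample values."""
    result: Dict[str, List[str]] = {}
    for datapoint, values in samples.items():
        seen: List[str] = []
        for value in values:
            for category in detect_categories(value):
                if category not in seen:
                    seen.append(category)
        result[datapoint] = seen
    return result


# Constructed sample datapoints (assumption): column name -> a few sampled values.
SAMPLE_DATAPOINTS = {
    "customers.email": ["alice@example.com", "bob@example.org"],
    "customers.phone": ["+1 415-555-0100", "(415) 555-0199"],
    "payments.pan": ["4111 1111 1111 1111", "1234 5678 9012 3456"],
    "employees.tax_id": ["123-45-6789"],
    "orders.note": ["Gift wrap, deliver after 5pm"],
}

if __name__ == "__main__":
    for datapoint, categories in classify_datapoints(SAMPLE_DATAPOINTS).items():
        print(f"{datapoint}: {categories or ['(none detected)']}")
```

Note that the second `payments.pan` value is filtered out by the checksum even though it matches the pattern; a regex on its own tends to over-report, so pairing a shape rule with a validity check, and reviewing what the rule flags before it feeds a ROPA row, keeps the inventory accurate.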
- Once you are happy with the information in your inventory, you will be able to create your report. To do so, navigate to Data Reports and click on “New Data Report”.
- Select a name for your report and click “Next”. Select all the tables that have information you’d like to add to your ROPA. You will still have the option to filter down the tables and fields you would like present in your ROPA.
- Many customers select the “Data Categories”, “Purposes of Processing”, and “Data Silos” tables for their reports. These views include information that will likely meet most customers’ data report needs, including ROPAs.
- Click “Next”, and you’ll be able to apply filters on the table to only show what you want to include in the report. You can click on “Columns” to further refine the table by selecting only the fields you want present in your ROPA.
- Continue this process until you have refined each table according to your needs. Once finished, you will see the tables that you selected have been exported, and how many records were included.
- Click “Download Data Report” to start downloading a ZIP file containing all the CSVs for each table. Click on “Save and Exit” to save this set of filters for future exports.
- You have now downloaded all the information required to run a ROPA! Review each file to ensure they meet your expectations, and decide how to customize it further.
Please note that each table represents a different abstraction level of the data within your systems, so consolidating the exports into a single file is not possible.
Now that you have run and saved your report, you can re-run the same report by clicking on the relevant row under “Export Settings” and re-running it. This pulls in the latest information from your inventory before providing you with an export of it.
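Since each exported CSV has to be reviewed against the field list you settled on at the start of this guide, here is an added example of a completeness check over one exported table. It is illustration code written for this guide, not part of Transcend; the column names, the required-field list, and the sample CSV are constructed assumptions, and the check reports required columns that are absent from the export as well as rows that leave a required field blank.

```python
import csv
import io
from typing import Dict, List

# Fields this check treats as required (assumption: align with your own ROPA field list).
REQUIRED_FIELDS = [
    "Purposes of Processing",
    "Data Categories",
    "Retention Schedule",
    "Legal Basis",
    "Transfers to Third Countries",
]


def check_export(csv_text: str, required: List[str], title_column: str = "Title") -> Dict[str, object]:
    """Report required columns missing from the export and rows with a blank required field."""
    reader = csv.DictReader(io.StringIO(csv_text))
    headers = reader.fieldnames or []
    missing_columns = [f for f in required if f not in headers]
    present = [f for f in required if f in headers]
    incomplete_rows: Dict[str, List[str]] = {}
    for row in reader:
        blanks = [f for f in present if not (row.get(f) or "").strip()]
        if blanks:
            incomplete_rows[row.get(title_column) or "<untitled>"] = blanks
    return {"missing_columns": missing_columns, "incomplete_rows": incomplete_rows}


# Constructed stand-in for one exported table (assumption: column names are illustrative).
SAMPLE_DATA_SILOS_CSV = """Title,Owner,Purposes of Processing,Data Categories,Retention Schedule,Legal Basis
Salesforce,sales-ops@example.com,Sales & CRM,"Contact, Identifiers",3 years after contract end,Contract
Mailchimp,marketing@example.com,Marketing,Contact,,Consent
Internal HR DB,hr@example.com,,"Identifiers, Financial",7 years,Legal obligation
"""

if __name__ == "__main__":
    report = check_export(SAMPLE_DATA_SILOS_CSV, REQUIRED_FIELDS)
    for column in report["missing_columns"]:
        print(f"column missing from export: {column}")
    for title, blanks in report["incomplete_rows"].items():
        print(f"{title}: blank required field(s) {blanks}")
```

Run the same check over each CSV in the downloaded ZIP with the required list adjusted per table; a missing column usually means the field was filtered out under “Columns” when the report was built, while a blank cell points back to a row of the inventory that still needs an owner's input.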