Your Record of Processing Activities

A Record of Processing Activities (or ROPA or "Article 30 report") is required under Article 30 of Europe's General Data Protection Regulation (GDPR). Data controllers and data processors must maintain an overview of all data processing activities. Each processing activity should include information about the purpose of processing, the categories of personal data processed, the categories of data subjects, any data transfers to third countries or international organizations, information about how long the data is retained, and a description of security measures (more on that below!).

This can be hard because teams frequently add or change their data systems. Often, no single person has a consistent, accurate, or comprehensive understanding of the company's data systems, data categories, and purposes of processing. Producing a ROPA for regulators can become a significant resource drain, delaying reports and risking non-compliance.

With Transcend Data Mapping, you have a live-updated ROPA, which is kept in sync with changes to your company's tech stack, ensuring your Record of Processing Activities is always accurate and ready at any time to be exported. A live-updated ROPA is possible because Transcend Data Mapping sources information directly from base-truth: your data systems. By continuously monitoring your data systems, Transcend has a live, system-level representation of all data in your business. This system-level representation is displayed in your Data Inventory.

A Record of Processing Activities in Transcend Data Mapping

If you're a first-time user, Transcend will prompt you to run a 30–45 second scan on your website to identify data systems on your website. This is a great starting point—we'll automatically detect your analytics and advertising technologies and load them into your ROPA to get you started.

Site Scan. In order to ensure the most up-to-date information is being used, let's start with a fresh scan of your site. It should take about 30-45 seconds.

You can also uncover additional data silos by connecting plugins like Okta or Segment, which monitor for new data silos.

In the Admin Dashboard, under Data Mapping, click ROPA. From here, you will see all records of processing activities.

Your records will have the following fields:

  • Data Category: a category describing what type of data you're collecting (e.g., credit card data would be Financial, and phone numbers would be Contact information).
  • Purpose of Processing: a category describing why you collect this data (e.g., Contact information may be used for Marketing purposes).

The above are the only required fields. We require that each record contains a 1-to-1 combination of Data Category and Purpose of Processing. If you have multiple Data Categories used for the same Purpose of Processing (or vice-versa), you should create separate records for these combinations.

The remaining fields are recommended:

  • Data Subjects: who this data relates to (e.g., customers, employees).
  • Recipients Categories: categories describing who you share this data with (e.g., Hosting providers, Email Marketing tools).
  • Joint Controllers: if you jointly control this data with a third party, you can list them in your ROPA.
  • Third Countries / Organizations: if you transfer this data outside the EU to a third country or international organization, you can list them in your ROPA.
  • Owner: If you would like to assign this record to an owner, you can select a Transcend user or enter an email address, which will invite them to Transcend. This field is not required in your ROPA, but it can be useful for internal purposes.
  • Notes: any additional information you would like to add. This field is not required in your ROPA, but it can be useful for internal purposes.

Each record of a processing activity is either a derived record or a manually created record.

In your ROPA, derived records are created from your data silos (such as SaaS tools and databases) and the datapoints within those data silos. Data silos and datapoints are displayed in the Data Inventory under the Data Silos and Datapoints tabs.

The datapoints for the payment processor, Chargebee.

Transcend has pre-built mappings of the datapoints inside many SaaS tools. Each datapoint is mapped to a Data Category and Purpose of Processing. You'll likely see this data initially auto-populated in your ROPA. If necessary, you can override these labels in your Data Inventory.

You can edit each record's data retention type, retention period, and other relevant notes directly inline.

For derived records, the "Source" column displays the data silos that provide evidence for this processing activity.

The data silos providing evidence for this processing activity.

Since Transcend derives your processing activities from the system-level base truth (your Data Inventory), derived records will have a lock icon on the Data Category and Purpose of Processing, and these fields cannot be edited directly. Instead, you should inspect these fields at the system level within your Data Inventory, and if necessary, you can override these labels.

For example, let's take the above processing activity and inspect the system-level information. In the Datapoints tab of the Data Inventory, you can filter by Data Category and Purpose of Processing. We can inspect all Financial datapoints used to provide a Basic Service or Feature.

All financial data used to provide a basic service or feature.

All manually created records can be edited inline.

To manually create a record of a processing activity, click "Add Record". A dialog box will open, asking you to enter the information described in Step 2. Only Data Category and Purpose of Processing are required fields.

In order to add Joint Controllers or Third Countries / Organizations, you need to first register them in their respective tabs ("Joint Controllers" and "Third Countries / Organizations"). These fields are optional, so you can always create the record and add them later. This will be covered in the next step!

If you have records that require a Joint Controller or a Third Country/Organization, first make sure that they're registered in their respective tab.

For example, go to the Joint Controllers tab, click "Add Joint Controller", and fill out the required information.

Add a new Joint Controller

You can now add that Joint Controller to records in your ROPA by editing them inline.

Depending on how your organization is set up, which teams can stand up new systems, or how often these systems and datapoints change, building and maintaining an accurate, up-to-date ROPA can be a challenge. Transcend includes intuitive collaboration tools so that you can leverage cross-functional teammates to update and own different sections of your ROPA.

Under "All Records", each data record has an Owner column. Use this dropdown to select a teammate who should be the primary system owner. Existing Transcend users will automatically appear in this dropdown menu. You can also type in an email to invite a new user to your Transcend account.


Your teammate will receive an automated email from Transcend, informing them that they are the owner of one or more specific data records and prompting them to log in and make any appropriate edits.

Regulators or other external needs may require you to have your ROPA as a static deliverable. With Transcend, easily export your ROPA by selecting Export to CSV from the top right. This will download a CSV file with your entire ROPA, including:

  • ROPA Item ID (Transcend identifier)
  • Data Category
  • Processing Purpose
  • Data Subjects
  • Owners (will populate owner email addresses)
  • Underlying System Owners (will populate owner email addresses)
  • Transcend Derived (True/False)
  • Joint Controllers (if applicable)
  • Third Countries/Orgs (if applicable)
  • Retention Type (if applicable, otherwise is noted as Unspecified)
  • Retention Period
  • Notes