Yup, you heard right – the Protection of Personal Information Act 4 of 2013 is couched in a manner that allows the Regulator to assume you are non-compliant and ask you to submit evidence to prove otherwise.
Where will they start? Documentary evidence.
Documentary evidence usually presents itself in the form of policies, procedures, breach records and assessments.
But, if we were working for the Regulator we’d start by calling for your Record of Processing Activities (“the RoPA”).
What is a RoPA?
The RoPA is an internal written description of your company’s processing activities (i.e. each task involving personal data). Each activity is listed under its respective department (like HR, Sales or Payroll) in a table format and lists (among other things) the types of data you collect when performing each activity. It is more than an inventory of your data types – the RoPA will also provide an overview of why you are collecting the data, which legal basis you rely on to collect it, where it is kept, with whom it is shared, how you protect it and more.
Why is it important?
Think of it as an internal dashboard for your data, processing and suppliers. It is probably the strongest documentary evidence through which you can prove compliance.
If your RoPA is completed accurately, you’re able to identify your various risks and ask the right questions. It’s in your best interest from both a compliance oversight and audit perspective.
Like – Am I collecting data I don’t need? Do I need their consent, or can I rely on my company’s legitimate interest? Have I got controls in place (including with my suppliers) that will adequately protect the data? How long do I keep it for? Is the server overseas?
Completing the RoPA is a good opportunity for your information officer to understand the data flow in your company. It also allows you to make strategy decisions that could either increase or decrease your compliance burden. Sometimes it’s as easy as switching a system – like us – from MailChimp (USA) to Mailerlite (GDPR). Other times your particular activity might present risks that require further steps to be taken. In these higher risk cases, you’ll need to perform an impact assessment on the specific activity to justify why you think you should be entitled to continue doing it and how you plan to mitigate any risks. In very high risk cases, you should probably get a legal opinion to further justify the conclusions in the impact assessment – this is usually where you’re not sure if you’re allowed to collect or use the data to begin with, or are worried about transfers to overseas countries.
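To make the questions above concrete, here is an added example (not from the original post or the firm it describes) that models a RoPA row in the table shape described earlier and runs the post’s checklist questions over it as red-flag checks. The field names, the home country “ZA” and the two sample rows are assumptions constructed for illustration.

```python
from dataclasses import dataclass

HOME_COUNTRY = "ZA"  # assumption: a South African company, so any other country is "overseas"

@dataclass
class RopaEntry:
    """One row of the RoPA table: an activity listed under its department."""
    department: str
    activity: str
    data_types: list        # what is collected, e.g. ["name", "bank account"]
    purpose: str            # why it is collected
    legal_basis: str        # e.g. "consent" or "legitimate interest"; "" if not yet decided
    stored_in: str          # country of the server holding the data
    shared_with: list       # internal teams or external suppliers
    safeguards: list        # controls protecting the data, including at suppliers
    retention_months: int   # 0 = no retention period decided

def red_flags(e: RopaEntry) -> list:
    """Apply the post's checklist questions to one row and return the issues found."""
    flags = []
    if not e.purpose:
        flags.append("no purpose recorded: is this data actually needed?")
    if not e.legal_basis:
        flags.append("no legal basis recorded: consent or legitimate interest?")
    if not e.safeguards:
        flags.append("no controls recorded to protect the data")
    if e.retention_months <= 0:
        flags.append("no retention period decided")
    if e.stored_in != HOME_COUNTRY:
        flags.append(f"server overseas ({e.stored_in}): assess the cross-border transfer")
    return flags

def review(entries: list) -> dict:
    """Map 'Department/Activity' to its list of red flags for the whole RoPA."""
    return {f"{e.department}/{e.activity}": red_flags(e) for e in entries}

# Constructed sample rows (hypothetical values, not a real company's RoPA).
SAMPLE_ROPA = [
    RopaEntry("HR", "Payroll", ["name", "ID number", "bank account"],
              "pay staff", "legitimate interest", "ZA",
              ["payroll provider"], ["access control", "encrypted backups"], 60),
    RopaEntry("Marketing", "Newsletter", ["email address"],
              "send product updates", "", "US",
              ["mailing-list provider"], ["supplier contract"], 0),
]

if __name__ == "__main__":
    for key, flags in review(SAMPLE_ROPA).items():
        print(key, "->", flags or ["no red flags"])
```

Re-running the review after a supplier change (for example, a new storage country) shows immediately which rows now need an impact assessment.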
How do I complete a RoPA?
Your Information Officer should project manage the process. Be warned, it can take up a lot of time and resources.
Good practice is to complete the RoPA in consultation with every internal department and key stakeholder. I find it easier to have a face-to-face discussion the first time round, to be able to explain and ask the right questions as they come up; others may find that circulating a questionnaire by email works just as well.
The idea is for each department/stakeholder to answer questions as to what types of data they collect or hold, how they do so, why they do so, for how long, with whom they share it (internally or externally), how it’s protected, and more.
A RoPA is not a once-off activity – it needs to be a living document reflecting your current practices. For example, if you change payroll providers, this must be reflected in the RoPA.
How regularly? Well… it depends (classic lawyer’s answer – I know…).
If your company’s operations are fairly simple with few changes to data and suppliers, then at least annually. But always have an ear to the ground – especially with suppliers, new systems or technology, or activities – if they notify you that they are moving their servers (holding your data) to another country, this could very well affect your compliance status and you need to do a little digging to assess your risk.
How can we support you?
Luckily, we have the experience and expertise in performing impact assessments and (where necessary) legal opinions on a range of processing activities covered by POPIA. If you don’t have the time or resources, we can also run the RoPA programme for you at either a once-off or monthly fee.
If you have completed your RoPA but would like our legal assurance in analysing the information gathered by you or need help picking and addressing the red flags in the RoPA – please get in touch.
If you’re still reading this and would like a template of a RoPA to complete, please email mitch@brooksandcompany.co.za