Skip to main content

RoPA Management

DataGrail offers a streamlined and guided experience for creating and maintaining an up-to-date Record of Processing Activity (RoPA).

RoPAs are managed at the Processing Activity level, allowing your team to easily manage RoPAs across multiple systems in your organization that are assigned to a given Processing Activity.

This document describes how RoPAs are created, reviewed, exported, and maintained.

Every Processing Activity in your account will automatically be associated with a RoPA when created. To access a RoPA:

  1. Navigate to the Processing Activities page.
  2. Select the relevant Processing Activity.
  3. Select the RoPA tab from the top menu.

Navigating to RoPA Page

Populating RoPA Details

To guide you towards completing all required RoPA fields, you will see a progress indicator in each section of your RoPA. If all required fields in a section have been filled out, you will see a green checkmark. Otherwise, you will see an Incomplete Data icon.

Editing RoPA Data

RoPA data can be filled out in three ways:

  1. Automatically through DataGrail’s Intelligence Library: DataGrail pre-fills critical information on systems, such as the personal data categories it likely processes, and whether there is potential for AI usage within the tool.
  2. Automatically through completed System Profiles: If you've made any edits to your System Profiles, the most recent data in the System Overview will additionally be used to pre-fill any corresponding RoPA fields.
  3. Manually through the RoPA editor: The RoPA view allows DataGrail users to fill in details manually at the RoPA level.

Data from DataGrail’s Intelligence Library will not be considered for a given system if it has been manually populated by your team. RoPA fields that have been populated automatically will show a Pre-Filled icon.

Best Practice

Leverage the AI-generated system data by adding relevant systems to your processing activities. Always review this information against your company's unique use cases and policies to make the final legal calls. After your review, simply complete any remaining fields or use 'N/A' if a question doesn't apply.

Inviting Contributors

A comprehensive RoPA requires input from across your organization. To make this collaboration simple and secure, you can invite contributors to provide their expertise on specific processing activities.

Contributor access is secure by design. It is temporary and limited only to the activities you share, ensuring stakeholders can provide necessary details without granting them full access to your privacy program.

When in edit state, you will see a button to Add Contributors and can invite individuals to see, edit and review the specific RoPA report that you have shared with them.

Invite Contributors

Export a RoPA

A RoPA is a living document. DataGrail continuously monitors for new systems and new data categories, helping you keep your RoPA up-to-date as your organization evolves.

Before exporting a RoPA, ensure the following:

  • A Data Protection Officer or Representative has been assigned in Settings -> Reporting Contacts.
  • All of your Processing Activities have complete RoPA data, with no missing mandatory fields.
  • All Processing Activities have been reviewed and updated recently (we recommend a review at least every 180 days).

To download your RoPA, just select Download RoPA from the Processing Activities page. The CSV export offers the flexibility to fine-tune formatting and meet your specific reporting needs.

The RoPA CSV will export all Processing Activities that you have in your Processing Activity table, along with the associated systems and the details in each Processing Activities RoPA tab.

Ensuring Long-Term Compliance

To ensure that your RoPA is audit-ready, DataGrail will alert you to Processing Activities that have incomplete RoPA data and that have not been reviewed in over 180 days.

Suggested Filters

Segment your Processing Activities by the ones that need your attention using the following filters on the Processing Activities page:

  • RoPA Data: Show Incomplete Data - Use this filter to isolate Processing Activities with missing fields, based on Article 30 requirements.
  • Last Updated: 180 days ago - Use this filter to isolate all Processing Activities that haven't been reviewed for at last 180 days.

 

Need help?
If you have any questions, please reach out to your dedicated Account Manager or contact us at support@datagrail.io.

Disclaimer: The information contained in this message does not constitute as legal advice. We would advise seeking professional counsel before acting on or interpreting any material.