A Record of Processing Activities (RoPA) is one of the most important components of compliance and data protection efforts a business should conduct and is mandatory in many data privacy regulations, including the LGPD, GDPR, and more.
In this article, we’ll explain RoPA LGPD, including what it is, why it is important for the Brazilian data privacy law, what to include in it, and how to make a RoPA.
Let’s dive right in.
Key Takeaways
- A RoPA is a review of all data processing activities a business conducts.
- LGPD requests organizations to keep a “Processing Operation Registry” or RPA.
- There are no specific requirements for what a RoPA LGPD should include, unlike with GDPR RoPA.
What is a RoPA?
A RoPA, or Record of Processing Activities, is a review of all data processing activities a business completes.
Similarly to the EU’s GDPR, The Brazilian Lei Geral de Proteção de Dados or LGPD also requires that data controllers (businesses) keep a record of their data processing activities.
Under Chapter 6, Article 37, LGPD requests that organizations must keep a “Processing Operation Registry” or RPA:
“The controller and the operator shall keep a record of the personal data processing operations that they perform, especially when based on legitimate interest.”
Why is RoPA Important for the LGPD?
A RoPA is important for several reasons, not just for LGPD but for other similar regulations as well.
Here are some reasons why RoPA is important:
- Compliance: RoPA is legally required by several data protection regulations
- Accountability: By creating a RoPA, a business effectively demonstrates its data protection and regulatory accountability
- Transparency: Another reason to create a RoPA is to be more transparent and have a record of all data processing your business is conducting
- Risk management: By making a record of their processing activities, a business can better understand and manage risks associated with them
- Data minimization: A RoPA can also help an organization identify and eliminate any unnecessary data processing activities and assist in data minimization
- Auditing: During compliance audits and inspections, regulatory authorities may also request access to RoPA
- Third-party relationships: The information that must be included in a RoPA is that of any third parties with whom personal data is shared
- Improving data processing activities: Finally, since a RoPA serves to help ensure that a company is fulfilling its data processing requirements, it can also be used to improve upon those same activities for the future
Is a RoPA the Same Thing as Data Mapping?
Although RoPA and data mapping for LGPD are both important for data protection compliance and data management, they have different purposes.
1. Focus
Whereas RoPA is a record of how a business processes data and is often mandatory for compliance with data privacy laws, data mapping is a strategic approach that organizations undertake to manage the flow of personal data across their operations.
2. Types of Data
While RoPA deals only with how personal data is collected, used, stored, shared, and protected, data mapping can also include non-personal data.
3. Purpose
The main purpose of a RoPA is to serve as a compliance tool and help an organization meet legal requirements when it comes to data privacy and protection. On the other hand, data mapping is more of a roadmap for personal data a business owns.
What to Include in a RoPA (LGPD)?
Unlike the GDPR, which specifies the RoPA requirements in Article 30, the LGPD does not list the specific requirements for this type of record that data controllers and data processors must fulfill.
However, the Brazilian Data Protection Authority (ANPD) recently proposed a template for RoPA for small processing agents, including both data controllers and processors.
The template includes the following minimum information that should be included in a RoPA LGPD:
- Types of personal data being processed
- List of personal and sensitive personal data processed
- Purpose of processing data
- What data subjects are involved (their categories)
- Sources of personal data
- If data is shared, the name of the processing agent who receives the data
- If processing is done by other organizations (data processors) on behalf of the controller, their list
- Data retention information
- Data disposal information
- Security measures
- Third countries and international organizations for data transfers
- International data transfer safeguards
- Legal basis for data processing
How to Make a RoPA LGPD?
Creating a RoPA for LGPD can look intimidating, especially because LGPD does not detail the information that a business should include here as the GDPR does.
However, these are general guidelines to follow when creating a RoPA for LGPD:
1. Describe Your Data Processing Activities
Start by taking an inventory of all of your data processing activities. You should know where personal data is collected, used, stored, and shared.
2. Categorize the Types of Data
The next step, after identifying your data processes, is to categorize the types of data you have. This includes personal data, sensitive data, customer or employee data, and so on.
3. Categorize Your Data Subjects
In the same manner that you categorized the different data types you have, you should also categorize the data subjects whose data is being processed. For instance, your categories might be customers, website visitors, vendors, and employees.
4. Identify Your Data Sources
Next, where do you get your data for each processing activity? In other words, what are your data sources or data origins? Your data sources might come from an internal database, customer interaction channels like the website or social media, or third-party providers.
5. Classify Data Recipients
If you are sharing the data with anyone, like third-party vendors or partners, you also need to identify them, as you will be responsible for their actions related to the data they have access to.
6. Explain Your Processing Purposes
Each data processing activity you perform should have a clear purpose. This can be to promote a new service, employee payroll, CRM, or something else. But, there needs to be a good reason to collect data.
7. Specify the Legal Basis for Processing
Of course, you cannot just process someone’s personal data without having a legal basis for doing so. This can be a legitimate interest, a contractual obligation, a legal obligation, or a freely given consent. Here are some cookie consent best practices you should follow.
Keep in mind that consent and legitimate interest should follow LGPD’s articles 8 and 10.
8. Create a Visual Data Map
You should also understand how data flows throughout your organization. This is where a visual data map or diagram comes in very handy. The journey data takes from start to finish for each processing activity.
9. Specify Data Retention
How long do you retain each type of data you process? This can vary depending on your business needs, legal requirements, or the purpose of processing.
10. Detail the Security Measures
How will you protect the data you are going to process? What will be your safeguards, both on the technical and organizational level? Your security measures can include access control, multi-factor authentication, using virtual private networks (VPN), encryption tools like emails, and more.
11. Appoint a DPO
According to Article 41, LGPD requires controllers to appoint a person who will be in charge of personal data or a DPO (data protection officer). The identity and contact information of this person should be made public.
12. Make RoPA LGPD Available to the Authorities
The RoPA should be available in written or electronic form to the relevant authorities. This is in keeping up with the accountability and transparency principles of the LGPD. Furthermore, you should also make it available to shareholders who have a legitimate interest.
13. Conduct a DPIA
For high-risk data processing activities, conduct a Data Protection Impact Assessment or DPIA following LGPD Article 38.
The DPIA should include a description of the types of data you’ve collected, methods you used to collect the data, information security measures, and the data controller’s analysis of measures, safeguards, and risk mitigation mechanisms employed.
14. Update the Record
The information in the RoPA doesn’t stay the same forever. Data changes, so regularly reviewing and updating this document is vital to maintain your compliance with the LGPD.
Update your record whenever you make a change to your processing activities to keep it up-to-date. Since it’s easier to update an electronic than a paper document, we recommend using a spreadsheet or compliance software.
If this still looks daunting, you can get expert help to ensure LGPD compliance and create a RoPA for your business from Captain Compliance.
Conclusion
Creating and maintaining a RoPA LGPD is important if a business wants to be compliant with this regulation and improve its data processing activities.
Are you looking for an LGPD compliance solution? If so, Captain Compliance can be your trusted partner to meet all your compliance needs. Get in touch with us today!
FAQs
Do I need my LGPD policies in different languages?
Like all other privacy-related policies, LGPD policies must also be written in clear language that the data subject will understand.
There is no specific rule as to which languages you should use, but keeping in mind that LGPD applies to Brazilian citizens, it’s highly recommended to at least have the policies in Brazilian Portuguese.
Learn more about how to draft a small business privacy policies today.
How often do I need to update my LGPD policies?
The LGPD has no specific time frame within which you have to update your privacy policy. However, you should still review the policy periodically (at least once a year) and update it as needed.
Want to learn more about LGPD cookies? Then click here and find out.
What should a RoPA include?
Record of Processing Activities (RoPA) should include:
- Controller’s name and contact info
- Processing purpose
- Categories of personal data
- Categories of data subjects
- Categories of recipients of personal data in international organizations or third countries
- Time limits for data deletion
- Security measures.
Here are the best RoPA examples you can reference.
Is a RoPA a legal requirement?
All organizations, regardless of size, must maintain a record of processing activities unless there is an exemption in place.
Here is a detailed list of GDPR RoPA requirements that may apply to the LGPD.