Creating a RoPA

The Records of Processing Activities (RoPA) feature in Kertos is designed to help you manage and document the processing activities of your organization in compliance with data protection regulations, such as the GDPR. It enables you to create, track, and manage all records related to data processing in an organized and automated manner.

 

Processing activities explained

Processing activities are the core units in RoPA that represent various actions your organization performs related to data. These activities must be documented to ensure compliance with regulations like GDPR.

Why Track Processing Activities?

  • To demonstrate compliance with data protection regulations.
  • To have clear visibility over all data processes within your organization.
  • To track who is responsible for the activities, the associated data, and the purpose of each process.

 

There are three different statuses in Kertos:

  • Discovered: These activities are identified through the automatic discovery process in Kertos. They represent data activities detected from the connected systems that haven’t been reviewed or activated by a user yet. Discovered activities remain in draft mode until validated.
  • Draft: Processing activities that are either manually created or imported from the catalog but have not yet been marked as active. Drafts are a work in progress, where more details can be added before they go live.
  • Active: Active processing activities are fully documented and confirmed by a user. These activities are operational and are tracked within the system. Once a processing activity is set to active, it is considered part of your compliance tracking and auditing processes.

RoPA dashboard overview

The RoPA dashboard provides a comprehensive list of all processing activities. It includes several columns:

  • Name: The name of the processing activity.
  • Status: The current status (Discovered, Draft, or Active).
  • Owner: The person responsible for the activity.
  • Department: The department associated with the activity.
  • Related Data Sources: Any data sources related to the processing activity.

 

 

 

RoPA detail view

Once a processing activity is created, the Detail View allows you to refine, document, and manage specific aspects of that activity, ensuring that all the necessary information is included for compliance and audit purposes. Below are the different sections available in the detail view and how to fill them out.

 

General

 

  • Name: This should clearly describe the processing activity (e.g., “Email Delivery”).
  • Description: Provide a brief description of what the activity entails (e.g., "This activity handles the process of delivering information to users via email").
  • Legal Entities: Specify the legal entity responsible for the processing activity (e.g., Kertos GmbH).
  • Owner: Assign an individual responsible for managing the processing activity.
  • Department: Link the activity to the relevant department overseeing the process.
  • Created/Updated At: These fields display the date and time the activity was created and last updated.

 

 

 

 

Data Processing

 

The Data Processing section allows you to document the following:

  • Relevant Data Sources: Identify and link any data sources that are part of this processing activity. These could be automated sources, such as Mixpanel, as seen in the screenshot.
  • Processed Data Subject Types: Specify which types of data subjects (e.g., employees, customers) are impacted by this activity.
  • Processed Data Classes: Define the types of data being processed in this activity (e.g., City, Country, Address, Gender).

 

 

Data Recipients

In this section, you can add internal or external data recipients who will have access to the data being processed:

  • Internal Recipients: Individuals or departments within your organization who are recipients of the processed data.
  • External Recipients: External entities, partners, or vendors who receive the data. You can specify whether the recipient is internal or external by toggling the appropriate buttons and adding their details.

 

 

 

 

Legal Information

The Legal section allows you to document the legal grounds for processing:

  • Purpose of Processing: Clearly define the reason for this activity (e.g., "Providing users with information").
  • Legal Bases: Select the legal basis for the processing activity (e.g., Standard Contractual Clauses - SCCs). If you select a legal basis under Article 9 of the GDPR, you will need to specify a corresponding legal basis under Article 6.
  • Automated Decisions: Indicate whether automated decisions are made as part of this activity.

 

 

Data Retention

In the Data Retention section, you can set the retention period for the data being processed:

  • Retention Period: Define how long the data will be stored (e.g., 5 years).
  • Data Erasure: Describe how the data will be erased once the retention period has expired.

 

 

Adding processing activities from the catalog

Kertos provides an extensive Catalog of predefined processing activity templates to help you quickly add common processing activities relevant to your organization.

 

1. From the RoPA dashboard, click on the Catalogue button at the top right.

You will be directed to the Catalog screen, where a list of predefined processing activities is available for selection.

2. Select a Template: Check the box next to the processing activity template you wish to add.

3. Click Import Selected.

 

 

 

Adding processing activities manually

Alternatively, you can add a new processing activity manually:

1. Click “Add Activity” in the top right corner.

2. Fill out the information as described in the detail view section.

 

Editing and Managing Processing Activities

 

Editing a Processing Activity

1. Navigate to the RoPA dashboard and click on the processing activity you wish to edit.

2. In the detail view, you can update any of the sections mentioned above by clicking on the relevant fields and saving the changes.

Changes will be tracked, and the Updated At timestamp will reflect the latest modifications.

3. Once you have entered and, if applicable, reviewed the activities you created, you can set them to active. To do so, select the relevant activities and click "set to active".

 

 

Exporting the RoPA

You can export the data from the detail view of a processing activity or from the RoPA dashboard for external use, such as audits or internal reviews. Follow these steps to export:

Export from Dashboard View:

1. In the RoPA dashboard, click on the Export button at the top right.

2. Select the format you wish to export (e.g., Excel, PDF).
