New RoPA guidance published by the Data Protection Commission Ireland

New RoPA guidance published by the Data Protection Commission Ireland

The Data Protection Commission – the Irish supervisory authority for the General Data Protection Regulation (GDPR) – recently published a new guidance note on records of processing activities under Article 30 of the GDPR (RoPA).

The new guidance serves as a helpful tool for any organisation required to maintain RoPA. It includes not only a list of ‘dos and don’ts’ organisations can refer to when preparing and maintaining their RoPA, but also two templates in a spreadsheet format.

Moreover, the guidance alerts organisations to practices they should refrain from, including where the RoPA contains insufficient details – such as hyperlinked documents rather than listing information (as required) – that may later not be accessible to the supervisory authority.

As mentioned in the guidance itself, well maintained RoPA serve as a measure to demonstrate the organisation’s compliance and is one of the means by which data controllers can demonstrate and implement the principle of accountability set out in Article 5(2) GDPR.

The new guidance was announced by the DPC’s deputy commissioner on 19 April 2023 and can be found here.

The guidance is particularly helpful for organisations that are required to appoint an Article 27 representative under GDPR and/or UK GDPR. The EU and UK representatives serve as a point of contact for data subjects and supervisory authorities on behalf of organisations not established in the EU and/or the UK, but are doing business with EU and UK clients. As part of their duties, EU and UK representatives are tasked with holding organisations’ RoPA securely. The responsibility for having RoPA in place, however, stays with the organisation.

Unsure if you are required to appoint an EU and/or a UK representative? No need to worry! Just use our self-assessment tool to find out or get in touch. We’d be delighted to assist.

Founded by legal and data protection experts recognised by the world’s largest global information privacy community, Willans Data Protection Services provides organisations operating on a multi-national basis with EU and UK Representative solutions, Data Protection Officer services and training solutions under the GDPR.

Through its affiliation with UK law firm Willans LLP, it also provides organisations with wider advisory services concerning GDPR compliance such as GDPR audits, drafting policies, preparing legal documentation and bespoke legal advice.

Contact us for all things concerning data protection.