Configure RoPA Attributes
The Configure RoPA Attributes allows administrators to define and manage the dropdown fields used in Records of Processing Activities (RoPA). This includes configuring sections such as Group, Customers, etc. Administrators can add new fields, edit existing ones, or remove unused fields to ensure the RoPA forms align with organizational needs.
The Edit Action Item allows administrators to add new fields, modify existing ones, or remove unused fields within the Records of Processing Activities (RoPA) configuration.
Add Processing Activity
To add a processing activity, click on the + Add icon on the main page of Processing Activities, and the Add Processing Activity pop-up window will appear.
While adding a Processing Activity, the process is automatically organized into important sections, and detailed information is provided on the Processing Activity Summary page.
Processing Activity Name: Enter the name of the processing activity to curate information related to activities in progress or completed within the organization.
Start date and End Date: Specify the start date of the processing activity. If the end date is unknown or ongoing, leave the field blank or select the "Indefinite" option.
Description: Enter the purpose, scope, and key findings of the processing activity.
Process Owners: The Process Owners segment defines roles like Group, Processor, Controller, Owner, and Compliance Officer, establishing a transparent chain of responsibility.
The names of the governance roles can be modified via Security > Governance roles.
The values in the Group can be configured from the backend.
Data Subjects: Data subjects are the ones whose private data is maintained.
Data Processing: The Data Processing section includes critical elements like source, collection points, automated decision-making (based on data collected, is there any automation involved internally in the organization), lawful processing criteria, and the systems employed, ensuring a transparent workflow.
Data Storage: In the Data Storage segment, we mention manual/physical and electronic storage options alongside retention periods and disposal methods, emphasizing security and compliance.
Data Sharing: Data sharing in GDPR refers to transferring or disclosing personal data to third parties, subject to legal basis and appropriate safeguards, while ensuring compliance with data protection principles.
Risk and Security: Lastly, the Risk and Security section incorporates risk classification and security controls, ensuring robust protection measures are in place.
Access Processing Activity
Processing Activity Summary
On the Processing Activity main page, clicking the Processing Activity name link displays the processing activity summary. It offers a comprehensive snapshot of essential information related to the processing activity and its associated data objects. It includes the activity description, custom fields, PII terms, data subject categories, top users' engagement, update history, and important dates such as creation and modification. This summary offers a concise overview of the critical details of the processing activity.
Description: This summary offers a high-level understanding of the processing activity's purpose, scope, and main findings. The process owner creates it manually.
Personal Data: This displays PII terms associated with the processing activity.
Process Owners: Process owners are individuals or groups responsible for creating the processing activity.
Data Subjects: This includes fields for Customers (Corporate/External/NA), Employees (Applicant/Active/Resigned/NA), Others (External Parties/Internal Parties/NA) and Interns (External/Internal/NA). This approach enhances transparency in understanding the diverse individuals impacted by processing activities, promotes responsible data stewardship, and ensures compliance with privacy regulations.
Data Storage: The Processing Activity Summary Page details data storage methods, including manual, physical, or electronic means, and highlights security measures such as masking. The page also emphasises responsible data management, describing how data is deleted (using methods like Electronic Erasure) and kept for a specific period, for example, 80 days (The timeframe can be adjusted).
Method of Storage: Indicates how the data is stored.
Storage System: Specifies where the data collected for the processing activity is stored.
Security Control: Describes the security measures in place to protect the data.
If "Specify Others" is selected, enter a custom security control value in the input field.
Disposal Method: Explains how the collected data will be disposed of after use.
Retention Period: Specifies how long the data collected for the processing activity will be retained.
Data Processing: The Data Processing section collects and stores information about the Source from which the processing activity data is collected. Collection points are nothing but the way the data is collected. They can be Forms, Websites, and Office forms. If "Specify Others" is selected under Collection Point Parties, a text box appears to enter custom values for Other Collection Point Parties. Automated decision-making describes whether the decision on the processing activity is made automatically or manually. Lawful Criteria describes which criteria are used to meet the compliance requirements while creating a processing activity. Depending on the organization, the processing system can be automatic or manual.
Data Sharing: Data Sharing explains private data sharing among users. It differentiates between people within the organization and those outside of it. It also mentions how the data is shared, like through Application Programming Interfaces, and whether it is transferred to other countries. If data is transferred to another country, the country field must be filled in, and a Security Controls section appears to define measures such as password protection. It clearly shows who can access the data and how it's shared internationally. The user enters the information manually.
Risk & Security: This classification explains the risk level linked to processing activities. It helps organisations implement specific security measures and compliance strategies to reduce potential vulnerabilities effectively. The risk levels are High, Low, and Medium.
Status: A newly created processing activity stays in draft status. It can be saved for review and collaboration before final submission. To publish, send a request. The activity is published after stakeholder approval. The status appears as either Draft or Published.
Once a RoPA Processing Activity is published, it can be moved back to Draft for further edits, reviews, or corrections.
RoPA Contributors and Governance Roles can move published reports back to Draft status.
History: Displays the record of status changes made to the respective Processing Activity.
Top Users: The Processing Activity Summary Page identifies the primary users involved in these activities, indicating their level of engagement and responsibility for data management. It helps organizations follow the rules and builds trust in data handling.
A snapshot of a Processing Activity Summary is provided below for your reference.
Associate Data to Processing Activity
The Associated Data section displays various data objects, including Databases, Tables, Table Columns, Files, File Columns, Reports, Report Columns, and Codes. These objects are associated with the configured PII Terms in the Processing Activity. When the same PII Term is linked to data objects such as schema, tables, table columns, etc., those objects are displayed in respective tabs categorized by the Term name.
The list view offers detailed information about data objects based on the selected object type.
Example:
Suppose a PII Term called "Email Address" is configured in the Processing Activity. If the "Email Address" term is associated with a table column named "User_Email" in the "User" table and a report column named "Contact_Email" in a report, these objects will be displayed in their respective tabs under the "Email Address" term.
In this scenario, navigate to the "User_Email" table column or the "Contact_Email" report column, view their summaries, and access the business glossary term summary by clicking on the "Email Address" term. The "Table Columns" tab will show the count of table columns associated with the "Email Address" term, including the "User_Email" column. Similarly, the "Report Columns" tab will display the count of report columns associated with the term.
Additional Operation on Activity
The additional operations that can be performed on the Processing Activity include the following:
Adding/Removing Processing Activity from the Watchlist: Allows adding or removing the selected Processing Activity from the Watchlist.
Downloading a Processing Activity: This option allows downloading the selected Processing Activity in a list view. For example, download and share the processing activity with compliance officers as proof.
Editing a Processing Activity: Use the 9-Dots menu to modify an existing Processing Activity from either the details page or the individual summary page.
Updating Governance Roles: Update Governance Roles such as Owner, Steward, Custodian, and custom roles (if configured). Assign roles by selecting members from the drop-down list.
Configure Search Keywords: Add search keywords to Processing Activities to improve searchability and quickly locate relevant data.
Collaboration Message: Use the Collaboration feature to communicate and collaborate efficiently. Tag individuals or teams using the ‘@’ annotation to notify the right recipients. Supports media types such as images, URLs, and links for added context.
Copyright © 2025, OvalEdge LLC, Peachtree Corners, GA USA
Last updated
Was this helpful?