Summer Planning – Tasks To Address This Summer

By Phil Brining

This Friday’s Lunch with the DPO session will be looking at things we should be doing during the summer.  It’s interesting how the rhythm of the calendar and seasons shape our motivations and focus in a work context.  New Years’ resolutions, spring cleans, post-summer impetus etc. 

There was talk last month on LinkedIn about life five years on since the GDPR was enacted.  Five years is a long time with regard to developing work practices, but a blink of the eye in terms of a wider context of the evolution of business culture.  Five years on, we should be in an environment of demonstrable compliance across all aspects of the GDPR and the PECR.  2016 to 2018 should have been planning, implementation and testing: 2019 and 2020 about fine-tuning and adjusting, leaving privacy professionals 2021 to sit back with a fat cigar and blow smoke rings into the sky whilst sipping pina colada on the beach!  Notwithstanding Covid disruption, there are few if any privacy professionals who have managed to get their “business as usual” operations anywhere near being demonstrably fully compliant.  All sorts of things get in the way such as budgetary pressures, business priorities, mergers and acquisitions, and even changes in the interpretation of the law.

Many of the Outsourced DPO’s clients are taking time to critically review their RoPAs and in fact we are going through this exact exercise at DPP Towers.  RoPAs are probably the most critical point of reference for data protection practitioners comprising a list of processing activities, retention rules, processors and international transfers.  Good RoPAs also contain a register of lawful grounds for processing.  But what do we mean by “going through” the RoPAs?

A RoPA audit sets out to check that the RoPA accurately reflects the actual processing activities and that the information contained in the RoPA is complete, accurate and up-to-date.  So you need a two pronged attack.  On the first hand you need to select several entries on the RoPA and then go out into the business to find the processing activities those records represent.  Then you need to check that what you find in the field as it were, is the information recorded.  On the other hand, you need to get out into the business and select some of the business operations processing personal data.  You need to immerse yourself into these activities and check that what you find is recorded on the RoPA.  It’s always fun to pick a process and follow the data through the organisation to see where it flows, how it’s handled and controlled.

If you find anomalies, it may mean that your BAU processes are not working efficiently or effectively – or it may mean that the concept of a RoPA is too rigid and more difficult to create and maintain than it seemed back when the GDPR was being drafted!  But that’s something for another day.

I’ll be interested to see what my colleagues propose as their summer lovin’ tasks on Friday’s session but for me, I’d crack on with a RoPA audit. 

If you haven’t joined one of our Friday lunchtime webex’s please get in touch with us via [email protected].  They are free, informative, and a chance to discuss data protection matters with a bunch of like-minded folks.

Contact Us

Send us a Message

Data Protection Project
GDPR Gap Analysis/Audit/Review
Outsourced Privacy Officer/DPO
Support Desk
SAR Support
Cyber Maturity Assessment
NIS Regulations
Information Governance Documentation
DataWise System

We are always happy to make contact with you by either phone, email or a face to face meeting at our office or yours. We work standard UK office hours – every week day 0830 to 1730.


We have been advising those people who have contacted us that they should make a complaint to the Information Commissioner’s Office (ICO) using this link  It would be helpful to the ICO if you knew the number that called you, the date and time of the call and what the call seemed to be about.

You might also want to register your phone number with the telephone preference service (TPS), a national suppression service which should cut down calls of this nature as it is not lawful to make unsolicited direct marketing calls to numbers registered on the TPS.  You can register your number here

We know that these kind of calls can be distressing and intrusive and you have our sympathy.  Please do not hesitate to contact us if you would like to discuss it with us otherwise we’d encourage you to report it to the ICO as notifying them of this kind of practice enables them to investigate and take enforcement action where necessary.  You can see the action that has been taken by the ICO here

Data Protection People Limited – March 2021