Working as DPO with this distributor of healthcare products and services, which has companies across Europe, we worked on a project to meet the Article 30 requirements of the GDPR. This was a big project, taking well over 6 months. The companies in the group operate as controller and processor across a diverse range of processing activities. One of the more challenging aspects of this project was the processor ROPA, as the companies in the group work with hundreds of controller customers. The challenge is not just in documenting the processor ROPA but in ensuring that it is maintainable in an ever-changing business landscape. The project has driven a better understanding of the organisation's processing activities and will help to drive compliance going forward, particularly in the areas of data transfer and security.