If you have "purpose" as a drop down list in your ROPA or Data Mapping, you may well be heading in the wrong direction of compliance.
It's always good to try to control and uniform information within our systems; from a GDPR & software development perspective it’s how we can predict what information will be entered and how we can risk assess and classify fields. Nothing grates more than looking down the columns of a spreadsheet (or system) and seeing variations of the same data. However there is one area that has little or no place for a drop down list…
And that is the section that holds "Purpose" for collecting, transmitting and processing data. I am not a Solicitor. I am a Solutions Analyst who has lived and breathed data protection for decades - working primarily on the operational side of Data Protection. I work with various organisations focusing on the implementation of software, data mapping and helping businesses align GDPR with their existing processes. I have seen numerous spreadsheets and systems that capture information around processing activities and they all seem to make the same assumption around "purpose" that is generalised and often in the form of a drop down list.
Deciding the purpose of data within an existing process that's been in place for some time can be one of the most difficult to articulate as it's not always obvious. However, if you can't document it properly how will you let people know the purpose data is being used for?
Entering "business purposes" or "HR purposes" may fit nicely into your spreadsheet or GDPR compliance system, however this is far too general to let you or the individual know the actual purpose their data is being processed. The less information you have in there, the higher the risk of non- compliance.
Here is a good example of a purpose that will be relevant to some businesses:
Sales Enquiry & Customer Service handling via written, telephone, email and/or live chat.
To respond, provide support, make assessments and recommendations around products and services we provide. Provide reporting statistical analysis for staffing levels, identify customer trends and measuring effectiveness of marketing campaigns. Service quality, improvements & identify training requirements.
It may not look so pretty in your excel spreadsheet, but is much more effective in terms of compliance.