← Back to Glossary


Record of Processing Activities

What is Record of Processing Activities (RoPA)?

A RoPA is a comprehensive overview of an organization's personal data processing activities and the most important related details.

Also known as a data inventory, a RoPA supports business record-keeping efforts to promote accountability for complying with the GDPR and other privacy laws and regulations. When preparing the RoPA, you will be answering two critical questions: What personal data does your organization hold and where?

Why do companies need to keep RoPA?

To Assure the GDPR Compliance

To be compliant with the GDPR, the controller or processor should maintain records of processing activities under its responsibility. (GDPR Article 30) Article 30 requires businesses to keep "records of processing activities," which will allow regulators to see if organizations are in compliance with GDPR. Each controller and processor is required to cooperate with the supervisory authority and make those records available to it upon request so that it can monitor those processing operations.

Do I need a RoPA?

You must maintain RoPA if:

  1. Your company has 250 or more employees.
  2. Processing personal data is likely to risk the rights and freedoms of data subjects, (Example: video surveillance, a processing activity that can create discrimination, identity theft or fraud, financial loss, significant economic or social disadvantage.)
  3. Processing is not occasional (one-time marketing campaign);
  4. Processing includes special categories of data (health, racial or ethnic origin, etc.) or
  5. Processing of data relating to criminal convictions and offences.

Important Insight: Many businesses believe they do not require RoPA because they have fewer than 250 employees. However, this is not the only criterion.

If you process personal data on a non-occasional basis, which is usually the case, you should have a RoPA in place for those activities. For example, suppose you regularly manage salaries, clients, suppliers, or other personal information to provide your service. In that case, you will require a RoPA because these are non-occasional processing activities.

Key Requirements

If you are a controller–if you decide on the purposes and means of processing–you must include those details in RoPA:

  • Name and Contact details of your organization, data processor, data controller’s representative, joint controller, and data protection officer (DPO), if applicable;
  • Purpose of the processing.
  • Description of categories of data subjects and categories of personal data.
  • Categories of recipients.
  • Third parties which receive the personal data if applicable and suitable safeguards utilized;
  • Retention schedule for each category of personal data if possible.
  • Description of technical and organizational security measures (TOMs).

If you are a processor–if you act on behalf of the controller and process personal data:

  • Name and contact details of your organization, controller on whose behalf you are acting, data protection officer or representative if applicable.
  • Categories of processing you conduct or carry out on behalf of each controller.
  • Name of third country or organization that you transfer personal data to if applicable and suitable safeguards utilized.
  • Description of technical and organizational security measure (TOMs).

A Healthy Practice of a RoPA

1. Audit of all available personal data

A good idea when starting with a RoPA is to do an information audit of information to clarify what personal data the company holds, where, and how it processes it.

2. Documentation of activities

You should keep records in written and electronic form. It is also essential to do it in a structured and meaningful way. Moreover, if the records must be kept, they should be stored in a centralized way.

3. A RoPA must represent the current situation

Of your data processing activities, so it needs to be updated regularly when you start doing a new processing or change existing processing activities.

As we previously stated, you require RoPA to understand what personal data you process and where you keep it.

It is the fundamental document that will demonstrate to supervisory authorities that you are processing personal data responsibly and, if done correctly, will keep you out of further investigations. Your company must have a formal, documented, comprehensive, and accurate ROPA that is based on a data mapping exercise that is reviewed on a regular basis.

A well-prepared RoPA not only satisfies GDPR requirements and is critical for your data governance activities, but it is also an important document for fostering trust and confidence among stakeholders. It will prepare you for unexpected privacy issues and protect you from reputational damage, enforcement actions, and hefty fines.

Try to create your RoPA

You can find some sample templates shared by some data protection supervisory authorities at the link below. If you have a small business, you can easily incorporate them and build your RoPA.

RoPA Templates shared by the French data protection authority (CNIL) and the UK data protection authority (ICO):

Record of processing activities Template - CNIL

Documentation template for controllers - ICO

Documentation template for processors - ICO

Scale Privacy Programs without the Pain

Try Privado's privacy code scanning solution.