A Record of Processing Activities (RoPA) is the central accountability document required by Article 30 of the GDPR. Controllers must maintain a written record of all personal data processing activities carried out under their responsibility. Processors must maintain a similar record of all categories of processing activities carried out on behalf of a controller. The RoPA is not a public document; it is an internal accountability record that must be made available to the supervisory authority on request and that underpins a wide range of other GDPR compliance obligations.
The requirement applies to all controllers and processors with 250 or more employees. Organisations with fewer than 250 employees are also required to maintain a RoPA if their processing is likely to result in a risk to the rights and freedoms of data subjects, if the processing is not occasional, or if the processing includes special categories of data or data relating to criminal convictions and offences. In practice, the exemption for small organisations is narrow: most organisations that process personal data regularly (including employee data, customer data, and marketing data) will need to maintain a RoPA regardless of size.
Article 30(1) specifies the mandatory contents of a controller's RoPA. For each processing activity, the record must include the name and contact details of the controller and, where applicable, the joint controller, the controller's representative, and the Data Protection Officer; the purposes of the processing; a description of the categories of data subjects and the categories of personal data; the categories of recipients to whom the data has been or will be disclosed, including recipients in third countries or international organisations; information about transfers to third countries, including the identification of the transfer mechanism relied upon; and, where possible, the envisaged time limits for erasure and a general description of technical and organisational security measures.
For each processing activity, the retention period and the legal basis should also be documented, even though these are not expressly listed in Article 30. Supervisory authorities expect to find this information in the RoPA, and its absence is regularly cited in inspections as an accountability gap. The security measures description should be specific enough to be meaningful: the record should identify the specific measures in place rather than simply referencing "appropriate technical and organisational measures."
Building a RoPA requires a systematic audit of all processing activities across the organisation. This is typically conducted through a combination of interviews with process owners, review of existing documentation (IT systems inventories, data flow diagrams, vendor contracts), and a structured questionnaire covering each business function. The audit should identify every category of personal data processed, the systems in which it is held, the departments and individuals who have access, the retention periods, and the third parties (processors and joint controllers) involved.
A RoPA that is built once and not maintained quickly becomes outdated. As organisations introduce new systems, launch new products, change vendors, or enter new markets, the processing activities change and the RoPA must be updated. The RoPA maintenance process should be integrated into the organisation's change management and vendor onboarding procedures so that new processing activities are captured before they commence, not discovered retrospectively in an audit.
The RoPA must be sufficiently detailed to demonstrate accountability. A single-line entry for "marketing" is not sufficient: the RoPA should identify the specific marketing activities, the categories of data subjects (prospects, customers, newsletter subscribers), the categories of data (name, email, behavioural data from cookies), the retention period for each, the legal basis, and the processors involved. The level of granularity should reflect the complexity and risk of the processing: high-risk activities involving sensitive data require more detailed entries than routine, low-risk activities.
There is no prescribed format for the RoPA under the GDPR. Many supervisory authorities, including Belgium's GBA/APD, publish guidance templates, and a range of commercial GDPR management tools provide structured RoPA modules. The format must be in writing (which includes electronic form) and must cover the mandatory content elements. A well-structured spreadsheet is an acceptable format for smaller organisations; larger organisations with complex processing landscapes typically use specialist data governance tools that can link the RoPA to DPIAs, vendor registers, and privacy notices.
A RoPA is a comprehensive record of all processing activities, required for essentially all organisations. A DPIA (Data Protection Impact Assessment) is a deeper risk assessment required only for processing activities that are likely to result in a high risk to data subjects, for example, systematic profiling, large-scale processing of sensitive data, or systematic monitoring of publicly accessible areas. The RoPA identifies which processing activities exist; the DPIA analyses the risk of specific high-risk activities and documents the measures taken to mitigate that risk. The RoPA should flag which activities have been subject to a DPIA and cross-reference the DPIA documentation.
%402x.svg){kind=icon}
%402x.svg){kind=small}
%402x.svg){kind=icon}
