What is a record of processing activities (RoPA)?

The General Data Protection Regulation (GDPR) requires organisations to maintain a record of their processing activities. Put simply, a Record of Processing Activities (or RoPA) is a structured and detailed document that describes your data processing activities. Its purpose is to show how you process and protect personal data. Therefore, it is an important tool for GDPR compliance.

First, download a free RoPA template below. Then, keep reading to see how you can use the template to create a record of processing activities for your company.

Download your free RoPA template

The purpose of a record of processing activities

The purpose of creating a record of processing activities or RoPA is to provide transparency and accountability for your data processing practices. Additionally, it can help you comply with other aspects of the GDPR, for example when responding to data subject rights requests and conducting data protection impact assessments (DPIAs). What’s more, a RoPA can reduce your liability and help you respond properly in case of a data breach.

What exactly does Article 30 of the GDPR say?

Article 30 of the General Data Protection Regulation (GDPR) sets out the requirements for maintaining a record of your data processing activities. The record should include the following information:

  1. Company name and contact details
  2. DPO contact details (if you have one)
  3. Your purposes for processing personal data
  4. The categories of data subjects and the categories of personal data collected
  5. Categories of recipients to whom the personal data has been or will be disclosed
  6. Any transfers of personal data to a third country or international organisation with documentation of suitable safeguards
  7. The envisaged time limits for erasure for different categories of data
  8. A general description of technical and organisational security measures in place

This record of processing activities must be in writing and be available in electronic form. Moreover, you must be ready to provide it to the supervisory authority upon request.

Exemptions

Note that your small business may be exempt from the RoPA requirement if ALL of the following are true:

  • You have fewer than 250 employees
  • Your data processing is not likely to cause risks to people’s rights and freedoms
  • Your data processing is only occasional
  • You do not process special categories of data
  • You do not process personal data related to criminal convictions and offences

However, as mentioned previously, a basic record of processing activities will help you comply with other aspects of the GDPR. Therefore, consider creating one even if you are not required to.

Record of processing activities (RoPA)

Need help filling out this template?

Completing a record of processing activities requires having a full overview of the personal data you handle. In practice, you need to know who the data belongs to, where it is stored, who has access to it, and how it is protected. To document all of this correctly, you must have insight into the sensitive and other personal data held across your systems.

At Safe Online, we offer a GDPR Risk Assessment that quickly identifies personal data across files, emails, and systems. The assessment gives you the clarity you need to complete your RoPA accurately, easily, securely, and without manual work.

Sebastian Allerelli
Founder & COO at Safe Online

Sebastian is the co-founder and COO of Safe Online, where he focuses on automating processes and developing innovative solutions within data protection and compliance. With a background from Copenhagen Business Academy and experience within identity and access management, he has a keen understanding of GDPR and data security. As a writer on Safe Online's Knowledge Hub, Sebastian shares his expertise through practical advice and in-depth analysis that help companies navigate the complex GDPR landscape. His posts combine technical insight with business understanding and provide concrete solutions for effective compliance.
