Skip to main content

What is a record of processing activities (RoPA)?

The General Data Protection Regulation (GDPR) requires organisations to maintain a record of their processing activities. Put simply, a Record of Processing Activities (or RoPA) is a structured and detailed document that describes your data processing activities. Its purpose is to show how you process and protect personal data.  Therefore, it is an important tool for GDPR compliance.

First, download a free RoPA template below. Then, keep reading to see how you can use the template to create a record of processing activities for your company.

Download your free RoPA template

The purpose of a record of processing activities

The purpose of creating a record of processing activities or RoPA is to provide transparency and accountability for your data processing practices. Additionally, it can help you comply with other aspects of the GDPR. For example, when responding to data subject rights requests and conducting data protection impact assessments (DPIAs). What’s more, a RoPA can reduce your liability and help you respond properly in case of a data breach.

Want to know more about protecting sensitive data?

In our newsletter you get tips and tricks for dealing with privacy management from our founder Sebastian Allerelli.

When you sign up for our newsletter you get a license for one user to ShareSimple, which will give you a secure email in Outlook. This special offer is for new customers only, with a limit of one freebie per company.

What exactly does Article 30 of the GDPR say?

Article 30 of the General Data Protection Regulation (GDPR) sets out the requirements for maintaining a record of your data processing activities. The record should include the following information:

  1. Company name and contact details
  2. DPO contact details (if you have one)
  3. Your purposes for processing personal data
  4. The categories of data subjects and the categories of personal data collected
  5. Categories of recipients to whom the personal data has been or will be disclosed
  6. Any transfers of personal data to a third country or international organisation with documentation of suitable safeguards
  7. The envisaged time limits for erasure for different categories of data
  8. A general description of technical and organisational security measures in place

This record of processing activities must be in writing, and be available in electronic form. Moreover, you must be ready to provide it to the supervisory authority upon request.

Start your GDPR cleanup where it is needed the most

Sensitive data can tends to accumulate in the employees' e-mails. With a GDPR Risk Scan from DataMapper, you get a report that shows any potential GDPR risks in the company's e-mails.


Note that your small business may be exempt from the RoPA requirement if ALL of the following are true:

  • You have fewer than 250 employees
  • Your data processing is not likely to cause risks to people’s rights and freedoms
  • Your data processing is only occasional
  • You do not process special categories of data
  • You do not process personal data related to criminal convictions and offences

However, as mentioned previously, a basic record of processing activities will help you comply with other aspects of the GDPR. Therefore, consider creating one even if you are not required to.

Record of processing activities (RoPA)

Need help to fill out this template?

Filling out your RoPA template correctly requires you to have a good understanding of the data you process. Specifically, you should know who it belongs to, where you store it, who has access to it, and how you protect it. To keep track of all these things, you need to know what sensitive data you have lying around. With our Data Discovery tool DataMapper you can find it easily and quickly.

Sebastian Allerelli

Founder & COO at Safe Online
Governance, Risk & Compliance Specialist
Follow me on LinkedIn to get tips on GDPR →


How to handle sensitive personal data


How to find personal data with datamapping tool


How to prepare for a data audit