The record of processing activities — the RoPA, under GDPR Article 30 — is your map of what personal data you hold, why, and where it goes. Most organisations of any size must keep one, and it is often the first document a regulator requests. It is also the document most likely to be quietly wrong.
A RoPA is not hard to create. It is hard to keep true. Systems change, vendors change, purposes drift — and a stale record is worse than none, because it misrepresents reality.
What a RoPA is
It is an inventory of your processing activities, maintained by you as controller (and, in a lighter form, as processor). It demonstrates accountability: that you know your own data flows well enough to govern them.
What it must contain
- The purposes of processing and the controller’s details.
- Categories of data subjects and of personal data.
- Recipients, including any transfers to third countries.
- Retention periods and a general description of security measures.
Why RoPAs go stale
They are usually built once, in a spreadsheet, by interviewing teams — then never revisited until an incident or audit forces it. By then a year of system and vendor changes has gone unrecorded.
Owning the RoPA in a single spreadsheet that one person updates annually. The moment that breaks — and it always does — the record diverges from reality.
Keep it living
Tie RoPA updates to the events that change processing: onboarding a vendor, launching a feature, adding a data source. Treat each as a trigger to update the relevant entry, rather than batching a year of changes into one painful review.
Put it to work
A current RoPA pays for itself: it powers DPIAs, speeds data-subject requests, and answers regulator questions immediately. Keep it linked to your DPIAs and broader evidence so the whole data-protection story is consistent.
Key takeaways
- The Article 30 RoPA maps what data you hold, why, and where it flows.
- It must cover purposes, data categories, recipients, transfers, retention and security.
- RoPAs go stale when owned as an annual spreadsheet exercise.
- Update on change events, and link it to DPIAs and evidence.
Want a RoPA that tracks your systems? Book a 30-minute demo.
This article is general guidance, not legal advice. Verify obligations and deadlines for your organisation with qualified counsel.