RoPA
Record of Processing Activities — a mandatory inventory of all personal data processing activities under GDPR Article 30.
Full Definition
A Record of Processing Activities (RoPA) is a written inventory that documents all personal data processing activities within an organisation. GDPR Article 30 requires both controllers and processors to maintain a RoPA (with a limited exception for organisations with fewer than 250 employees, unless processing is high risk). A controller RoPA must include: the name and contact details of the controller, purposes of processing, description of data subject categories and data categories, recipient categories, international transfer information, and, where possible, envisaged retention periods and security measures. The RoPA is the foundation of an organisation's data governance program and is routinely requested by data protection authorities during investigations.
Related terms
Data Controller
An entity that determines the purposes and means of processing personal data.
Data Processor
An entity that processes personal data on behalf of and under the instructions of a Data Controller.
DPIA
Data Protection Impact Assessment — a systematic process to identify and minimise privacy risks in new processing activities.
Relevant regulations