Overview

Article 30 of GDPR requires controllers and processors to maintain Records of Processing Activities (RoPA). The RoPA is foundational to GDPR compliance - you cannot comply with transparency, data subject rights, or security requirements without understanding what personal data you process.

Article 30 Requirements

Controller Records Must Include:

  • Name and contact details of controller (and DPO if applicable)
  • Purposes of the processing
  • Categories of data subjects
  • Categories of personal data
  • Categories of recipients
  • Transfers to third countries and safeguards
  • Envisaged retention periods
  • General description of security measures

Processor Records Must Include:

  • Name and contact details of processor and controller
  • Categories of processing carried out
  • Transfers to third countries and safeguards
  • General description of security measures

Data Mapping Process

Step 1: Identify Processing Activities

Start by identifying all processing activities by:

  • Business function (HR, Marketing, Sales, Finance)
  • System or application
  • Data type

Step 2: Gather Information

For each processing activity, document:

  • What personal data is collected?
  • Who are the data subjects?
  • Why is it processed (purpose)?
  • What is the legal basis?
  • Where does the data flow (internal, external, international)?
  • How long is it retained?
  • How is it protected?

Step 3: Create Data Flow Diagrams

Visual maps showing:

  • Data collection points
  • Processing locations
  • Storage locations
  • Sharing with third parties
  • International transfers

Building Your RoPA

RoPA Structure

Field                      Example Content
Processing Activity Name   Employee Payroll Processing
Controller Details         Acme Ltd, DPO: [email protected]
Purpose                    Payment of salaries and statutory reporting
Legal Basis                Contract (employment), Legal obligation (tax)
Data Subjects              Employees
Data Categories            Name, address, bank details, salary, tax code
Recipients                 Payroll provider, HMRC, pension provider
International Transfers    None / Yes - to [country] via SCCs
Retention Period           7 years after employment ends
Security Measures          Encryption, access controls, audit logging

Maintaining RoPA

Triggers for Update

  • New processing activity introduced
  • Change to existing processing
  • New system implemented
  • New third-party relationship
  • Change in retention periods
  • Organizational changes

Review Cadence

  • Quarterly: Confirm no undocumented changes
  • Annually: Full review and update
  • Ad-hoc: When triggered by changes

Evidence for Auditors

Auditors and regulators expect:

  • Complete RoPA covering all processing
  • Evidence of regular review
  • Version control and change history
  • Ownership assigned
  • Alignment with privacy notices
  • Alignment with DPAs

Pro Tip

RoPA is not a one-time project. Embed RoPA updates into your change management, procurement, and project processes to keep it current without periodic catch-up exercises.