GDPR Article 30: ROPA requirements

GDPR Article 30 requires that companies under the General Data Protection Regulation (GDPR) create and maintain a record of processing activity (ROPA). 

Intended to promote transparency and accountability among organizations that collect, process, and store personal data, completing the ROPA process helps organizations:

• Track the personal data they’re collecting

• Identify risky data processing activities, and

• Provide adequate protection for the personal data they hold

Though companies aren’t required to proactively submit a ROPA, to be GDPR compliant—one must be made available upon request. 

Article 30 is part of the General Data Protection Regulation (GDPR), a comprehensive data protection law designed to put guardrails on the way businesses in the EU use consumer data.  

To be Article 30 compliant, organizations must keep a detailed record of the personal data they collect, store, and process. This document is called a record of processing activity, or ROPA.

Article 30 also requires that organizations ensure that any third-party processors they work with are processing data in accordance with the GDPR. 

Creating and maintaining a comprehensive ROPA is key to compliance with GDPR Article 30. 

A complete ROPA will outline what personal data a company is collecting, why it's being collected, who has access to that data, where the data is being transferred, and how it’s being used.

Final ROPA document should be quite detailed, including information like: 

• Name and contact details for the data controller

• Documentation on why the data is being processed

• Purpose of processing i.e. why the data is being processed

• Categories of personal data and data subjects

• Categories of any recipients of the data

• A list of personal data transfers to third countries or international entities

• Details about any third parties who have access to the data

• A time frame for data erasure

• Details on how the data is being secured

• Contact information for the Data Protection Officer (DPO) 

GDPR Article 30 applies to companies, organizations, and other entities that process the personal data of any individual who falls under the protection of the GDPR. 

Most companies processing data from EU citizens must create and maintain a ROPA, though there are a few exceptions. Companies don’t have to complete a ROPA if their data processing activities are:

• Only “occasional”

• Unrelated to a criminal offense, or 

• Have no negative effect on an individual's freedoms or rights

Another potential exemption is when data is being processed for a single purpose and the same purpose is not likely to remain current after a set period of time. Or, if the data is processed for national security purposes or for scientific/historical research.

Finally, companies with less than 250 employees do not have to create ROPA.

All of this said, the language of Article 30 is such that very few organizations actually end up exempt, so all potential exceptions should be evaluated on a case-by-case basis. 

Most organizations that process personal data do so more than occasionally. And, since Article 30 doesn't offer further details about what “not occasional” means in practice, it’s a safer bet to go ahead and complete the ROPA process. 

Data mapping is critical for any company looking to simplify the ROPA process and ensure Article 30 compliance. 

Using an automated data mapping platform, companies can better identify personal data across a sprawling data ecosystem, map how it flows throughout that system, and flag any processing that might fall into the “risky” category.

Knowing these details also helps organizations respond quickly and accurately to consumer requests for access, correction, or deletion of their data.  

Creating ROPA with a data mapping tool is the most efficient approach available. However, not all companies have this technology in place. If that’s the situation you find yourself in, you’ll need to take a manual approach, following the steps below. 

1. Create a brief for leadership on the importance of GDPR compliance and the steps needed to produce a ROPA report. 

2. Schedule meetings with team leaders throughout your company to start documenting data processing across the organization.

3. During or after initial meetings with each team lead, an assessment should be sent out requesting specifics about their data systems and processing activities.

4. Compile all your findings into a document that’s accessible both digitally and in writing. 

5. Develop and maintain a process for continually updating your records.

We recommend trying these steps on just one department first, in order to iron out any potential operational issues. 

Also keep in mind that Step 5 is one of the most important parts of the process, as it addresses the 'up-to-date' portion of Article 30's requirements. ROPA documentation is not a snapshot-in-time, it must be current and complete to be compliant.

You need a process for continually updating your records because it's likely that your company is adding new data systems on a fairly regularly basis. In fact, according Transcend’s 2022 Data Visibility Report:

57% of tech leaders say new systems containing user data are added weekly, and in some cases, daily with their companies. 

Given the sheer quantity of data systems in play and the speed at which new systems are added, implementing a process that regularly captures these changes is critical to creating a ROPA that’s actually up-to-date.

Generating a complete view of customer data across your entire data ecosystem can be a complex, time-consuming process. That’s why ROPA creation and Article 30 compliance can benefit so significantly from automated data mapping software. 

Offering comprehensive visibility, freed up resources, and ultimately, simplified compliance, automated data mapping offers significant upsides for companies who regularly handle large amounts of personal data.

Automated data mapping tools offer a live view of an organization's data, enabling enhanced visibility into any personal data processing. 

Whenever a service or third party vendor is modified or added, the software detects these changes and updates the map with no manual input necessary—ensuring your records are comprehensive and up-to-date.

While GDPR doesn't require organizations to proactively submit ROPA documents, they must be made available upon request. If an organization fails to produce an up-to-date ROPA, they could face significant liability. 

However, with data mapping software, ROPA documents are kept current and can be exported easily—minimizing regulatory risk and facilitating Article 30 compliance.

Automated data mapping software provides a way to track:

• New data systems

• The types of personal data those systems contain

• Owners and completion status of each data record

• Database changes that could affect data transfer

By reducing manual effort, data mapping software limits errors and allows teams to focus their efforts on more productive tasks.

GDPR Article 30 requires companies to document the personal data they process and maintain a record of processing activity (ROPA).

This record must include, among other things, the purpose of processing, categories of data being processed, contact information for their Data Protection Officer (DPO), and any third parties with access to that data. 

By following these guidelines, organizations can ensure they are providing adequate protection of personal data while still providing tailored services that benefit their customers.

Transcend is the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack.

Transcend Data Mapping is the only solution that goes beyond observability to power your privacy program with smart governance suggestions. Get unified data management through automated scanning, data silo discovery and advanced data classification, all in a collaborative platform.

Ensure nothing is tracked without user consent using Transcend Consent, automate data subject request workflows with Privacy Requests, and mitigate risk with smarter privacy Assessments.