GDPR Article 30 states that data controllers and processors must create and maintain records of data processing activities (ROPA).
While most companies processing data from EU citizens must create ROPA, there are a few exceptions. ROPA are not required if:
- The company’s data processing is only “occasional”
- The processing is unrelated to a criminal offense
- The processing doesn’t threaten a data subject's freedoms or rights
- The company has fewer than 250 employees
These exceptions leave a fairly narrow group of organizations that are actually exempt. Most organizations that process personal data are doing so more than occasionally.
And with no further explanation of what “not occasional” means, in most cases it’s better to create the ROPA and ensure GDPR compliance.
Complete ROPA must include:
- Name and contact details for the data controller
- Documentation on why the data is being processed
- Categories of personal data and data subjects
- Categories of any recipients of the data
- A list of personal data transfers to third countries or international entities
- A time frame for data erasure
- Details on how the data is being secured