Records of processing activities (ROPA) document all data processing and categories of data processing an organization engages in—they're also a requirement of GDPR Article 30.
Article 30 outlines certain ROPA guidelines:
- Data controllers are responsible for creating and maintaining ROPA, which must include:
  - Name and contact information for the data controller
  - Purpose of data processing
  - Categories of personal data and data subjects being processed
  - Categories of data recipients (if the data has been shared)
  - Whether or not the data has or will be transferred to an “international organization” or “third country”
  - Timeframe for data deletion
  - Information on data security
- Data processors must maintain ROPA for any processing “carried out on behalf of a controller.”
- ROPA must be made available in writing and in a digital format
- ROPA must be provided upon request
ROPA creation is required for any business that employs 250 or more people, whose data processing is “not occasional,” or whose processing may threaten a data subject's rights or freedoms.