GDPR

Record of Processing Activities

Acronym : ROPA

The record of processing activities lists, for each activity involving personal data, its purpose, the data concerned, recipients, retention period and associated security measures.

Why it matters

It is the foundational document required by GDPR: without it, an organization can neither demonstrate compliance nor easily identify its highest-risk processing activities.

Concrete example

A company updates its record of processing activities every time a new project involves customer or employee data.

Related notions

Data mappingProcessing purposeRetention period

Assess your organization's maturity on this topic

Start the diagnostic
Back to glossary