Acronym : ROPA
The record of processing activities lists, for each activity involving personal data, its purpose, the data concerned, recipients, retention period and associated security measures.
It is the foundational document required by GDPR: without it, an organization can neither demonstrate compliance nor easily identify its highest-risk processing activities.
A company updates its record of processing activities every time a new project involves customer or employee data.
Assess your organization's maturity on this topic
Start the diagnostic