Records of Processing Activities (ROPA)
Documentation, required by GDPR, of all personal data processing activities within an organization.
Records of Processing Activities (ROPA) are required by GDPR Article 30 for organizations with 250+ employees, or any organization whose processing is likely to result in risk to individuals, is not occasional, or includes special category data. Controllers must document: name and contact details, purposes of processing, categories of data subjects and personal data, categories of recipients, transfers to third countries, retention periods, and a description of security measures. Processors must document: name and contact details, categories of processing, transfers to third countries, and security measures. The ROPA should be maintained as a living document and updated as processing activities change. It forms the foundation of a privacy compliance program.