02.19 – Records of Processing Activities

To increase accountability for businesses, GDPR Article 30 introduced new rules regarding how a company maintains records of processing activities (RoPAs).

An organization’s record of processing activities (RoPA) refers to a requirement laid out in the EU/UK Data Protection Regulation (GDPR), which states, in part, that a controller must “maintain a record of processing activities under its responsibility,” including “all categories of processing activities.” A valid RoPA will be the product of efficient record-keeping procedures and accountability within an organization, and the continued review and maintenance of these procedures will promote compliance with GDPR standards.

All businesses with over 250 employees must keep a record of processing activities. Businesses below that threshold are still required to maintain a RoPA if any of the following applies:

  • Processing is likely to result in a risk to the rights and freedoms of data subjects.
  • Processing of data is frequent.
  • Processing involves special categories of personal data, including race, gender, sexuality, religion, and others, or personal data relating to criminal convictions and offenses.

Article 30 of the GDPR requires written records, including those written in electronic form. Electronic records are ideal because they allow businesses to easily add, remove, or amend information. <<organisation name>> chooses to maintain its RoPAs in electronic form using Microsoft Excel.