Records of Processing Activities (RoPA)


Under the GDPR, some businesses are required to maintain records of their processing activities, commonly referred to as RoPA.

Fundamentally, a RoPA is a quick guide to the essential details of a given data processing activity.

When Is a RoPA Required?

The RoPA requirements apply generally to all businesses to whom the GDPR applies. However there is a major exception.

Businesses are not required to maintain a RoPA if they have fewer than 250 employees AND all of the following are true:

  1. The processing is not likely to result in a risk to the rights and freedoms of data subjects;
  2. The processing is occasional; and
  3. The processing does not include special categories of data (i.e., sensitive data) or personal data related to criminal convictions

What is “occasional” processing? There is not a clear-cut answer, but the UK’s Information Commissioner’s Office has said that occasional processing is something that is “a one-off occurrence or something you do rarely.”

What Must Be Included?

Article 30 of the GDPR covers RoPA requirements, saying they must contain (at a minimum) the following:

  1. The name and contact details of the controller and, where applicable, the joint controller, the controller's representative, and the data protection officer; 
  2. The purposes of the processing; 
  3. A description of the categories of data subjects and of the categories of personal data;
  4. The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations; 
  5. Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and the documentation of suitable safeguards; 
  6. Where possible, the envisaged time limits for erasure of the different categories of data;
  7. Where possible, a general description of technical and organizational security measures.


See the UK Information Commissioner’s website for more information.