What a Good ROPA Looks Like

A Record of Processing Activities (ROPA) should be a living inventory of how your organisation uses personal data — not a one-off spreadsheet. Done well, it becomes the single source of truth for privacy impact, supplier risk and retention decisions, and makes audits far simpler.


What is a ROPA?

Your ROPA documents each processing activity: the purpose, lawful basis (where required), data subjects, categories of personal data, systems & vendors, transfers, retention and security measures. It underpins privacy decisions, enables DPIA triage, and provides auditors with evidence that you know where personal data lives and why.

Single source of truth

Connects departments, systems and vendors into one view of processing.

Drives risk decisions

Flags high-risk processing for DPIAs and stronger controls.

Speeds audits

Provides clear evidence paths and owners for each entry.

Why a good ROPA matters

Business accountability

Demonstrates control of personal data flows for customers, partners and regulators.

Operational clarity

Helps teams understand purpose, retention and deletion responsibilities.

Compliance leverage

Feeds ISO 27701 controls, GDPR accountability, and supports APP compliance.

ROPA fields that work

Processing name & owner

Clear title and accountable person or team.

Purpose & lawful basis

Business reason; lawful basis where applicable.

Data subjects & data types

e.g., customers, staff; contact, health or usage data.

Systems & vendors

Applications, data stores, SaaS, and sub-processors.

Locations & transfers

Countries/regions, cross-border safeguards.

Retention & deletion

How long data is kept and how it’s safely removed.

Security measures

Encryption, access controls, monitoring and logging.

DPIA flag & risk tier

Trigger criteria and outcome for assessments.

Review cadence

Quarterly/annual; last reviewed & next due.

Common mistakes (and how to avoid them)

Make it maintainable with Microsoft 365

SharePoint list

Required fields, choice columns and validation; version history by default.

Power Automate

Monthly nudges to owners; snapshot exports to dated folders for audit.

Teams notifications

Reminders for upcoming reviews or DPIA triggers.

Practical examples

HR onboarding

Purpose: employment. Systems: HRIS, payroll. Retention: 7 years post-termination. Risk: medium; no DPIA.

Marketing emails

Purpose: direct marketing. Basis: consent. Vendor: ESP. Retention: 24 months of inactivity. Risk: low; unsubscribe path enforced.

Patient support

Purpose: service delivery. Data: contact + health notes. Retention: per health record regs. Risk: high; DPIA completed.
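As an added example (not the page's own material and not a SharePoint or Power Automate artefact), the three entries above, plus one deliberately incomplete entry, expressed as records and run through the checks the fields section and the monthly nudge describe: required fields present, next review due from the cadence and last-reviewed date, and the DPIA flag. Owners, review dates, the special-category trigger list and the field names are assumptions.

```python
from datetime import date, timedelta

# Constructed ROPA entries mirroring the page's "Practical examples", plus one incomplete
# entry; owners, dates and field names are assumptions, not a real SharePoint schema.
REQUIRED = ("name", "owner", "purpose", "data_types", "systems", "retention", "cadence", "last_reviewed")
SPECIAL_CATEGORY = {"health", "biometric", "genetic"}  # assumed DPIA trigger list
CADENCE_DAYS = {"quarterly": 91, "annual": 365}
TODAY = date(2025, 6, 1)  # fixed so the results are repeatable

SAMPLE = [
    {"name": "HR onboarding", "owner": "People team", "purpose": "employment",
     "data_types": {"contact", "employment"}, "systems": ["HRIS", "payroll"],
     "retention": "7 years post-termination", "risk": "medium", "cadence": "annual",
     "last_reviewed": date(2024, 1, 15), "dpia_done": False},
    {"name": "Marketing emails", "owner": "Marketing", "purpose": "direct marketing", "basis": "consent",
     "data_types": {"contact"}, "systems": ["ESP"], "retention": "24 months of inactivity",
     "risk": "low", "cadence": "annual", "last_reviewed": date(2025, 3, 1), "dpia_done": False},
    {"name": "Patient support", "owner": "Clinical services", "purpose": "service delivery",
     "data_types": {"contact", "health"}, "systems": ["case system"], "retention": "per health record regs",
     "risk": "high", "cadence": "quarterly", "last_reviewed": date(2025, 2, 1), "dpia_done": True},
    {"name": "Website analytics", "purpose": "site improvement", "data_types": {"usage"},  # owner missing
     "systems": ["analytics SaaS"], "retention": "14 months", "risk": "low",
     "cadence": "annual", "last_reviewed": date(2025, 4, 1)},
]

def validate(entry):
    """Required-column check, like a SharePoint list refusing an incomplete item."""
    return [f"missing:{f}" for f in REQUIRED if not entry.get(f)]

def dpia_required(entry):
    """DPIA trigger: high risk tier or any special-category data type."""
    return entry.get("risk") == "high" or bool(SPECIAL_CATEGORY & set(entry.get("data_types", ())))

def next_due(entry):
    """Next review date from the review cadence and the last-reviewed date."""
    return entry["last_reviewed"] + timedelta(days=CADENCE_DAYS[entry["cadence"]])

def triage(entries, today=TODAY):
    """Issues per entry: the items a monthly nudge flow would send to each owner."""
    findings = {}
    for e in entries:
        issues = validate(e)
        if not issues:  # lifecycle checks only make sense once the fields are present
            if next_due(e) < today:
                issues.append("review_overdue")
            if dpia_required(e) and not e.get("dpia_done"):
                issues.append("dpia_required")
        findings[e.get("name", "<unnamed>")] = issues
    return findings
```

Running `triage(SAMPLE)` gives the per-owner list a reminder flow would send; the same checks map directly onto SharePoint required columns and a scheduled Power Automate run.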

ROPA FAQs

Who owns the ROPA?

Privacy/compliance leads it; each entry has a business owner responsible for accuracy.

How often should we review?

At least annually — plus when new systems/vendors are added or processing changes.

Can we link to other registers?

Yes — vendor risk, data breach, and retention schedules should cross-reference the ROPA.

Ready to modernise your ROPA?

We’ll stand up a SharePoint ROPA with owners, reminders and audit-ready exports.
