Record of Processing Activities (RoPA)

Your central data inventory. Map what personal data you collect, why, who you share it with, and how long you keep it.


Map your data flows for GDPR & privacy compliance.

Automated dashboard, processing activity register, vendor mapping, international transfer tracking, and risk highlighting — all pre-formatted.

How to Fill Out the RoPA

This RoPA template is your central data inventory. It maps what personal data you collect, why you collect it, who you share it with, and how long you keep it.

Follow this step-by-step guide to complete your compliance mapping.

Before You Start

Understanding Visual Cues

Gray Text = Examples

These cells contain sample data. Overwrite them with your actual company information. The gray background will disappear when you type.

White Rows = New Data

Start typing in the first white row below the examples to add new activities.

Yellow Highlight = High Risk

This appears automatically. If you select “Sensitive Data” (e.g., Health, Biometric) or mark an activity as requiring a DPIA, the row turns yellow. This flags items that require extra security attention.

Dropdowns (▼)

Click cells with a small arrow to select standard legal terms. Do not type manually into these cells if a dropdown exists.

Tab 1

Dashboard (Read-Only)

  • Purpose: Provides a real-time health check of your privacy program.
  • Action: No action needed. The numbers update automatically as you fill out the other tabs.
  • Key Metric: Monitor “High Risk Activities.” If this number is high, review the Yellow-highlighted rows in Tab 3.

Tab 2

Instructions (Metadata)

Purpose: Document control and versioning.

Action: Update the following editable fields:

  • Version: Start at 1.0. Increment to 1.1 whenever you make significant changes.
  • Owner: Assign a specific person (“CTO,” “Privacy Officer”).
  • Last Updated: Change this date whenever you review the document.

Tab 3

Processing Activities (The Core Work)

Fill out one row per distinct business activity. Do not list every database table; group by purpose.

Step 1: Define the Activity (Cols A–E)

Activity ID: Create a unique code (e.g., PA-001, PA-002).
Activity Name: Short, clear name (“Customer Onboarding,” “Employee Payroll”).
Role: Select one of the following:
  • Controller: You decide why and how data is used (most startups, for their own user data).
  • Processor: You process data on behalf of a client (e.g., a SaaS platform hosting client data).
Business Function: Select the department (Sales, HR, Marketing, Product).
Description: Briefly explain the process. Example: “We collect email and name to create user accounts and provide service access.”

Step 2: Map the Data (Cols F–K)

Data Subjects: Who does the data belong to? (Customers, Employees, Prospects).
EU Data Subjects? Select Yes if any of these people are located in the EU/UK.
Children’s Data? Select Yes only if you knowingly collect data from under-16s.
Data Types: List specific fields. Example: “Name, Email, IP Address, Payment Token.”
Sensitive Data: CRITICAL. Select “None” unless you process Health, Biometric, Religious, Political, Union, Criminal, Genetic, or Sexual Orientation data. Selecting anything other than “None” turns the row Yellow.
Source: Where did the data come from? (“Direct from User,” “Cookies,” “Third-party API”).

Step 3: Legal & Purpose (Cols L–O)

Purpose: Why are you processing this? (“Service Delivery,” “Marketing,” “Fraud Prevention”).
Legal Basis (GDPR): Select one of the following:
  • Contract: Necessary to provide the service (e.g., login credentials).
  • Consent: User explicitly opted in (e.g., marketing newsletters).
  • Legitimate Interest: Balanced interest (e.g., security logs, fraud detection).
  • Legal Obligation: Required by law (e.g., tax records).
Legal Basis Notes: Justify your choice. Example: “Required to authenticate user identity.”
LIA Completed? If you selected “Legitimate Interest,” have you done a Legitimate Interest Assessment? Select Yes/No.

Step 4: Operations & Retention (Cols P–X)

Frequency: How often is data processed? (Continuous, Daily, Monthly).
Recipients: Who sees the data? List internal teams or external vendors.
Specific Vendors (IDs): Link to Tab 4. Enter the Vendor ID (e.g., VND-001) from the Subprocessors tab. This connects your data flow to your vendor list.
Systems Involved: What software stores this data? (Salesforce, AWS, HubSpot).
Intl Transfer? Does data leave the EU/UK? (e.g., stored on US servers). Select Yes/No.
Transfer Mechanism: If Yes, how is it legal? (“SCCs (2021),” “EU-US Data Privacy Framework”).
Retention Period: How long do you keep it? Example: “Active Contract + 3 Years.” Do not use “Indefinite.”
Retention Justification: Why keep it this long? (“Statutory Requirement,” “Contractual Necessity”).
Deletion Method: How is it destroyed? (“Automated Policy,” “Manual Deletion”).

Step 5: Risk & Governance (Cols Y–AG)

Auto. Decision Making? Do algorithms make legal/significant decisions without human input? (e.g., automated loan denial).
Security Measures: List controls. Example: “Encryption at rest, MFA, RBAC.”
DPIA Required? If you selected Sensitive Data or High-Risk Monitoring, select Yes.
Internal Owner: Who is responsible? (CTO, HR Director).
Linked Policies: Which internal policy governs this? (“PRI-003 Privacy Notice”).
Status: Active, Deprecated, or Planned.
Dates: Set “Last Reviewed” to today. Set “Next Review” to 1 year from now.

Tab 4

Subprocessors & Vendors

List every third-party service that touches personal data.

Vendor ID: Create a unique ID (VND-001). Use this ID in Tab 3.
Vendor Name: “AWS,” “Stripe,” “Slack.”
Service Provided: “Cloud Hosting,” “Payment Processing.”
Data Processed: What data do they see? “Customer PII,” “Payment Tokens.”
Location: Where are their servers? “US,” “EU,” “Global.”
GDPR Compliant? Do they sign a DPA? Select Yes/No.
DPA Signed? Have you actually signed the Data Processing Agreement?
Risk Tier: Assess criticality.
  • High: Core infrastructure (AWS, Azure) or sensitive data processors (Payroll).
  • Medium: Marketing tools, analytics.
  • Low: Non-data tools (project management without PII).

Tab 5

International Data Transfers

Only fill this if you selected “Yes” for Intl Transfer in Tab 3.

Transfer ID: Unique code (DT-001).
Description: “Customer Data hosted on AWS US-East.”
Exporter: Your Entity (“lintGRC Ltd (UK)”).
Importer: The Vendor (“AWS Inc. (US)”).
Mechanism: The legal tool used (“SCCs (2021)”).
Risk Level: Low/Medium/High based on country laws.
SCCs Signed? Confirm Standard Contractual Clauses are in place.

Checklist

Final Checklist Before Saving

  • Did you remove all Gray Example Text that doesn’t apply to you?
  • Are all Yellow Highlights justified (do you have a DPIA or extra security for them)?
  • Did you link every vendor in Tab 3 to a valid ID in Tab 4?
  • Is your Retention Period specific (not “Indefinite”)?
  • Did you update the Version and Last Updated date in Tab 2?
  • Did you save the file as PRI-001_RoPA_[YourCompany]_v1.xlsx?
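The checklist above can be run automatically. This is an added example, not part of the template or the lintGRC product: a small Python lint that applies the template's own rules (the Yellow high-risk rule, Tab 3 to Tab 4 vendor ID links, "Indefinite" retention, LIA for Legitimate Interest, a transfer mechanism whenever Intl Transfer is Yes, and a DPIA flag for sensitive data) to RoPA rows. The field names and the sample rows are assumptions constructed for the example.

```python
# Added example (not the template's own code): lint RoPA rows against the
# rules described in the template. Field names are assumptions; a real
# spreadsheet export would map its column headers onto these attributes.
from dataclasses import dataclass, field

@dataclass
class Activity:          # one Tab 3 row (field names are assumptions)
    activity_id: str
    sensitive_data: str = "None"
    dpia_required: str = "No"
    legal_basis: str = "Contract"
    lia_completed: str = "No"
    vendor_ids: list = field(default_factory=list)
    intl_transfer: str = "No"
    transfer_mechanism: str = ""
    retention_period: str = ""

def is_high_risk(a: Activity) -> bool:
    """The Yellow-highlight rule: sensitive data or a DPIA flag."""
    return a.sensitive_data != "None" or a.dpia_required == "Yes"

def lint(activities, vendor_ids) -> list:
    """Return one finding per broken rule, keyed by Activity ID."""
    findings = []
    for a in activities:
        for vid in a.vendor_ids:          # every vendor must exist in Tab 4
            if vid not in vendor_ids:
                findings.append(f"{a.activity_id}: vendor {vid} not in Tab 4")
        if a.retention_period.strip().lower() in ("", "indefinite"):
            findings.append(f"{a.activity_id}: retention period must be specific")
        if a.legal_basis == "Legitimate Interest" and a.lia_completed != "Yes":
            findings.append(f"{a.activity_id}: LIA not completed")
        if a.intl_transfer == "Yes" and not a.transfer_mechanism:
            findings.append(f"{a.activity_id}: Intl Transfer without mechanism")
        if a.sensitive_data != "None" and a.dpia_required != "Yes":
            findings.append(f"{a.activity_id}: sensitive data but DPIA not flagged")
    return findings

# Constructed sample rows, not real company data.
VENDORS = {"VND-001", "VND-002"}
ACTIVITIES = [
    Activity("PA-001", vendor_ids=["VND-001"], retention_period="Active Contract + 3 Years"),
    Activity("PA-002", sensitive_data="Health", legal_basis="Legitimate Interest",
             vendor_ids=["VND-009"], intl_transfer="Yes", retention_period="Indefinite"),
]

if __name__ == "__main__":
    print("High-risk activities:", sum(is_high_risk(a) for a in ACTIVITIES))
    for f in lint(ACTIVITIES, VENDORS): print("-", f)
```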

Recommended next steps

After completing your RoPA:

  1. Validate Accuracy: Cross-check Tab 3 with engineering and product teams.
  2. Execute DPAs: Ensure all High/Medium vendors in Tab 4 have signed Data Processing Agreements.
  3. Implement DPIAs: Conduct Data Protection Impact Assessments for all Yellow-highlighted activities.
  4. Schedule Review: Set a calendar reminder to update the RoPA quarterly or after major feature launches.

A complete and accurate RoPA is foundational for GDPR, CCPA, and SOC 2 privacy compliance.