News & Blog

RoPA compliance – know the requirements and how to meet them

Can your organization provide an updated Record of Processing Activities (RoPA) to a data protection authority?  Under EU General Data Protection Regulation

Can your organization provide an updated Record of Processing Activities (RoPA) to a data protection authority?  Under EU General Data Protection Regulation (GDPR) Article 30 you need to.

DiscoveryControl RoPA module reduces the resources required by an organization to keep its Article 30 records current. It achieves this by automating the discovery of your:

  • data collection
  • data usage
  • data sharing

Data processors must maintain records on behalf of all data processed for the controller

RoPA requirements

  • Organization’s name and contact detail
  • Whether it is a controller or a processor
  • Where applicable, the joint controller, their representative, and the DPO).
  • The purposes of the processing. A description of the categories of individuals and of personal data.
  • The categories of recipients of personal data.
  • Details of transfers to third countries, including a record of the transfer mechanism safeguards in place.
  • Retention schedules.
  • A description of the technical and organizational security measures in place.

Data processors must maintain records on behalf of all data processed for the controller.


Article 30 of The GDPR (incl. UK) requires organizations to keep written records of processing activities.

A valid RoPA will be the product of efficient record-keeping procedures and accountability within an organization, and the continued review and maintenance of these procedures will promote compliance with GDPR standards.


  • Under the GDPR it is a legal requirement to document your processing activities.
  • Understanding what information you have, where it is
  • what you do with it makes it much easier to improve your information governance and comply with Data Protection Law.
  • In the RoPA you must list every single processing. The RoPA describes the exact usage of the data, and the technical and organizational measures you have in place for the protection of the data. 
  • RoPA shows who is affected by processing, and the recipient of a processing. All possible data processors are listed there.
  • Fundamental risk analysis must be included in a RoPA.



  • Our RoPA Module provides a fully managed auditable solution with controlled access.
  • Record processing activities in electronic form, add, remove, and amend information easily.


Ensure company-wide creation and review of records is managed by the DPO/RoPA Manager.


  • departments scan access to pre-selected records for review and update
  • then reassign back to the DPO for checking
  • create new records which are set at a status of “Submitted” for the DPO to check


Provide a framework for pre-validated selections or responses ensuring regulatory guidelines are followed. The RoPA records are consistent and legal.


RoPA records are stored in a secure and accessible location available for inspection in the event of an audit.


The manual creation of RoPA under GDPR compliance requirements or using tools like Excel may be very difficult and time-consuming. The DiscoveryControl RoPA module is a powerful online tool . You do not need any previous knowledge minimizes the effort required.  Functionality is already included. Advanced customization is available to generate RoPA lists for your specific business needs.


Audit of all available personal data

  • Customized workflow forms.
  • Customized dashboards.

Identification of the role – whether you are a controller or a processor.

  • We work with you to ensure that the dropdowns on the customized forms contain valid information for your activities.
  • Customized forms for the Controller and the Processor based on their requirements.

Categorization of data

  • The RoPA module in ComplyKEY breaks down your data on data subjects into categories. Full audit on all recordings, views, and changes.
  • Central and powerful content search built-in to find and present data quickly and securely.

Constant Updating

  • Starting a new processing activity or changing the purpose of a current one? The register is updated in seconds.
  • Multiple user logins enable company-wide creation and review of records, centrally managed by the DPO or RoPA Manager. Check that records are still valid, and up-to-date, or if the data is still being processed.
  • The RoPA manager can assign a record to a department or individual for review. Each department can create new RoPA records. These are set at a status of “Submitted” for the RoPA manager to check.


  • Creation reports with the inbuilt report writer. For example, records overdue and record summary.


  • Built-in access controls, audit, and encryption.
  • All records stored and encrypted securely, readily available for inspection in the event of an audit.
  • Schedule a call with one of our data privacy experts
Pop up announcing the rebrand of Waterford Technologies to ComplyKEY. The call to action is to direct visitors to the new website

[zcwp id = 1]