
What you need to know: ROPA GDPR explained


It’s a fact that Europe’s General Data Protection Regulation (GDPR) reshaped how people do [digital] business across the European Union (EU), the wider European Economic Area (EEA) and the United Kingdom (UK). Since Brexit, the UK has enforced its own version (the UK GDPR), which mirrors the EU’s framework but applies specifically to individuals in the UK. Even so, a nagging uncertainty persists for many businesses: Are we truly compliant? 

First, it’s important to understand who’s bound by the GDPR. According to the regulations, any business established in the EEA must comply, regardless of whose data it processes. The GDPR also applies to organisations located outside of the EEA if they target or monitor individuals within the EEA.

It’s easy these days to lose track of what data you collect and why. But ignorance is no defence. At the heart of demonstrating compliance and managing this complexity lies a crucial, yet often misunderstood, requirement: the Record of Processing Activities (ROPA).

This article explains what a ROPA is, who needs to keep one, common challenges and why it’s a strategic asset and foundational document for GDPR compliance and ethical data handling.

What is a ROPA (Record of Processing Activities)?

ROPA (Record of Processing Activities) is a GDPR-mandated inventory (under Article 30) detailing processing activities under an organisation’s responsibility. It includes information such as:

  • Purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients
  • Transfers to third countries
  • Retention periods
  • Security measures

Understanding ROPA roles and purpose

A ROPA is an internal, living document that demonstrates an organisation’s commitment to data protection. With proper attention and regular updates, it becomes a vital tool for accountability and data transparency with authorities and the public. 

There are two main parties responsible for its creation and maintenance:

  • Data controllers: These are organisations that determine the purposes and means of processing personal data. They bear the ultimate responsibility for ensuring compliance with data protection regulations.
  • Data processors: These are external organisations or entities that process personal data on behalf of a data controller, acting strictly on their instructions.

GDPR obligations of data controllers

Data controllers must maintain a record that includes specific information about the personal data their organisations handle. Unless there’s a valid reason not to, this record should detail:

  • Contact details: For the controller, any joint controllers, representatives, or Data Protection Officers (DPO).
  • Purposes of processing: The reasons for collecting and using the data.
  • Categories of data: The types of individuals whose data are processed and the categories of personal data collected.
  • Recipients of data: The types of organisations or individuals who receive the data, including those in other countries or international organisations.
  • International transfers: Details of any data transfers outside the EU, specifying the country and documented protections.
  • Retention periods: The envisaged time limits for data erasure.
  • Security measures: A general description of the technical and organisational security measures used to protect the data, as required by GDPR Article 32(1).

GDPR obligations of data processors

Data processors are also required to maintain a record of their processing activities. This record must include:

  • Contact details: For the processor and for each controller they work for, including any representatives or Data Protection Officers (DPO).
  • Processing activities: The types of processing operations carried out on behalf of each controller.
  • International transfers: Details of any data transfers to other countries or international organisations, and any protections in place for these transfers.
  • Security measures: A general description of the technical and organisational security measures used to protect the data.

[Figure: data processors vs. data controllers in GDPR, with a list of roles and examples]

Why is ROPA important?

A well-maintained Record of Processing Activities is a strategic asset for any organisation handling personal data. Beyond its legal mandate under Article 30 of the GDPR, here are a few more reasons why its importance is hard to overstate:

  • It helps businesses understand their data: The record requires organisations to clearly document all personal data collected, the purpose of its collection, and its planned deletion and retention periods.
  • It demonstrates accountability: Maintaining detailed records and strong documentation standards demonstrates an organisation’s commitment to data protection and GDPR compliance.
  • It helps with risk management: Documenting data processing activities helps identify and resolve privacy risks, prevent breaches and ensure safer handling of personal data.
  • It makes audits easier: A well-maintained ROPA simplifies data protection authority audits by demonstrating compliance with regulations.
  • It builds trust: Responsible data handling and privacy practices help foster customer trust, brand loyalty, and a positive public image.

In short, a Record of Processing Activities helps businesses protect personal data, manage risks, and build trust with their customers. 

It also helps regulators assess compliance. GDPR’s emphasis on accountability through record-keeping set a global standard for privacy, not just EU compliance. 

Today, maintaining processing records is a baseline expectation in most modern privacy laws, even if the terminology differs. 

Who needs to keep a ROPA?

As mentioned before, the GDPR applies to any business in the EEA. It also applies to organisations outside the EEA that aim their services at or watch individuals within the EEA. 

There’s an exemption for firms with fewer than 250 employees. However, this exception only applies if their processing:

  • is not regular;
  • is unlikely to cause risk; and
  • does not involve special categories of data or information related to criminal convictions.

These exceptions also don’t apply if the data being processed falls into the special categories listed in Article 9 of the GDPR. These categories include, for example, data that shows:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership.

The GDPR also restricts the processing of genetic or biometric data if it is used to uniquely identify an individual. The same rule applies to health data or data about a person’s sex life or sexual orientation. Special category data requires a separate legal basis under Article 9(2) and enhanced safeguards.

In reality, most organisations process data regularly, so they usually need a ROPA. Even when exceptions apply, it’s generally considered best practice to keep one anyway.

How to create a ROPA

Creating and keeping a Record of Processing Activities is a structured process. Here are six steps that guide the process of documenting data processing operations:

  • Step 1: Identify your role (controller or processor):
    • First, determine whether your organisation is a data controller, a data processor, or both. Controllers determine the nature and extent of data processing; processors execute the controller’s instructions.
    • Your record needs different information based on your role, as per GDPR Article 30.
  • Step 2: Map all processing activities:
    • List every activity where your organisation handles personal data.
    • This includes how data is collected, stored, used, shared and deleted across all departments and systems.
  • Step 3: Document key ROPA elements (Article 30):
    • For each activity, record the specific details required by GDPR Article 30: processing purposes; types of data subjects and personal data; data recipients (including international transfers); data retention periods; and security measures.
    • Be precise and thorough.
  • Step 4: Implement security measures:
    • The ROPA requires a general description of your security measures.
    • This means putting in place proper technical and organisational protections for personal data.
    • Review and update these measures regularly to keep data secure.
  • Step 5: Review and update regularly:
    • Data processing changes frequently, so you must review and update your ROPA regularly, ideally after major changes or at least annually, to keep it current.
  • Step 6: Automate (where possible):
    • Use privacy-first tools to help create and maintain your ROPA.
    • Automation makes the process more efficient, reduces errors and keeps your ROPA current and visible.
    • This is crucial for supervisory authority requests, which often require prompt responses.
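Steps 3 and 6 are where the record can be machine-checked. The following is an added example (not Matomo’s code and not an official template): it encodes the Article 30 elements for controllers and processors, the Article 9 special categories and the under-250-employee exemption as summarised in this article, and reports which activities in a ROPA are incomplete. All field names, category tags and the sample activities are constructed for this example; a real ROPA would map its own column names onto them.

```python
"""Completeness check for a Record of Processing Activities (ROPA).

Added example, not Matomo's code. It encodes the GDPR Article 30 elements
and the under-250-employee exemption as summarised in the article. Field
names, category tags and the sample ROPA are constructed for illustration.
"""

from typing import Any

# Article 9 special categories plus Article 10 criminal-conviction data,
# as listed in the text. The tag names are constructed labels.
SPECIAL_CATEGORIES = frozenset({
    "racial_or_ethnic_origin", "political_opinions",
    "religious_or_philosophical_beliefs", "trade_union_membership",
    "genetic", "biometric_for_identification", "health",
    "sex_life", "sexual_orientation", "criminal_convictions",
})

# Elements each role must record per activity: Article 30(1) for
# controllers, Article 30(2) for processors (constructed field names).
REQUIRED_FIELDS = {
    "controller": (
        "contact_details", "purposes", "data_subject_categories",
        "personal_data_categories", "recipients", "international_transfers",
        "retention_period", "security_measures",
    ),
    "processor": (
        "contact_details", "controller_contacts", "processing_activities",
        "international_transfers", "security_measures",
    ),
}


def _recorded(value: Any) -> bool:
    """A field counts as recorded when it holds something, including an
    explicit 'none' (e.g. no international transfers), but not when it is
    absent, None or empty. Blank cells are the usual audit finding."""
    if value is None:
        return False
    if isinstance(value, (str, list, tuple, set, dict)):
        return len(value) > 0
    return True


def missing_elements(activity: dict) -> list[str]:
    """Return the Article 30 elements not recorded for one activity."""
    role = activity.get("role")
    if role not in REQUIRED_FIELDS:
        return ["role (must be 'controller' or 'processor')"]
    return [name for name in REQUIRED_FIELDS[role]
            if not _recorded(activity.get(name))]


def article30_exemption_applies(employee_count: int, activities: list[dict]) -> bool:
    """The under-250 exemption holds only if *every* activity is not regular,
    unlikely to cause risk, and free of special-category or criminal data.
    Missing 'regular' defaults to True, the conservative reading."""
    if employee_count >= 250:
        return False
    for act in activities:
        if act.get("regular", True) or act.get("likely_risk", False):
            return False
        if SPECIAL_CATEGORIES & set(act.get("personal_data_categories", [])):
            return False
    return True


def validate_ropa(employee_count: int, activities: list[dict]) -> dict:
    """Report whether a ROPA is mandatory and which activities are incomplete."""
    issues = {act["name"]: missing for act in activities
              if (missing := missing_elements(act))}
    return {
        "ropa_required": not article30_exemption_applies(employee_count, activities),
        "complete": not issues,
        "issues": issues,
    }


# Constructed sample: one complete controller activity and one processor
# activity that left its transfers and security measures unrecorded.
SAMPLE_ACTIVITIES = [
    {
        "name": "website analytics",
        "role": "controller",
        "regular": True,
        "likely_risk": False,
        "contact_details": "privacy@example.org (DPO)",
        "purposes": ["measure site usage"],
        "data_subject_categories": ["website visitors"],
        "personal_data_categories": ["pseudonymised IP address", "page views"],
        "recipients": ["internal marketing team"],
        "international_transfers": "none",
        "retention_period": "13 months",
        "security_measures": "TLS in transit, access restricted by role",
    },
    {
        "name": "payroll processing for client",
        "role": "processor",
        "regular": True,
        "contact_details": "ops@example.org",
        "controller_contacts": ["hr@client.example"],
        "processing_activities": ["salary calculation"],
        "international_transfers": "",  # left blank: flagged as missing
        "security_measures": None,      # not recorded: flagged as missing
    },
]

if __name__ == "__main__":
    print(validate_ropa(employee_count=40, activities=SAMPLE_ACTIVITIES))
```

Running the check in a CI job against the exported ROPA (for instance as JSON) turns Step 5’s “review regularly” into something that fails loudly when a new activity is added without its retention period or security measures. Note that the exemption function defaults an activity to “regular” when the flag is absent, so an undocumented activity is never silently treated as exempt.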

Common challenges

Creating and maintaining a ROPA can present several challenges. Recognising them early can help prepare for and overcome them.

  • Unclear data flows: Many organisations struggle to map how personal data moves through their systems and departments. Data is collected in various ways, processed by different teams, and shared with third parties, making it hard to see the full picture.
  • Third-party risks: Sharing data with third parties and external processors requires verifying GDPR compliance, which can be complex. Documenting these transfers in the ROPA can also be challenging.
  • Retention policies: Deciding how long to keep different types of personal data can be challenging due to conflicting legal, regulatory, and business priorities.
  • Static documentation: A ROPA is a living document that requires regular updates due to frequent changes in data processing. Without these updates, the ROPA loses its value in terms of compliance and accountability.

Take a proactive approach to data protection 

Following privacy laws and strengthening data management practices helps mitigate the risks associated with data breaches and build trust with users.

Matomo can support your ROPA process by giving you clearer visibility into your analytics data processing activities. Matomo can make parts of your processing easier to document, like the analytics data you collect, how it’s processed, and where it’s stored.

To see how Matomo can support your compliance efforts, download Matomo On-Premise for free or start your 21-day free trial of Matomo Cloud today — no credit card required.


Certified ISO 27001:2022

Your analytics data is protected in accordance with internationally recognised security standards.