GDPR RoPA Report
Written by Nikhil Kukade
Updated over a week ago

A RoPA Report or Record of Processing Activities Report supports business record-keeping efforts to promote accountability for complying with the GDPR and other privacy laws and regulations. When preparing the RoPA, you will answer two critical questions: What personal data does your organization hold, and where?

Details of RoPA Report

If you are a controller (that is, you decide on the purposes and means of processing), you must include these details in the RoPA:

  • Name and contact details of your organization, data processor, data controller’s representative, joint controller, and data protection officer (DPO), if applicable.

  • Purpose of the processing.

  • Description of categories of data subjects and categories of personal data.

  • Categories of recipients.

  • Third parties that receive the personal data, if applicable, and the suitable safeguards utilized.

  • Retention schedule for each category of personal data, if possible.

  • Description of technical and organizational security measures (TOMs).

If you are a processor (that is, you act on behalf of the controller and process personal data), include these details in the RoPA:

  • Name and contact details of your organization, the controller on whose behalf you are acting, and the data protection officer or representative, if applicable.

  • Categories of processing you conduct or carry out on behalf of each controller.

  • Name of the third country or organization that you transfer personal data to, if applicable, and the suitable safeguards utilized.

  • Description of technical and organizational security measures (TOMs).

Automating RoPA Report with Privado

If you navigate to the Reports section from the top nav bar, Privado pre-fills the RoPA report from the code scan, including details of data categories, data processors, and data transfers. To get the rest of the details, Privado has a developer-friendly assessment that you can use.

To send a RoPA assessment, follow the steps below:

Navigate to the repository for which you want to generate the RoPA Report, then click the Send Assessment button.

Add details of the Respondent (developers of the repository), Due Date, Reminder frequency, and Approver. Once you click Send, Privado will send an email and Slack message to the respondent on your behalf asking them to fill in the RoPA assessment.

Additionally, Privado offers a workflow to help you track the RoPA status of repositories:

  • Pending: This is the starting RoPA status of all your repositories.

  • In Progress: The status changes to In Progress once you send a RoPA assessment.

  • Privacy Review: Once the RoPA assessment is completed, the status changes to Privacy Review. Here the privacy team adds legal information, like the legal basis of processing, to complete the RoPA Report.

  • Completed: Once all details of the RoPA report are added.

Privado continuously syncs with the code to keep the RoPA reports up to date without any manual effort and intervention by the privacy teams or developers.
