GRC Answer
What is a Record of Processing Activities (ROPA)?
A Record of Processing Activities (ROPA) is the internal register required by GDPR Article 30 that documents how your organisation processes personal data — purpose, data categories, recipients, transfers outside the EU or EEA, retention periods, and security measures. Controllers and processors must keep one in writing and produce it to a supervisory authority on request. It is the source of truth that a DPIA, a DSAR, a breach assessment, and a transfer assessment all read from. Acuna's data privacy management treats each processing activity as a living record tied to your asset and vendor inventory, so the people closest to the data keep the register honest.
Related questions