Your Record of Processing Activities
A Record of Processing Activities (or ROPA or "Article 30 report") is required under Article 30 of Europe's General Data Protection Regulation (GDPR). Data controllers and data processors must maintain an overview of all data processing activities. Each processing activity should include information about the purpose of processing, the categories of personal data processed, the categories of data subjects, any data transfers to third countries or international organizations, information about how long the data is retained, and a description of security measures (more on that below!).
This can be hard because teams frequently add or change their data systems. Often, no single person has a consistent, accurate, or comprehensive understanding of the company's data systems, data categories, and purposes of processing. Producing a ROPA for regulators can become a significant resource drain, delaying reports and risking non-compliance.
With Transcend Data Mapping, you have a live-updated ROPA, which is kept in sync with changes to your company's tech stack, ensuring your Record of Processing Activities is always accurate and ready at any time to be exported. A live-updated ROPA is possible because Transcend Data Mapping sources information directly from base-truth: your data systems. By continuously monitoring your data systems, Transcend has a live, system-level representation of all data in your business. This system-level representation is displayed in your Data Inventory.
Note: If you know the UK ICO's ROPA template, where columns in green are fields required per Article 30, and columns in blue are optional fields for internal record-keeping purposes, this should feel familiar. Transcend's ROPA is built on this same template.
If you're a first-time user, Transcend will prompt you to run a 30–45 second scan on your website to identify data systems on your website. This is a great starting point—we'll automatically detect your analytics and advertising technologies and load them into your ROPA to get you started.
You can also uncover additional data silos by connecting plugins like Okta or Segment, which monitor for new data silos.
In the Admin Dashboard, under Data Mapping, click ROPA. From here, you will see all records of processing activities.
Your records will have the following fields:
- Data Category: a category describing what type of data you're collecting (e.g., credit card data would be Financial, and phone numbers would be Contact information).
- Purpose of Processing: a category describing why you collect this data (e.g., Contact information may be used for Marketing purposes).
We require that each record contains a 1-to-1 combination of Data Category and Purpose of Processing. If you have multiple Data Categories used for the same Purpose of Processing (or vice-versa), you should create separate records for these combinations.
The next ROPA fields are:
- Data Subjects: who this data relates to (e.g., customers, employees). Sometimes referred to as "categories of individuals".
- Recipients Categories: categories describing who you share this data with (e.g., Hosting providers, Email Marketing tools).
- Joint Controller: any party other than your company that can also use your data as if they are a data controller, and not just a data processor to your company.
- Third Countries / Organizations: where data is processed/sent. If you transfer this data outside the EU to a third country or international organization, you can list them in your ROPA. Note: ROPA uses GDPR terminology, and since GDPR is euro-centric, "third country" simply means any country that is not in the EU. International organizations (e.g., multi-national corporations) should also be included here.
These fields are not required by Article 30, but can be useful for internal purposes:
- Underlying System Owners: the actual master owner(s) of the data asset, based on what is reflected in your Data Inventory page.
- Owner: person in your company responsible for filling out this row in the ROPA (e.g. a legal representative or master owner of the data set). To assign this record to an owner, you can select a Transcend user or enter an email address, which will invite them to Transcend.
- Notes: any additional information you would like to add. This field is not required in your ROPA, but it can be useful for internal purposes.
Finally, you can add new columns to your Data Inventory (which will auto-populate into your ROPA) with Custom Attributes under "Infrastructure". See how to create attributes here.
Each record of a processing activity is either a derived record or a manually created record.
In your ROPA, derived records are created from your data silos (such as SaaS tools and databases) and the datapoints within those data silos. Data silos and datapoints are displayed in the Data Inventory under the Data Silos and Datapoints tabs.
Transcend has pre-built mappings of the datapoints inside many SaaS tools. Each datapoint is mapped to a Data Category and Purpose of Processing. You'll likely see this data initially auto-populated in your ROPA. If necessary, you can override these labels in your Data Inventory.
You can edit each record's data retention type, retention period, and other relevant notes directly inline.
For derived records, the "Source" column displays the data silos that provide evidence for this processing activity.
Since Transcend derives your processing activities from the system-level base truth (your Data Inventory), derived records will have a lock icon on the Data Category and Purpose of Processing, and these fields cannot be edited directly. Instead, you should inspect these fields at the system level within your Data Inventory, and if necessary, you can override these labels.
For example, let's take the above processing activity and inspect the system-level information. In the Datapoints tab of the Data Inventory, you can filter by Data Category and Purpose of Processing. We can inspect all Financial datapoints used to provide a Basic Service or Feature.
All manually created records can be edited inline.
To manually create a record of a processing activity, click "Add Record". A dialog box will open, asking you to enter the information described in Step 2. Only Data Category and Purpose of Processing are required fields.
In order to add Joint Controllers or Third Countries / Organizations, you need to first register them in their respective tabs ("Joint Controllers" and "Third Countries / Organizations"). These fields are optional, so you can always create the record and add them later. This will be covered in the next step!
If you have records that require a Joint Controller or a Third Country/Organization, first make sure that they're registered in their respective tab.
For example, go to the Joint Controllers tab, click "Add Joint Controller", and fill out the required information.
You can now add that Joint Controller to records in your ROPA by editing them inline.
Depending on how your organization is set up, which teams can stand up new systems, or how often these systems and datapoints change, building and maintaining an accurate, up-to-date ROPA can be a challenge. Transcend includes intuitive collaboration tools so that you can leverage cross-functional teammates to update and own different sections of your ROPA.
Under "All Records", each data record has an Owner column. Use this dropdown to select a teammate who should be the primary system owner. Existing Transcend users will automatically appear in this dropdown menu. You can also type in an email to invite a new user to your Transcend account.
Your teammate will receive an automated email from Transcend, informing them that they are the owner of a specific data record(s) and prompting them to log in and make any appropriate edits.
Regulators or other external needs may require you to have your ROPA as a static deliverable. With Transcend, easily export your ROPA by selecting Export to CSV from the top right. This will download a CSV file with your entire ROPA, including:
- ROPA Item ID (Transcend identifier)
- Data Category
- Processing Purpose
- Data Subjects
- Owners (will populate owner email addresses)
- Underlying System Owners (will populate owner email addresses)
- Transcend Derived (True/False)
- Joint Controllers (if applicable)
- Third Countries/Orgs (if applicable)
- Retention Type (if applicable, otherwise is noted as Unspecified)
- Retention Period
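Before handing an exported ROPA to a regulator or auditor, it helps to check it for the gaps this page describes: records without an owner, retention left as Unspecified, and manually created records that have no data silo behind them. The script below is an added example, not Transcend's code; it assumes the CSV header names match the field list above (without the parenthetical notes), and the sample rows, including the "Stated Period" retention type, are constructed.

```python
import csv
import io

# ASSUMPTION: header names mirror the export field list on this page.
# Article 30 items that every record should carry.
REQUIRED = ("Data Category", "Processing Purpose", "Data Subjects")

# Constructed sample export (not real data; "Stated Period" is a made-up value).
SAMPLE_CSV = """ROPA Item ID,Data Category,Processing Purpose,Data Subjects,Owners,Underlying System Owners,Transcend Derived,Joint Controllers,Third Countries/Orgs,Retention Type,Retention Period
r-001,Financial,Basic Service or Feature,Customers,legal@example.com,eng@example.com,True,,,Stated Period,7 years
r-002,Contact information,Marketing,Customers,,eng@example.com,True,,United States,Unspecified,
r-003,Contact information,Marketing,,privacy@example.com,,False,,,Stated Period,
"""


def cell(row, column):
    """Return a trimmed cell value, or '' when the column is absent or empty."""
    return (row.get(column) or "").strip()


def audit_ropa(csv_text):
    """Return (item_id, finding) tuples for records that need attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rid = cell(row, "ROPA Item ID")
        for column in REQUIRED:
            if not cell(row, column):
                findings.append((rid, f"missing {column}"))
        if not cell(row, "Owners"):
            findings.append((rid, "no owner assigned"))
        # The export writes "Unspecified" when no retention type was set.
        if cell(row, "Retention Type").lower() in ("", "unspecified"):
            findings.append((rid, "retention type unspecified"))
        elif not cell(row, "Retention Period"):
            findings.append((rid, "retention period empty"))
        # Manual records are not backed by a scanned data silo.
        if cell(row, "Transcend Derived").lower() == "false":
            findings.append((rid, "manual record: no data silo evidence"))
    return findings


if __name__ == "__main__":
    for rid, finding in audit_ropa(SAMPLE_CSV):
        print(f"{rid}: {finding}")
```
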