GDPR Art. 30 requires controllers to maintain written records of processing activities (ROPA) covering processing purposes, categories of data subjects and personal data, recipients, third-country transfers, retention periods, and security measures. Organizations under 250 employees are exempt under Art. 30(5) only if their processing is occasional, is not likely to result in a risk to data subjects, and involves no special-category or criminal-conviction data. A SaaS product that processes customer account data continuously fails the "occasional" condition, so in practice most SaaS products must maintain a ROPA, and one that cannot demonstrate the exemption on request should expect to be treated as non-exempt. In a breach or regulatory investigation the ROPA is typically the first document a supervisory authority asks for. Without any data register it is also impossible to scope DSARs, breach notifications, or deletion requests correctly.
Severity is info because the ROPA is a documentation obligation rather than a direct data-protection control: the immediate harm of its absence is regulatory and reputational rather than a risk to user data.
Create a ROPA in docs/ROPA.md or as a spreadsheet linked from the README. Cover every processing activity with all Art. 30(1) fields. The minimal table below carries purpose, data categories, recipients, retention and legal basis; add categories of data subjects (Art. 30(1)(c)), any third-country transfers with their safeguards (Art. 30(1)(e)), and a general description of security measures (Art. 30(1)(g)) as extra columns or as a section under the table.
# Records of Processing Activities — Art. 30 GDPR
Controller: Example Corp | privacy@example.com | Last updated: 2026-02-22
| Processing Activity | Purpose | Data Categories | Recipients | Retention | Legal Basis |
|-----------------------|----------------------|--------------------------|----------------|---------------|-----------------|
| User account mgmt | Service delivery | Email, name, hash(pwd) | Clerk (auth) | Until deletion| Contract |
| Transactional email | Notifications | Email, name | Resend | 90 days | Contract |
| Usage analytics | Product improvement | Pseudonymous ID, events | Internal only | 26 months | Legitimate int. |
| Payment processing | Order fulfillment | Billing address | Stripe | 7 years* | Contract/Legal |
| Error monitoring | Service reliability | Error context, user ID | Sentry | 90 days | Legitimate int. |
*Financial records are retained for the period required by the applicable tax and accounting law (7 years in this example) on the legal-obligation basis of Art. 6(1)(c).
Update the ROPA within 30 days of adding or changing any processing activity (for example, onboarding a new sub-processor). Reference it from the DPA registry and the breach notification procedure so that both are scoped from the same list of activities.
ID: gdpr-readiness.breach-accountability.records-of-processing
Severity: info
What to look for: GDPR Article 30 requires controllers to maintain records of processing activities (ROPA). The ROPA must include: the controller's name and contact details, the purposes of processing, categories of data subjects and personal data, recipients of personal data, transfers to third countries, time limits for deletion, and a general description of technical and organizational security measures. Look for a ROPA document in docs/, DATA_PROCESSING.md, or a spreadsheet referenced in the README. Note: organizations with fewer than 250 employees are exempt under Art. 30(5) unless processing is not occasional, involves special category or criminal-conviction data, or is likely to result in a risk to data subjects; maintaining a ROPA is still best practice. Count all instances found and enumerate each.
Pass criteria: A ROPA document or equivalent data register exists covering the required elements: processing purposes, data categories, data subject categories, recipients, retention periods, and a reference to security measures. It is reasonably complete and current. At least 1 implementation must be confirmed.
Fail criteria: No ROPA or equivalent document exists. A template exists but was never completed. The document is significantly out of date.
Skip (N/A) when: the organization has fewer than 250 employees, its processing is only occasional, involves no special category or criminal-conviction data, and is not likely to result in a risk to individuals (Art. 30(5)). Document this exemption assessment explicitly; a SaaS product that processes customer account data continuously will rarely meet the "occasional" condition.
Detail on fail: Example: "No Records of Processing Activities found. No data register or equivalent documentation covering processing purposes, data categories, and retention periods."
Remediation: Create a minimal ROPA in a spreadsheet or document:
# Records of Processing Activities (Art. 30 ROPA)
Controller: Example Corp, privacy@example.com
Last updated: 2026-02-22
| Processing Activity | Purpose | Data Categories | Recipients | Retention | Legal Basis |
|-------------------------|---------------------|-------------------------|------------------|--------------|-------------------|
| User account management | Service delivery    | Email, name, hash(pwd)  | Clerk (auth)     | Until deletion | Contract          |
| Transactional email | Notifications | Email, name | SendGrid | 90 days | Contract |
| Usage analytics | Product improvement | Pseudonymous ID, events | None (internal) | 26 months | Legitimate int. |
| Payment processing | Order fulfillment | Billing address | Stripe | 7 years* | Contract / Legal |
| Error monitoring | Service reliability | Error context, user ID | Sentry | 90 days | Legitimate int. |
* Financial records retained 7 years under legal obligation (tax/accounting).
Security measures (Art. 30(1)(g), see Art. 32): encryption at rest (AES-256), TLS in transit, MFA for admin access, least-privilege IAM policies, quarterly security reviews.
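The pass and fail criteria above (required elements present, no unfilled template rows, record not significantly out of date) can be checked mechanically when the ROPA is kept in the markdown layout of the remediation template. The linter below is an added example written for this page; it is not part of the check itself or of any project's tooling. It assumes a docs/ROPA.md containing a "Controller:" line, a "Last updated: YYYY-MM-DD" line, one pipe table with one row per processing activity, and a "Security measures:" line, and it goes beyond the minimal template by also requiring "Data Subjects" and "Transfers" columns. The 365-day staleness threshold, the placeholder word list and the two sample documents are constructed for the example.

```python
"""Lint a markdown ROPA for the Art. 30(1) elements this check looks for.

Added example for this page, not project code. Assumes the docs/ROPA.md
layout of the remediation template (Controller line, Last updated line,
one pipe table, Security measures line).
"""
from __future__ import annotations

import re
from datetime import date, timedelta

# One column per element a minimal table can carry. "Data Subjects"
# (Art. 30(1)(c)) and "Transfers" (Art. 30(1)(e)) are required here even
# though the minimal template omits them, so their absence is reported.
REQUIRED_COLUMNS = (
    "Processing Activity", "Purpose", "Data Categories", "Data Subjects",
    "Recipients", "Transfers", "Retention", "Legal Basis",
)
# Cell values meaning "template row never filled in" (a fail criterion).
PLACEHOLDERS = {"", "tbd", "todo", "???", "fill in", "xxx"}
# Assumption for this example: a year without an update is "out of date".
MAX_AGE_DAYS = 365
SEPARATOR = re.compile(r"^\|?\s*:?-+:?\s*(\|\s*:?-+:?\s*)*\|?$")


def parse_table(md: str) -> tuple[list[str], list[dict[str, str]]]:
    """Return (header, rows) of the first pipe table; each row is a dict."""
    lines = [l.strip() for l in md.splitlines() if l.strip().startswith("|")]
    if not lines:
        return [], []
    header = [c.strip() for c in lines[0].strip("|").split("|")]
    body = lines[1:]
    if body and SEPARATOR.match(body[0]):
        body = body[1:]  # drop the |---|---| separator row
    rows = [dict(zip(header, [c.strip() for c in line.strip("|").split("|")]))
            for line in body]
    return header, rows


def lint_ropa(md: str, today: date) -> list[str]:
    """Return findings; an empty list means the document passes this check."""
    findings: list[str] = []

    m = re.search(r"^Controller:\s*(.+)$", md, re.M)
    if not m or "@" not in m.group(1):
        findings.append("controller name/contact missing (Art. 30(1)(a))")

    m = re.search(r"Last updated:\s*(\d{4}-\d{2}-\d{2})", md)
    if not m:
        findings.append("no 'Last updated' date; currency cannot be assessed")
    elif today - date.fromisoformat(m.group(1)) > timedelta(days=MAX_AGE_DAYS):
        findings.append(f"record older than {MAX_AGE_DAYS} days ({m.group(1)})")

    header, rows = parse_table(md)
    for col in REQUIRED_COLUMNS:
        if col not in header:
            findings.append(f"missing column: {col}")
    if not rows:
        findings.append("no processing activities recorded (empty template)")
    for row in rows:
        name = row.get("Processing Activity", "<unnamed>")
        for col, val in row.items():
            if val.strip("* ").lower() in PLACEHOLDERS:  # "7 years*" is fine
                findings.append(f"{name}: '{col}' is a placeholder")

    if not re.search(r"^Security measures", md, re.M):
        findings.append("no description of security measures (Art. 30(1)(g))")
    return findings


# Constructed sample: the minimal template with one cell never filled in.
MINIMAL_ROPA = """\
# Records of Processing Activities
Controller: Example Corp | privacy@example.com | Last updated: 2026-02-22

| Processing Activity | Purpose | Data Categories | Recipients | Retention | Legal Basis |
|---|---|---|---|---|---|
| User account mgmt | Service delivery | Email, name, hash(pwd) | Clerk (auth) | Until deletion | Contract |
| Error monitoring | Service reliability | Error context, user ID | Sentry | TBD | Legitimate int. |
"""

# Constructed sample: the same register extended to every required column.
COMPLETE_ROPA = """\
Controller: Example Corp | privacy@example.com | Last updated: 2026-02-22

| Processing Activity | Purpose | Data Categories | Data Subjects | Recipients | Transfers | Retention | Legal Basis |
|---|---|---|---|---|---|---|---|
| User account mgmt | Service delivery | Email, name, hash(pwd) | Registered users | Clerk (auth) | US (SCCs) | Until deletion | Contract |

Security measures: encryption at rest, TLS in transit, MFA for admin access.
"""

if __name__ == "__main__":
    for label, doc in (("minimal", MINIMAL_ROPA), ("complete", COMPLETE_ROPA)):
        print(label, lint_ropa(doc, date(2026, 6, 1)) or ["PASS"])
```

Run it against the real docs/ROPA.md in CI with today's date; a non-empty finding list maps directly onto the fail criteria (missing elements, unfilled template, stale record), and the missing-column findings are exactly the Art. 30(1) elements the minimal template leaves out.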