GDPR-010 critical Privacy Documentation

Data processing records maintained

GDPR Article 30 requires Record of Processing Activities (ROPA). Document all processing activities with purposes, data categories, recipients, retention periods, and security measures.

Question to ask

"List every place you process user data. All of them."

Verification guide

Severity: Critical

GDPR Article 30 requires maintaining a Record of Processing Activities (ROPA) - an internal document of all data processing.

Check automatically:

# Look for data processing documentation
find . -maxdepth 4 -type f \( -name "*processing*" -o -name "*data*map*" -o -name "*data*inventory*" -o -name "*ropa*" \) 2>/dev/null | grep -v node_modules

# Check for GDPR compliance docs
grep -riE "processing.*activit|data.*register|article.*30|ropa|record.*processing" docs/ --include="*.md" 2>/dev/null

# Look for data flow documentation
grep -riE "data.*flow|data.*map|where.*data.*stored|data.*lifecycle" docs/ --include="*.md" 2>/dev/null

Ask user:

  • "Do you maintain a Record of Processing Activities (ROPA)?"
  • "Where is it documented?" (spreadsheet, Notion, compliance tool?)
  • "When was it last reviewed/updated?"
  • "Who owns keeping it current?"

ROPA should include (per Article 30):

Field                          Description
Processing activity name       e.g., "User registration", "Marketing emails"
Purpose                        Why you process this data
Categories of data subjects    Users, employees, prospects
Categories of personal data    Email, name, IP, payment info, etc.
Recipients                     Who receives this data (internal teams, third parties)
Transfers to third countries   Whether data leaves the EU
Retention periods              How long data is kept
Security measures              How data is protected

Cross-reference with:

  • GDPR-004 (data map needed for complete deletion)
  • GDPR-011 (third-party processors are part of ROPA)

Pass criteria:

  • ROPA exists and is documented
  • Covers all significant processing activities
  • Updated when new features/data uses added
  • Owner assigned for maintenance

Fail criteria:

  • No ROPA ("what's that?")
  • Started one but never completed
  • Exists but severely outdated
  • Only in someone's head
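One way to check the Article 30 fields and the pass/fail criteria above mechanically, assuming the ROPA is kept as machine-readable JSON (an added example, not part of this checklist or of any tool it references; the field names, the owner/last_reviewed keys and the one-year staleness threshold are this script's own assumptions):

```python
"""Lint a ROPA kept as a JSON list of processing activities.

Added example; field names map 1:1 to the Article 30 table above and are
this script's own choice. The staleness threshold is an assumption.
"""
import json
from datetime import date, timedelta

# One key per Article 30 field from the table above.
REQUIRED_FIELDS = (
    "name", "purpose", "data_subjects", "personal_data",
    "recipients", "third_country_transfers", "retention", "security_measures",
)
MAX_AGE_DAYS = 365  # assumption: untouched for a year counts as "severely outdated"


def lint_ropa(records, today=None, max_age_days=MAX_AGE_DAYS):
    """Return a list of findings; an empty list means the ROPA passes."""
    today = date.fromisoformat(today) if today else date.today()
    if not records:
        return ["ROPA is empty: no processing activities recorded"]
    findings = []
    for i, rec in enumerate(records):
        label = rec.get("name") or f"record #{i}"
        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        if missing:  # incomplete record: fails "covers all activities"
            findings.append(f"{label}: missing {', '.join(missing)}")
        if not rec.get("owner"):  # fails "owner assigned for maintenance"
            findings.append(f"{label}: no owner assigned")
        reviewed = rec.get("last_reviewed")
        if not reviewed:
            findings.append(f"{label}: no last_reviewed date")
        elif today - date.fromisoformat(reviewed) > timedelta(days=max_age_days):
            findings.append(f"{label}: last reviewed {reviewed}, older than {max_age_days} days")
    return findings


# Constructed sample: one complete activity and one that should fail review.
SAMPLE_ROPA = json.loads("""[
  {"name": "User registration", "purpose": "Create and manage accounts",
   "data_subjects": ["users"], "personal_data": ["email", "name", "IP address"],
   "recipients": ["internal: platform team", "email delivery provider"],
   "third_country_transfers": "none", "retention": "account lifetime + 30 days",
   "security_measures": "TLS in transit, encrypted at rest, RBAC",
   "owner": "privacy@example.com", "last_reviewed": "2024-03-01"},
  {"name": "Marketing emails", "purpose": "Product announcements",
   "data_subjects": ["prospects"], "personal_data": ["email"],
   "recipients": [], "third_country_transfers": "", "retention": "",
   "security_measures": "", "owner": "", "last_reviewed": "2022-01-15"}
]""")

if __name__ == "__main__":
    for finding in lint_ropa(SAMPLE_ROPA, today="2024-06-01"):
        print("FAIL:", finding)
```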

Notes: A ROPA is mandatory for organizations with 250+ employees, and for any organization that processes sensitive data or carries out high-risk processing. Even where it is not legally required, it is best practice and essential for responding to GDPR requests.

Evidence to capture:

  • ROPA location (document, tool)
  • Last updated date
  • Owner responsible for updates
  • Completeness (all processing activities covered?)

Section

37. GDPR & Privacy Compliance

Operations & Incident Management