GDPR Data Mapping Checklist — Article 30 Records of Processing Activities

Processing activities include collection, storage, use, disclosure, and deletion of personal data. Common gaps: shadow IT systems, HR data outside the main HRIS, marketing cookies and tracking pixels, CCTV, and access logs. Survey department heads using a structured template.

Your ROPA must name the data controller (the legal entity, not the DPO). If you have joint controllers under Article 26, both must be listed and the arrangement documented. Non-EEA controllers who must designate an EU representative under Article 27 must also include that representative's details.

Purposes must be specific — 'marketing' is not sufficient; 'sending promotional emails to opted-in subscribers about our SaaS product' is. The documented purpose constrains what you can legally do with the data and determines the appropriate lawful basis.

The six lawful bases under Article 6 are: consent, contract, legal obligation, vital interests, public task, and legitimate interests. You must identify one basis per processing activity before you begin processing. 'Legitimate interests' requires a balancing test (Article 6(1)(f)) — document it.

Categories of data subjects: employees, customers, prospects, website visitors, suppliers. Categories of data: name, email, IP address, location data, payment information, behavioral data. Be specific — 'customer data' is not adequate. Flag any special category data (Article 9) or criminal conviction data (Article 10).

For each processing activity, list every entity that receives the data: analytics providers, CRM vendors, payroll processors, cloud hosting providers, legal advisers. Note whether each recipient is a controller, processor, or joint controller — it determines your contractual obligations under Articles 26 and 28.

Data transfers outside the EEA — including to US-based SaaS vendors, cloud providers, and group companies — require a transfer mechanism: adequacy decision, Standard Contractual Clauses (SCCs), Binding Corporate Rules, or Article 49 derogation. Post-Schrems II, document the transfer impact assessment (TIA) for each US transfer.

You must either specify a retention period or document the criteria used to determine it (e.g., 'retained for the duration of the customer relationship plus 3 years for legal claims'). Indefinite retention violates the storage limitation principle. Align with legal hold obligations and sector-specific retention requirements.

A data flow diagram or process map (in addition to the ROPA) helps identify transfer risks, access control gaps, and breach notification scope. Tools like Lucidchart, draw.io, or specialized privacy tools (OneTrust, Osano) can automate this. The map should show data at rest and in transit.

Every vendor who processes personal data on your instructions must have a signed Article 28 DPA covering the mandatory clauses: subject matter, duration, nature, purpose, type of data, obligations and rights of the controller. Major vendors (AWS, Google, Salesforce, HubSpot) have standard DPAs — execute them, don't just accept the vendor's standard ToS.

An LIA documents: the legitimate interest pursued, whether processing is necessary for that interest, and whether the data subject's interests override yours (the balancing test). The LIA must be documented before processing begins and reviewed when circumstances change.

The ROPA must reflect current processing, not just the state at initial documentation. Assign ownership: typically the DPO maintains the ROPA, but business units must notify the DPO of new data processing activities before they launch, not after.

Special category data (health, biometric, genetic, racial/ethnic origin, political opinions, religious beliefs, sexual orientation, trade union membership) can only be processed under one of the 10 specific Article 9(2) derogations. Document which derogation applies, maintain evidence of the legal basis, and apply enhanced security measures.

The ROPA must be in writing — including electronic format. Verbal records are not compliant. You must make the ROPA available to the supervisory authority on request. An audit by the ICO or CNIL that discovers no ROPA exists results in enforcement action without requiring evidence of any underlying data breach.

If your organization processes personal data on behalf of controllers (you are a B2B service provider handling customer data), you must maintain a processor ROPA covering categories of processing, transfers, and security measures under Article 30(2). This is separate from your controller ROPA.

Article 30 does not require detailed security documentation in the ROPA, but it does require a 'general description' of security measures. Reference your information security policy, encryption standards, access control approach, and pseudonymization practices. Link to more detailed security documentation.

Your privacy notice must disclose many of the same elements as your ROPA: purposes, lawful bases, recipients, transfers, retention periods. Discrepancies between the ROPA and privacy notice — e.g., a processing activity in the ROPA that is not disclosed in the privacy notice — are Article 13/14 violations in addition to Article 30 deficiencies.

The ROPA is your DPIA trigger identification tool. Processing activities that involve systematic profiling, large-scale special category data, or novel technologies likely require a DPIA. Annotate the ROPA with DPIA status: required, completed, not required (with rationale).

If your processors use sub-processors (e.g., your CRM vendor uses AWS), your DPA must permit this and require the processor to impose the same data protection obligations on sub-processors. Review sub-processor lists for all key vendors and assess sub-processor risks.

If a DPO is required or voluntarily appointed, their contact details must appear in the ROPA and be communicated to the supervisory authority. The DPO's contact details must also appear in your privacy notice. The DPO must be involved in all data protection matters, including ROPA maintenance.

Without clear ownership, ROPAs become stale. Assign ownership to the DPO or privacy team. Establish a review cycle — at minimum annually, plus event-triggered updates for new processing activities, vendor changes, and organizational restructuring.

The accountability principle requires controllers to demonstrate compliance with all Article 5 principles. The ROPA is the core accountability document for processing activities. It should be supported by policies, training records, DPIAs, consent records, and DPA agreements — collectively these form your accountability framework.