GDPR A30-01: Records of Processing Activities for Controllers
Under GDPR Article 30, controllers must maintain comprehensive written records of all processing activities—a foundational compliance requirement that auditors scrutinize first. Without organized, documented proof of your data handling practices, you risk regulatory findings and failed audits. This guide walks you through what records you need, how to structure them, and how to keep them audit-ready.
What this means
GDPR A30-01 requires you to create and maintain a written record (often called a Records of Processing Activities or RoPA) that documents every processing activity your organization conducts. This record must include: your organization's identity as the controller; the specific purposes for processing data; the categories of data subjects and personal data you handle; who receives that data (internal teams, vendors, partners); any international data transfers and their safeguards; how long you retain each data type; and a summary of the technical and organizational security measures protecting the data. This record serves as your primary evidence of GDPR accountability and is typically the first document regulators request during investigations or audits.
How to comply
- 1.Identify all processing activities across your organization by department, system, and business function
- 2.Document each activity with: controller identity, processing purpose, data subject categories, and personal data types involved
- 3.List all recipients of the data, including internal departments, processors, and third-party vendors
- 4.Record any transfers of data outside the EU/EEA and the legal mechanisms enabling those transfers
- 5.Establish and document retention schedules for each data category
- 6.Describe the technical measures (encryption, access controls, backups) protecting the data
- 7.Describe organizational measures (policies, training, audit schedules) protecting the data
- 8.Centralize the record in an accessible location and ensure it's maintained as an evolving document
- 9.Review and update the record annually or whenever processing activities change
Evidence auditors look for
- A completed Records of Processing Activities (RoPA) document listing all data processing activities
- Processing activity register with columns for controller, purpose, data categories, recipients, retention, and security measures
- Data flow diagrams showing movement of personal data through your systems and to third parties
- Data retention policies linked to specific processing purposes
- Technical security documentation (encryption protocols, access control matrices, backup procedures)
- Organizational security policies (data handling procedures, employee training records, incident response plans)
- Data Processing Agreements with third-party processors documenting their roles and obligations
- Records of Data Protection Impact Assessments (DPIAs) for high-risk processing activities
- Audit trail or change log showing updates to the RoPA over time
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch's automated processing activity discovery and RoPA generator maps your data flows, consolidates processing documentation, and keeps your records updated as systems change—eliminating manual spreadsheet maintenance and ensuring auditors always find your records current and complete.
See how GRCWatch handles this control automatically
Start free trial