ROPA in LGPD? Get to Know the Records of Processing Activities.

9 months ago
João Bruno Soares

The LGPD (General Data Protection Law) brought with it several acronyms and specific terms, many of them imported from other countries and legislations. One of them is ROPA (Record Of Processing Activities), adapted in Brazil as Registros das Atividades de Tratamento. It is an essential document for any DPO, Data Processor.

If you work in the field or are in the process of adapting your company, this article was made to help you better understand this document.

ROPA (Record Of Processing Activities) is nothing more than a document that organizes the company's official records about:

  • How data collection is done, its processes, and activities;
  • What is done with the data, if there is any processing or sharing;
  • How data is deleted, if applicable.

In other words, it holds the essential questions and answers in case the ANPD (National Data Protection Authority) consults your company. Below, we'll discuss each of these points in more detail.

It's worth noting that all documents and processes mapped by the company's Data Processor are "living," constantly being updated and changed. A new process created in department X can change the ROPA, the Privacy Policy, and many other controls.

So, regardless of the size of your company, documents should always reflect reality and be constantly updated.

Smaller companies may not feel the need for, or the complexity of, keeping these "mappings of flows" updated; after all, everything is smaller and involves fewer people. For a larger company, there are already software solutions that help with this control in a more automated way, such as LGPDNOW.

What is ROPA?

ROPA (Record Of Processing Activities), translated by the Brazilian market to Records of Processing Activities, is an official document of companies, generated by a system or not, that records all flows, processing, and activities involving personal data.

It mainly lists all the purposes and reasons why the company needs the data for its operation, the legal basis, the security criteria, and the data storage/retention period.

Is ROPA the Same as Data Mapping?

The easy answer is: it depends.

Data Mapping or Data Inventory functions as a visual map of the flow of personal data within the Data Controller, bringing much more than ROPA, such as system and international transfer maps and compliance parameters for ISO and NIST, among others.

On the other hand, ROPA focuses on activities involving data processing. In a more structured company, it may happen that a Data Mapping contains some ROPAs as part of it.

In any case, recording activities is an essential part of both documents. The perspective and methodology applied in each can be what sets them apart.

What Should a ROPA Include?

According to the ICO (Information Commissioner’s Office), a ROPA must include at least:

  • Name and contact details of your organization, whether it's a controller or a processor (and where applicable, the joint controller, its representative, and the DPO);
  • The purposes of processing;
  • A description of the categories of individuals and personal data;
  • Categories of recipients of personal data;
  • Details of transfers to third countries, including a record of the safeguards in place for the transfer mechanism;
  • Retention/storage times;
  • A description of the technical and organizational security measures in place;
  • If you have an internal record of all processing activities carried out by any processor on behalf of your organization.

Questions the ROPA Should Answer:

  • Have you considered the effectiveness of your accountability measures?
  • Would staff say you have effective processes to keep the record up-to-date, accurate, and ensure data is minimized?
  • Could staff explain their responsibilities and how they carry them out in practice?

Best Practices for a Good ROPA

According to the ICO (Information Commissioner’s Office), a ROPA also includes or links to documentation covering:

  • Information needed for privacy banners, such as the legal basis for processing and the source of personal data;
  • Consent records;
  • Controller-processor contracts;
  • The location of personal data;
  • DPIA reports;
  • Records of personal data breaches;
  • Information needed for processing special category data or criminal conviction and offense data under the Data Protection Act 2018 (DPA 2018); and
  • Retention and deletion policy documents.

Questions to ask when creating your ROPA:

  • Have you considered the effectiveness of your accountability measures?
  • Do staff understand how to access other relevant documents linked to the ROPA?
  • Is it easy for staff to access relevant documentation from the ROPA?
  • Could staff explain this process and how it impacts their role?

How to Create a ROPA for LGPD?

A good approach for those starting out, or for a smaller company, is to use spreadsheets for this control and organization.

In addition, on the gov.br website, there are various guides and templates to help you comply with LGPD.

For larger companies that need to structure these processes better, a privacy management and data mapping platform can be very helpful!

That's why we recommend that you schedule a meeting with the LGPDNOW team for a no-obligation conversation to see how they can help you develop your ROPA for LGPD.

Templates and models imported from other companies can be very helpful. But it's essential that you can clearly and objectively translate the reality of your company.

Whenever we face the complexity of justifying and grounding the collection of data, we should prioritize privacy throughout all processes, as taught by Privacy by Design.

How Can AdOpt Help with ROPA?

According to the recommendations of the ICO listed above, AdOpt's LGPD Platform helps you map and organize:

  • Cookie Banner within ICO, LGPD, GDPR, CCPA standards;
  • Records of all written consents (organized by user, with date, time, and details of each consent);
  • API Integration with your other platforms to enrich the collected data with the consent information recorded;
  • And more, depending on the size of your company.

We're here to help!

So, in this link, our calendar is open to discuss your business's adaptation challenges.

