The RoPA is a GDPR-mandated document that helps you map out how personal data is processed in your business. It’s basically a data inventory: a structured record of what data you collect, why you collect it, where it goes, how long you keep it, and how it’s protected.
It is required by Article 30 of the GDPR for businesses that process personal data regularly, such as your agency or your clients using DropSaaS.
What Does It Contain?
Each entry in the RoPA describes one processing activity, such as:
• Registering a new user on your platform
• Sending SMS
• Providing customer support via chat
For each activity, you document:
• Purpose: Why you are processing the data (e.g. user registration, support)
• Data Categories: What types of data you collect (e.g. name, email, IP address)
• Data Subjects: Who the data belongs to (e.g. users, clients, staff)
• Legal Basis: On what legal ground you process it (e.g. consent, contract)
• Recipients: Who gets access to this data (e.g. SaaS provider, email tool)
• Third Country Transfers: Whether data goes outside the EU and how it's protected
• Retention Period: How long you keep the data
• Security Measures: How you protect the data (e.g. encryption, access control)
How It Works (in practice)
- You fill in one row per processing activity (we’ve already included common ones in the file).
- You update it as your data flows change — for example, if you add a new tool like Intercom or change how you handle support.
- You keep this document available in case of a GDPR audit or if a client/user requests information about their data processing.
Why It’s Useful for Agencies
✅ Legal compliance: It’s a core part of demonstrating accountability under GDPR.
✅ Client confidence: You show professionalism and transparency to your clients.
✅ Risk reduction: Helps you detect risky or non-compliant data practices.
✅ Easier collaboration: If your clients ask how their data is handled, you already have the answer.