Records of Processing Activities (ROPA)
Records of Processing Activities (ROPA) are an organization’s inventory of what personal information it collects, why, where it lives, and who it is shared with.
A ROPA is a living map of your data: for each activity it captures the *purpose*, the *categories of personal information* and individuals, *recipients* (including third parties and processors), *retention periods*, storage *locations*, and the safeguards in place.
The term comes from the EU GDPR (Article 30), but the underlying discipline is essential in Canada too. Law 25 effectively demands this level of visibility to meet its transparency, retention, and transfer obligations, and it underpins any credible PIPEDA accountability program.
Practically, a good ROPA is the foundation for everything else — responding to access requests, running a PIA, honouring retention limits, and reacting fast during a breach. You cannot protect data you have not inventoried.