RoPA | Data Mapping


Keep the control over all your processing activities and manage the data your company deals with visually. Let us show you how:

Have a global vision of your company's data

Automate the process of creating your data map and assists you with the registration of your data processes 

Assisted process

Generate a record of all your data processing activities with one-click. Easy to keep up to date.

Visual map 100% updated

Visually and concisely identify the data your company deals with in real time

Automatically generated

Based on previously identified processing activities

Manage record of processing activities (RoPA)

Pridatect assists you with the registration of your data processes

Data mapping with Pridatect

Automatic data map generator


To keep a register of processing activities is a new corporate responsibility, set out in Article 30 of GDPR, which implies a clear and complete overview of all processing activities taking place within an organisation, and their consequent documentation. This process will require proactive collaboration by organisations.


Data controllers shall be responsible for keeping up-to-date records of all processing activities taking place within the organisation.

The records shall contain the following information:


  • The name and contact details of the controller and, where appropriate, of the processor;
  • The purposes of the processing;
  • A description of the categories of data subjects and of the categories of personal data;
  • The categories of recipient to whom the personal data have been or will be sent, including recipients in third countries or international organisations;
  • Transfers of personal data to a third country or international organisation, including documentation of appropriate safeguards;
    time limits for the deletion of different categories of data;
  • Time limits for the deletion of different categories of data;
  • An overview of the technical and organisational measures implemented.

According to GDPR, it is not compulsory when the company has less than 250 workers.

However, there are some exceptions. If an enterprise has fewer than 250 employees, it is always mandatory, no matter how many employees, to keep a record of processing activities, if the data processed:

  • Is likely to present a risk to the rights and freedoms of the data subjects
  • Is related to convictions and criminal offences
  • On a non-occasional basis, includes special categories of personal data (indicated in article 9 of GDPR)
  • Racial or ethnic origin
  • Political opinion
  • Religious or philosophical beliefs
  • Union membership
  • Processing of genetic data
  • Biometric data aimed at uniquely identifying a natural person
  • Data concerning health or data concerning the sexual life or sexual orientations of a natural person

The record of processing activities must always be in electronic format. However, it is also valid in written format & must always be up to date.

The record will provide an overview of all data processing activities within the organisation and therefore allow organisations to control what type of data categories are being processed, by whom (which departments or business units) and for what underlying purposes. This knowledge will allow organisations to make internal connections, join efforts or projects with the same or equivalent objectives and/or challenges and result in greater control over data processing activities. This will provide insight into risks and necessary mitigation actions, and will inevitably empower organisations to do more – and in a well-ordered way – with the personal data available.

Any successful data protection program starts with understanding what kind of data a company collects, stores, processes, shares and disposes of.


Having a visual element such as a data map allows you to have an overview of what data the company handles and whether it is transferred from one location to another either internally or externally.

In addition, the data visualisation will help employees to easily follow the personal data flows in the organisation and managers to have full control of all data. 


A data map visually shows the processing activities, i.e. the data that a company is processing, and to whom it is communicating (the recipients). 

These processing activities must be predefined in order to comply with the requirements of art. 30 of GDPR. This article indicates that each data controller must keep a record of the processing activities.


A comprehensive data flow map to help ensure GDPR compliance will show all the data that exists in the company and where it is moving in and out of the company. When data mapping for GDPR make sure to include the following:


  • What data is being handled, is it sensitive data or not?
  • Where is the data stored?
  • Where does the data go?




Get started today

Discover how Pridatect can help you in taking control of your companies data protection

Do you have any questions? Get in touch with our sales team.

☏ +44 7427 505253 | Monday to Friday from 8:00 to 17:00 GMT