ROPA detail page

Review all attributes, linked elements and risks of a single ROPA entry.

The ROPA detail page is your command centre for a single Record of Processing Activities (ROPA). Whether you are a Data Protection Officer verifying that a new processing activity is documented correctly, a compliance officer linking personal data types and legal bases, or a risk manager rating the severity of a risk scenario, this is where all of that work happens. Every tab on this page represents a different dimension of the same processing activity — and every edit, link, or risk assessment you make here feeds directly into your organisation's overall compliance picture under GDPR Article 30 and any other applicable regulation.


How to open it

Navigate to Records of Processing Activities in the left sidebar. In the overview table, click on any ROPA record's name. You will land on the detail page for that record with the General tab active.

There is no direct menu shortcut to a specific record — the overview list is always the entry point. Direct URLs (e.g. from a notification email or a workflow approval link) will also bring you here.

You need ROPA read access to view this screen. If you do not have that permission, the Records of Processing Activities menu item will not appear in the sidebar at all, and visiting the URL directly will redirect you to the dashboard.


What you see

The page is divided into two main areas. On the left is a vertical tab menu — a list of labelled sections such as General, Personal Data, Purpose of Processing, Affected Persons, Legal Basis, and many more. Clicking any tab reloads only the right-hand content area, so navigation feels instant. A small circular icon at the far left of the page lets you collapse this menu entirely, which is useful when you are working with wide tables such as the External Recipients list.

The right-hand content area has two fixed zones at the top that stay visible as you navigate between tabs:

  • A breadcrumb bar showing "Records of Processing Activities" (as a clickable link back to the overview), the current record's name, and the active tab name. If you arrived here from a filtered list, left and right arrow icons appear in the breadcrumbs so you can step to the previous or next record without going back to the list.
  • A sticky header showing the responsible person(s), the current workflow status badge (for example "Draft" or "Active"), and the date the record was last updated.

Below those fixed zones, the content changes completely depending on the active tab. On the General tab you see a read-only summary card of the core metadata fields. On any other tab you see a searchable, sortable table of linked elements — personal data types, purposes, vendors, risk scenarios, and so on — with action buttons to add or remove items.


Working with this screen

Reviewing a newly created ROPA and marking it active

When a colleague submits a new ROPA as a Draft, you will typically receive a notification with a direct link. Clicking that link brings you straight to the detail page.

Start on the General tab. Read through the record's name, brief description of processing, the applicable regulations, the legal role (Controller, Processor, or both), and the responsible person. If the information looks complete and correct, click the status badge in the sticky header — it opens a small dropdown. Select Active to confirm that the processing activity has been reviewed and is now live in your records. The badge updates immediately without a page reload.

If several ROPAs need reviewing, use the left and right arrow icons in the breadcrumb bar to step to the next record in your current filtered list. You do not need to return to the overview each time.


Linking data elements to an existing ROPA

When a ROPA has been migrated from a spreadsheet or was created with only the basic fields filled in, you will need to attach all its linked elements: personal data types, affected persons, legal bases, external recipients, assets, and so on.

Click the Personal Data tab in the left menu. If nothing is linked yet, the table is empty. In the top-right corner of the table you will see a button group:

  • The primary Create button opens a dropdown with options such as "Create Personal Data" or "Create Collection". Use this when the item does not yet exist anywhere in your DPMS library — it navigates you to the creation screen, and on saving, DPMS returns you here automatically.
  • The Link button opens a search-and-select panel listing all existing personal data types in the system. Use this when the item already exists (for example, "Email Address" is probably already used in several other ROPAs). Select the items you need and click Save. The linked items appear immediately in the table.
  • The AI generation button (the star/sparkle icon) asks the DPMS AI assistant to suggest personal data types based on the ROPA's brief description and applicable regulation. This button is only available if your organisation has AI features enabled and you have the necessary permission. It is disabled if an AI job is already running on this record.

Repeat the same process on the Affected Persons tab. Here, each row also shows a Number of Affected Persons column where you can select a range (for example "1,000–10,000") to document the approximate scale of the processing activity — a requirement under GDPR Article 30.

For the External Recipients tab, each linked vendor row includes two additional selectors:

  • Vendor Type — classify the recipient's role (Processor, Joint Controller, Third Party).
  • Legal Basis / International Transfer — if the recipient is in a country outside the EEA, specify the safeguard used (Standard Contractual Clauses, Adequacy Decision, etc.).

On the DPIA tab, each linked DPIA row includes an Applicable Regulation selector to clarify which regulation triggered the DPIA requirement for this processing activity.

After linking items on any tab, the unlink icon (the broken-link icon on each row) lets you remove a relationship without deleting the underlying element from your library.


Assessing and updating a risk scenario

Click the Risk Scenarios tab. You will see a list of process risk scenarios linked to this ROPA, each showing its current risk score and priority level (colour-coded from Very Low to Very High).

Click on a risk scenario row to open its detail sub-form. The form shows:

  • A risk table — rows for each likelihood factor and each damage factor defined in your organisation's Process Risk Model. For each factor, radio buttons let you choose Very Low, Low, Medium, High, or Very High. As you click, the Current Risk Score and the colour-coded risk priority badge update in real time so you can see the impact of your ratings immediately.
  • A Controls / TOMs selector — a searchable multi-select dropdown for attaching Technical and Organisational Measures to this risk scenario. Linking a TOM here documents that a specific security control is in place to mitigate this risk.
  • A Reasons for Risk Classification text area — a free-text field (supporting multiple languages) where you document why you assigned this risk level. If AI is enabled, a small assist button appears here to help you draft the justification.

When you are satisfied, click Save. Your ratings are submitted and you are returned to the ROPA detail page.

Heads up: If your organisation has not yet configured a Process Risk Model in Risk Settings, the save will be blocked and a toast message will appear with a direct link to the Risk Settings screen. Set up the risk model first, then return here.

Reviewing the change history during an audit

Click the clock icon (activity log button) in the top-right corner of the content area. A slide-out drawer opens showing the complete change history of this ROPA record: who made each change, what they changed, and when. This is the evidence you need during a regulatory inspection to demonstrate that the ROPA has been actively maintained.

The activity log button is only visible to users who have changelog read access for ROPA. It is also hidden when viewing a historic snapshot of the record.


Controlling who can see a sensitive ROPA

Some processing activities — such as HR payroll or employee monitoring — should only be visible to specific teams or named individuals.

Click the Manage Access tab at the bottom of the left menu. You will see two fields:

  • Audiences — a multi-select dropdown for selecting predefined audience groups (for example "HR Department Audience"). Everyone in the selected audience group will be able to view this ROPA.
  • Users — a user search field for adding named individuals who should have access regardless of their audience group.

Select the appropriate audiences and users, then click Save. The access settings take effect immediately. Only the audiences and users you select will be able to view this ROPA in shared views and the Privacy Portal.


Configuring the Collections vs. individual items view

On the Personal Data and Purpose of Processing tabs, a toggle switch appears in the top-right of the table. It switches between two views:

  • Collections — shows linked attribute template collections (grouped concepts such as "Contact Data" covering Name, Email, and Phone).
  • Personal Data / Purpose of Processing — shows individually linked items.

Use the Collections view if your organisation groups data types into reusable templates. Use the individual view if you prefer a flat list. Your choice is remembered in your browser, so the tab will open the same way next time.


Reassigning the responsible person

If the DPO or compliance officer responsible for this ROPA changes, click their name chip or avatar in the sticky header. A multi-select dropdown opens. Search for and select the new responsible person(s) and close the dropdown — the change is saved automatically without needing to open the edit screen.


Field reference

The General tab displays the following read-only fields. To edit them, click the Edit (pencil) button in the top-right of the General card.

Field: What it shows

  • Name: The name of this processing activity (supports multiple languages).
  • Organisational Unit: The department or team that owns this activity. If departments are enabled, the department name appears in brackets.
  • Brief Description of Processing: A plain-language summary of what is processed and how. This field is used by the AI assistant to suggest linked elements — the more detail you add, the better the suggestions.
  • Type: The legal role(s) of your organisation for this activity: Controller, Processor, or both.
  • Classification: Category tags applied to this ROPA (from the ROPA Classifications tag library).
  • Controller: The vendor(s) acting as controllers. If your organisation is the controller and no vendor is linked, your company name is shown automatically.
  • Applicable Regulations: The regulatory frameworks that apply (e.g. GDPR, CCPA). Important: these must be set before you link Legal Basis or Special Categories, because the available options on those tabs are filtered by the regulations selected here.
  • Need to Process: A brief explanation of why this processing is necessary.
  • Custom fields: Any organisation-specific fields added by your administrator.


How this connects to the rest of DPMS

The ROPA detail page sits at the centre of the DPMS compliance ecosystem. Almost every other module either feeds into it or depends on it:

  • Links IN: Clicking a ROPA row in the overview list, saving an edit from any tab's edit screen, clicking a direct link in a notification email or workflow approval, and the ROPA tab on a DPIA detail page all bring you here.
  • Links OUT: Every tab provides clickable rows that navigate to the relevant element's own detail page — assets, vendors, DPIAs, tasks, documents, and more. The Edit button on the General card takes you to the edit form for that tab. The Create button on each linked-element tab takes you to the creation screen for that element type, with a return path back here.

Downstream effects to be aware of:

  • The Applicable Regulations field on the General tab controls which legal bases and special categories appear as options on the Legal Basis and Special Categories tabs. Set regulations first.
  • The Brief Description of Processing field is the primary input the AI assistant uses to generate suggestions for personal data, purposes, affected persons, assets, and risk scenarios on other tabs. A vague description leads to vague suggestions.
  • The External Recipients you link here (and their countries) populate the "Data Transfer" indicator that appears on the ROPA overview list.
  • The Manage Access settings you configure here determine which audiences and users can view this ROPA in the Privacy Portal or shared compliance views.
  • Once you finish setting up a ROPA, consider running an AI generation pass on the tabs that are still empty, then review the suggestions before confirming them.

Tips & common pitfalls

Heads up: Set your Applicable Regulations on the General tab before working on the Legal Basis and Special Categories tabs. Without regulations selected, the available options on those tabs will either be unfiltered or generate a warning when you try to save.
Tip: Use the breadcrumb arrows to step through multiple ROPAs during a review cycle. This is far faster than repeatedly returning to the overview list.
  • The Collections / individual items toggle is stored in your browser, not on the server. If you use a different browser or clear your browser data, the toggle will reset to its default position. This sometimes causes confusion when the same tab looks different on a colleague's screen.
  • All edit buttons across every tab are disabled while an AI generation job is running. There is no real-time progress bar on the detail page — you will see a tooltip explaining that the record is being processed by AI. Wait for the toast notification confirming completion, then reload the page to continue editing.
  • Child ROPAs inherit most fields from their parent and cannot be edited independently. If you open a ROPA and find that the name, description, applicable regulations, and type fields are all greyed out, it means this is a child ROPA linked to a parent record. You can only change the responsible person, organisational unit, and organisational unit name. Contact your DPMS administrator if the parent data needs to change.
  • The Controller field behaves differently depending on the legal role. If this ROPA's legal role is "Processor", an additional "Vendor Controllers" field appears to document on whose behalf you are processing. If the legal role is "Controller only", that field is hidden. The displayed controller value falls back to your company name if no vendor controller has been explicitly linked — this is expected behaviour, not a data gap.
  • A Process Risk Model must be configured in Risk Settings before you can save any risk assessments. If you rate likelihood and damage factors on the Risk Scenarios tab and then click Save, but your organisation has never set up a risk model, the save will fail with a toast message containing a direct link to the Risk Settings screen.

