GDPR ROPA & DPIA Author
Overview
Guided elaboration of Records of Processing Activities (ROPA) and Data Protection Impact Assessments (DPIA): processing purposes, legal basis, data categories, recipients, retention, safeguards, and DPIA necessity assessment and risk mitigation.
Getting Started
Add your source materials to the project workspace, then activate the GDPR ROPA & DPIA Author skill. The agent will guide you through the process step by step.
Example Conversation
Below is an example of how a typical ROPA/DPIA session unfolds. The agent drafts ROPA entries per processing activity and adds a DPIA for high-risk processing.
You: We need a ROPA for Article 30 covering our HR, marketing, and customer support processing. We also do profiling for ads — do we need a DPIA?
Agent: Yes. Profiling that has legal or similarly significant effects typically requires a DPIA under Article 35. I’ll draft the ROPA with one entry per processing activity (HR, marketing, support, advertising) and add a DPIA section for the profiling. For each ROPA entry I’ll include purpose, legal basis, data categories, retention, and safeguards.
You: Go ahead. Our retention for support tickets is 3 years; HR records 7 years post-employment; marketing consent until withdrawal.
Agent: I’ve created ropa-dpia.md with four ROPA entries and a DPIA for the advertising profiling. Each entry has purpose, legal basis (e.g. Art. 6(1)(b) for HR, (a) for marketing), categories of data, retention, and technical/organisational safeguards. The DPIA describes the profiling, necessity and proportionality, risks (e.g. discrimination, lack of transparency), and mitigation (transparency notice, right to object, human review). Run the validation tool?
You: Yes.
Agent: I ran check_ropa_article30_coverage. Result: ROPA and DPIA sections present; all required elements detected. One info: consider adding categories of data subjects explicitly (e.g. employees, customers, prospects) in the ROPA header. I’ll add that.
Sample Output Excerpt
Below is a representative excerpt from a ROPA document showing one processing activity with Art. 30(1) elements.
Processing activity 2 — Marketing and newsletters
| Field | Content |
|---|---|
| Purpose | Sending marketing communications and product updates; analytics on email engagement |
| Legal basis | Consent (Art. 6(1)(a)); legitimate interest for analytics (Art. 6(1)(f), balanced) |
| Categories of data | Email address, name, preferences, open/click data |
| Data subjects | Prospects, customers who opted in |
| Recipients | Mail provider (processor); no other recipients |
| Transfers | None outside EEA |
| Retention | Until withdrawal of consent or 3 years from last engagement; then anonymised or deleted |
| Safeguards | Encryption in transit and at rest; access control; DPA with processor; opt-out in every email |
Built-in Validation Tools
The skill includes an extension tool that checks ROPA and DPIA documents for Article 30 and Article 35 coverage.
What the tool checks
| Check | Description |
|---|---|
| ROPA section | Detects a Records of Processing Activities (or ROPA / Article 30) section |
| Purpose | Ensures purpose(s) of processing are documented (Art. 30(1)(b)) |
| Legal basis | Ensures legal basis (e.g. Art. 6) is stated for each activity |
| Categories | Ensures categories of personal data and data subjects are present |
| Retention | Ensures retention period or erasure criteria are documented |
| Safeguards | Ensures technical and organisational safeguards are described |
| DPIA risk and mitigation | If a DPIA section exists, ensures risks and mitigation measures are present (Art. 35(7)(c) and (d)) |
Run check_ropa_article30_coverage on the ROPA or DPIA document after drafting or updating to ensure completeness.
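The checks listed in the table above can be reproduced with a short script. The following is an added example written for this page, not the skill's own check_ropa_article30_coverage tool. It assumes the layout of the sample excerpt (each activity introduced by a "Processing activity N" line followed by a two-column "| Field | Content |" table) and that the DPIA section, a line starting with "DPIA" or "Data Protection Impact Assessment", is the last section of the document. The ROPA document embedded in it is constructed for the example: activity 1 is complete, activity 2 omits retention and gives a legal basis without an article citation, and the DPIA lists risks but no mitigation.

```python
"""Coverage check for a Markdown ROPA/DPIA document (added example for this page,
not the skill's own tool). Assumes the sample excerpt's layout: a 'Processing
activity N' line followed by a '| Field | Content |' table per activity, and the
DPIA section (a line starting with 'DPIA') placed last in the document."""
import re
from dataclasses import dataclass

# Required per-activity elements (label -> accepted row names, lower case).
REQUIRED_FIELDS = {
    "Purpose": ("purpose",),                                           # Art. 30(1)(b)
    "Legal basis": ("legal basis", "lawful basis"),
    "Categories of data": ("categories of data", "data categories"),   # Art. 30(1)(c)
    "Data subjects": ("data subjects", "categories of data subjects"),
    "Retention": ("retention", "retention period"),                    # Art. 30(1)(f)
    "Safeguards": ("safeguards", "security measures"),                 # Art. 30(1)(g)
}
ACTIVITY_RE = re.compile(r"^Processing activity\s+\d+\b", re.I)
ROW_RE = re.compile(r"^\|\s*(?P<field>[^|]+?)\s*\|\s*(?P<content>[^|]*?)\s*\|\s*$")
DPIA_RE = re.compile(r"^#*\s*(?:DPIA|Data Protection Impact Assessment)\b", re.I | re.M)
CITES_ARTICLE_RE = re.compile(r"art(?:icle|\.)?\s*[69]\b", re.I)   # cites Art. 6 or Art. 9?

@dataclass
class Finding:
    level: str    # "error" (required element missing) or "info" (advisory)
    where: str    # activity heading, "DPIA" or "document"
    message: str

def parse_activities(text):
    """Map each 'Processing activity N' heading to its {row name: content} table rows."""
    activities, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if ACTIVITY_RE.match(line):
            current = activities[line] = {}
            continue
        row = ROW_RE.match(line)
        if current is not None and row:
            field = row["field"].lower()
            if field != "field" and not field.startswith("-"):  # skip header/separator rows
                current[field] = row["content"]
    return activities

def check_activity(heading, rows):
    """Flag missing Art. 30(1) elements and a legal basis that cites no GDPR article."""
    findings = []
    for label, aliases in REQUIRED_FIELDS.items():
        content = next((rows[a] for a in aliases if a in rows), None)
        if content is None or not content.strip():
            findings.append(Finding("error", heading, f"missing {label}"))
    basis = next((rows[a] for a in REQUIRED_FIELDS["Legal basis"] if a in rows), "")
    if basis and not CITES_ARTICLE_RE.search(basis):
        findings.append(Finding("info", heading, "legal basis does not cite Art. 6 or Art. 9"))
    return findings

def check_dpia(text):
    """If a DPIA section exists, require risks and mitigation (Art. 35(7)(c) and (d))."""
    m = DPIA_RE.search(text)
    if not m:
        return []
    body = text[m.end():].lower()   # assumption: the DPIA is the last section
    required = {"risks to data subjects (Art. 35(7)(c))": r"\brisks?\b",
                "mitigation measures (Art. 35(7)(d))": r"mitigat|measures envisaged"}
    return [Finding("error", "DPIA", f"no {what} documented")
            for what, pattern in required.items() if not re.search(pattern, body)]

def run_checks(text):
    """Run every check; an empty list means the document is fully covered."""
    findings = []
    if not re.search(r"records of processing|\bROPA\b|article 30", text, re.I):
        findings.append(Finding("error", "document", "no ROPA / Article 30 section found"))
    activities = parse_activities(text)
    if not activities:
        findings.append(Finding("error", "document", "no 'Processing activity N' entries found"))
    for heading, rows in activities.items():
        findings += check_activity(heading, rows)
    return findings + check_dpia(text)

# Constructed sample: activity 1 is complete; activity 2 lacks Retention and cites
# no article for its legal basis; the DPIA lists risks but no mitigation.
SAMPLE_DOC = """# Records of Processing Activities (Art. 30)
Processing activity 1 - Customer support
| Field | Content |
|---|---|
| Purpose | Handling support tickets |
| Legal basis | Art. 6(1)(b), contract with the customer |
| Categories of data | Name, email address, ticket content |
| Data subjects | Customers |
| Retention | 3 years after ticket closure |
| Safeguards | Encryption at rest; role-based access |
Processing activity 2 - Marketing and newsletters
| Field | Content |
|---|---|
| Purpose | Sending newsletters |
| Legal basis | Consent |
| Categories of data | Email address |
| Data subjects | Prospects |
| Safeguards | Opt-out link in every email |
# DPIA - Advertising profiling
Risks: discrimination, lack of transparency.
"""

if __name__ == "__main__":
    for f in run_checks(SAMPLE_DOC):
        print(f"[{f.level}] {f.where}: {f.message}")
```

Running the script on the constructed document yields one error for the missing retention row and one info for the bare "Consent" legal basis on activity 2, plus one error for the DPIA section's missing mitigation measures; activity 1 produces nothing. The "info" severity mirrors the advisory finding the agent reports in the example conversation: the check distinguishes elements the document must contain from ones it would merely be better with.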