# GDPR ROPA & DPIA Author

> Guided elaboration of Records of Processing Activities (ROPA) and Data Protection Impact Assessments (DPIA): processing purposes, legal basis, data categories, recipients, retention, safeguards, and DPIA necessity assessment and risk mitigation.



Tags: GDPR, Privacy, ROPA, DPIA, Compliance, Data Protection


## Example Prompts

- Draft our ROPA for Article 30 with all processing activities
- Complete each ROPA entry with purpose, legal basis, retention, and safeguards
- Draft a DPIA for our new profiling use case
- Check that our ROPA and DPIA have all required elements

URL: https://rakenne.app/skills/gdpr-ropa-dpia-author/index.md

Try this skill: https://rakenne.app/a/?skill=gdpr-ropa-dpia-author



## Overview

Guided elaboration of Records of Processing Activities (ROPA) and Data Protection Impact Assessments (DPIA): processing purposes, legal basis, data categories, recipients, retention, safeguards, and DPIA necessity assessment and risk mitigation.

## Getting Started

Add your source materials to the project workspace, then activate the *GDPR ROPA & DPIA Author* skill. The agent will guide you through the process step by step.

## Example Conversation

Below is an example of how a typical ROPA/DPIA session unfolds. The agent drafts ROPA entries per processing activity and adds a DPIA for high-risk processing.

> **You:** We need a ROPA for Article 30 covering our HR, marketing, and customer support processing. We also do profiling for ads — do we need a DPIA?
>
> **Agent:** Yes. Profiling that has legal or similarly significant effects typically requires a DPIA under Article 35. I'll draft the ROPA with one entry per processing activity (HR, marketing, support, advertising) and add a DPIA section for the profiling. For each ROPA entry I'll include purpose, legal basis, data categories, retention, and safeguards.
>
> **You:** Go ahead. Our retention for support tickets is 3 years; HR records 7 years post-employment; marketing consent until withdrawal.
>
> **Agent:** I've created `ropa-dpia.md` with four ROPA entries and a DPIA for the advertising profiling. Each entry has purpose, legal basis (e.g. Art. 6(1)(b) for HR, (a) for marketing), categories of data, retention, and technical/organisational safeguards. The DPIA describes the profiling, necessity and proportionality, risks (e.g. discrimination, lack of transparency), and mitigation (transparency notice, right to object, human review). Run the validation tool?
>
> **You:** Yes.
>
> **Agent:** I ran `check_ropa_article30_coverage`. Result: ROPA and DPIA sections present; all required elements detected. One info: consider adding categories of data subjects explicitly (e.g. employees, customers, prospects) in the ROPA header. I'll add that.

## Sample Output Excerpt

Below is a representative excerpt from a ROPA document showing one processing activity with Art. 30(1) elements.

---

### Processing activity 2 — Marketing and newsletters

| Field | Content |
|-------|---------|
| **Purpose** | Sending marketing communications and product updates; analytics on email engagement |
| **Legal basis** | Consent (Art. 6(1)(a)) for sending communications; legitimate interests (Art. 6(1)(f)) for engagement analytics, with the balancing test documented |
| **Categories of data** | Email address, name, preferences, open/click data |
| **Data subjects** | Prospects, customers who opted in |
| **Recipients** | Mail provider (processor); no other recipients |
| **Transfers** | None outside EEA |
| **Retention** | Until withdrawal of consent or 3 years from last engagement; then anonymised or deleted |
| **Safeguards** | Encryption in transit and at rest; access control; DPA with processor; opt-out in every email |

---

## Built-in Validation Tools

The skill includes an extension tool that checks ROPA and DPIA documents for Article 30 and Article 35 coverage.

### What the tool checks

| Check | Description |
|-------|-------------|
| **ROPA section** | Detects a Records of Processing Activities (or ROPA / Article 30) section |
| **Purpose** | Ensures purpose(s) of processing are documented (Art. 30(1)(b)) |
| **Legal basis** | Ensures legal basis (e.g. Art. 6) is stated for each activity |
| **Categories** | Ensures categories of personal data and data subjects are present |
| **Retention** | Ensures retention period or erasure criteria are documented |
| **Safeguards** | Ensures technical and organisational safeguards are described |
| **DPIA risk and mitigation** | If a DPIA section exists, ensures the assessment of risks and the measures envisaged to address them are present (Art. 35(7)(c) and (d)) |

Run **check_ropa_article30_coverage** on the ROPA or DPIA document after drafting or updating to ensure completeness.
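The checks in the table above, as an added illustrative reimplementation in Python. This is not the skill's own `check_ropa_article30_coverage` tool: the `check_document` function, the two-column `| **Field** | content |` table layout it expects (the layout used in the sample excerpt above), the heading patterns, the regexes and the constructed `SAMPLE_DOC` are all assumptions for the example, and it deliberately covers only the Art. 30(1) fields carried in such a table, not the controller details of Art. 30(1)(a). On the sample it flags an empty retention row in a deliberately incomplete entry, a legal basis that cites no Art. 6 or Art. 9 ground, and a DPIA section that lists risks but no mitigation measures.

```python
"""Illustrative Art. 30 / Art. 35 coverage checker for a markdown ROPA/DPIA file.
Added example, not the skill's check_ropa_article30_coverage tool; the table
layout, field labels, regexes and SAMPLE_DOC are assumptions for the example."""
import re
from dataclasses import dataclass

# Art. 30(1) elements every processing-activity table is expected to carry
# (table label, lower-cased -> provision it answers).
REQUIRED_FIELDS = {
    "purpose": "Art. 30(1)(b)",
    "legal basis": "Art. 6(1)",
    "categories of data": "Art. 30(1)(c)",
    "data subjects": "Art. 30(1)(c)",
    "recipients": "Art. 30(1)(d)",
    "transfers": "Art. 30(1)(e)",
    "retention": "Art. 30(1)(f)",
    "safeguards": "Art. 30(1)(g)",
}

@dataclass
class Finding:
    level: str    # "error" (element missing) or "info" (worth a second look)
    where: str    # heading of the section or activity concerned
    message: str

def split_sections(text):
    """Yield (heading text, body) for each markdown heading in the document."""
    parts = re.split(r"^(#{1,6} .*)$", text, flags=re.M)
    for i in range(1, len(parts), 2):          # parts alternate heading, body
        yield parts[i].lstrip("# ").strip(), parts[i + 1]

def table_fields(body):
    """Parse a two-column '| **Label** | content |' table into {label: content}."""
    fields = {}
    for line in body.splitlines():
        m = re.match(r"^\|\s*(.+?)\s*\|\s*(.*?)\s*\|\s*$", line)
        if not m or set(m.group(1)) <= set("-: "):   # skip the separator row
            continue
        label = m.group(1).strip("* ").lower()
        if label != "field":                          # skip the header row
            fields[label] = m.group(2)
    return fields

def check_document(text):
    """Return Findings for missing Art. 30(1) elements and Art. 35(7)(c)/(d) content."""
    findings = []
    sections = list(split_sections(text))
    if not any(re.search(r"ropa|records of processing|art(?:icle|\.)?\s*30", h, re.I)
               for h, _ in sections):
        findings.append(Finding("error", "document", "no ROPA / Article 30 section found"))
    for heading, body in sections:
        if re.match(r"processing activity", heading, re.I):
            fields = table_fields(body)
            for label, provision in REQUIRED_FIELDS.items():
                if not fields.get(label, "").strip():
                    findings.append(Finding("error", heading, f"missing {label} ({provision})"))
            basis = fields.get("legal basis", "")
            if basis and not re.search(r"\bart(?:icle|\.)?\s*[69]\b", basis, re.I):
                findings.append(Finding("info", heading, "legal basis cites no Art. 6 or Art. 9 ground"))
        elif re.search(r"\bdpia\b|impact assessment", heading, re.I):
            low = body.lower()
            if not re.search(r"\brisks?\b", low):
                findings.append(Finding("error", heading, "no assessment of risks (Art. 35(7)(c))"))
            if not re.search(r"mitigat|measures|safeguard", low):
                findings.append(Finding("error", heading, "no mitigation measures (Art. 35(7)(d))"))
    return findings

# Constructed sample: the entry has an empty retention row and a legal basis
# without an article reference; the DPIA lists risks but no mitigation.
SAMPLE_DOC = """\
## Records of Processing Activities (Art. 30)

### Processing activity 3 - Customer support

| Field | Content |
|-------|---------|
| **Purpose** | Handling and resolving support tickets |
| **Legal basis** | Performance of a contract |
| **Categories of data** | Name, email address, ticket content |
| **Data subjects** | Customers |
| **Recipients** | Ticketing provider (processor) |
| **Transfers** | None outside EEA |
| **Retention** | |
| **Safeguards** | Role-based access; DPA with processor |

## DPIA - Advertising profiling (Art. 35)

**Risks:** discrimination through inferred characteristics; lack of transparency.
"""

def fixed_sample():
    """SAMPLE_DOC with the gaps filled, which check_document should pass."""
    return (SAMPLE_DOC
            .replace("| **Retention** | |", "| **Retention** | 3 years after ticket closure |")
            .replace("Performance of a contract", "Contract (Art. 6(1)(b))")
            + "**Mitigation:** transparency notice; right to object; human review.\n")
```

Running `check_document(SAMPLE_DOC)` yields two errors (the empty retention row and the DPIA without mitigation) and one info finding (the legal basis with no article reference); `check_document(fixed_sample())` returns an empty list. The checker is keyword-based by design: like the skill's tool it can only confirm that an element is present, not that the stated legal basis or retention period is actually appropriate, so its output is a completeness gate, not a substitute for review.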


---

Back to [Skill Library](https://rakenne.app/skills/index.md)
