RiskWatch
GDPR · ROPA as a living document

GDPR compliance, a living ROPA not a spreadsheet.

EU DPAs issued €1.2B in fines in 2024. The processing chain changes weekly; your spreadsheet ROPA stopped reflecting reality six months ago. Living ROPA with field-level change history, DPIAs that auto-trigger on threshold processing, and DSAR fulfillment that hits the 30-day clock without a fire drill.

  • All 99 GDPR articles · 11 chapters · 173 recitals
  • Living Article 30 ROPA · field-level change history
  • EDPB-aligned Article 35 DPIA threshold engine
  • DSAR 30-day clock · 72-hour breach playbook
No credit card · GDPR + UK GDPR libraries ship day 1

Article 30 ROPA · live record
Living document. Field-level change history. Source-linked.

ROPA-247-B · Customer support — chat transcripts + screen recordings · Live
  • Controller: Acme EU SAS
  • Retention: 24 months · pseudonymized at 12
  • Recipients · processors: Zendesk (processor) · Gong (processor) · FullStory (processor)
  • Chapter V transfers: USA — SCC + supplementary measures

Field-level change history
  • Q4 2026 · Product launch trigger: Added FullStory as recipient (session replay). DPIA re-triggered · Schrems II TIA refreshed
  • Q3 2026 · DPO field update: Retention shortened: 36mo → 24mo (12mo pseudonym). Article 5(1)(e) storage limitation aligned
  • Q3 2026 · Vendor onboarding: Gong added as sub-processor of Zendesk. Sub-processor cascade · DPA chain updated
  • Q2 2026 · Article 30 baseline: Record created from product catalog import. Initial controller record per Art. 30(1)

Updated daily · supervisory-authority ready
Spreadsheets can't do this.

What it is

What is GDPR compliance software?

Article 30 doesn’t say “maintain a snapshot” — it says reflect the most up-to-date information. Living ROPA captures every change at the field level, ties each to its source event (product launch, vendor change, retention review), and triggers a DPIA automatically when two of the nine EDPB threshold criteria are met. The Article 33 72-hour breach clock runs in the background. DSAR fulfillment lands inside 30 days, every time. Aligned to the full text of the GDPR — all 99 articles, EDPB WP248 methodology, UK GDPR variants.

Why teams move to RiskWatch

Your ROPA is a spreadsheet. The processing chain changes weekly.

The DPO challenge isn't the breach playbook (which is well-documented). It's the slow erosion of accountability data: every product launch adds processing the ROPA doesn't reflect, every vendor change touches Article 28 obligations the spreadsheet can't track. Here's where it actually breaks.

Pain #1

Your ROPA is a spreadsheet. It stopped reflecting reality six months ago.

Article 30 requires the ROPA to reflect the most up-to-date information — and the heterogeneous, dynamic nature of accountability data is the #1 sustainability problem privacy teams cite. RiskWatch answers with a living ROPA: field-level change history, integration with product catalogs and vendor inventories, and auto-flagging when a downstream change invalidates a record.

Pain #2

Asked product about new processing. Got vague answers. Wrote it down anyway.

The 6-month DPO information-gathering pain: business units answer ROPA questionnaires generically, and the DPO writes down whatever they got. The audit trail looks complete; the ROPA isn't. Structured intake forms tied to product launches, contract changes, and vendor onboarding mean processing records are filled in at the source, not retrofitted at quarter-end.

Pain #3

GDPR + UK GDPR + CCPA + LGPD. Same data. One DPO.

EU DPAs issued €1.2B in fines in 2024. Privacy programs have expanded because of AI, cross-jurisdiction enforcement is up, and one DPO is running 4+ regimes. Score one processing activity against GDPR + UK GDPR + CCPA + LGPD + ISO 27701 simultaneously. Same ROPA, multiple lawful-basis evaluations, multiple DSAR rights workflows.

Article 35 · DPIA

Stop guessing whether processing needs a DPIA.

Article 35 mandates a DPIA when processing is “likely to result in a high risk” to data subjects. The EDPB WP248 guidelines turn that vague standard into a 9-criteria test: 2+ hits = DPIA required. Most teams either over-DPIA every project or under-DPIA the high-risk ones. The threshold engine runs the test on every ROPA record automatically.

  • 9-criteria EDPB test: scoring, automated decisions, monitoring, sensitive data, scale, matching, vulnerable subjects, new tech, rights blocking
  • Auto-trigger: 2+ criteria hit = DPIA workflow opens, routed to DPO with the ROPA record pre-populated
  • Residual-risk worksheet: EDPB-aligned methodology, mitigation matrix, supervisory-authority consultation flag if residual is high
  • DPO sign-off path: approval routing with attestation; DPIA decisions linked to the source ROPA record forever

Article 35 · DPIA threshold engine
EDPB 9-criteria test. Two hits = DPIA required.
Evaluating: ROPA-247-B · customer support transcripts + screen recordings
  • C1 · Evaluation or scoring (incl. profiling, predictive analytics): Hit
  • C2 · Automated decision with legal/significant effect (Article 22 territory): Clear
  • C3 · Systematic monitoring (incl. public-area surveillance, employee monitoring): Hit
  • C4 · Sensitive data or highly personal (Art. 9 special categories, Art. 10 criminal): Clear
  • C5 · Data processed on a large scale (by volume, range, duration, geographic scope): Hit
  • C6 · Matching or combining datasets (from different processing operations): Clear
  • C7 · Data concerning vulnerable subjects (children, employees, asylum seekers, patients): Clear
  • C8 · Innovative use or new technology (AI/ML, biometrics, IoT at scale): Hit
  • C9 · Prevents subject from exercising rights (or accessing a service or contract): Clear
4 of 9 criteria hit · threshold ≥ 2
DPIA required · auto-routed to DPO
EDPB WP248 rev.01 methodology
No more judgment-call DPIAs.

Article 30 · ROPA

Spreadsheets capture a moment. The ROPA is supposed to be live.

Article 30 doesn't say “maintain a snapshot” — it says reflect the most up-to-date information. The processing chain changes every week. Living ROPA captures every change at the field level, ties each change to its source event (product launch, vendor change, retention review), and notifies downstream owners — DPIAs, DPAs, lawful-basis records — when their inputs move.

When the supervisory authority asks for “the ROPA as of the date of this complaint,” the answer is two clicks — not a forensic excavation across three Excel files and an email thread.
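As an added example (not RiskWatch code, and not a description of how its engine is built), the following Python models the two mechanisms this section and the Article 35 section describe: a ROPA record whose every field change is logged against its source event, a point-in-time replay of that log to answer "the ROPA as of this date", and the EDPB WP248 nine-criteria threshold test that marks a DPIA as required at two or more hits and re-runs whenever a DPIA-relevant field moves. The record history is constructed to mirror the page's ROPA-247-B mock-up; the dates, field names, the set of fields treated as DPIA inputs, and the criteria assigned to each event are assumptions made for this example.

```python
"""Added example, not RiskWatch code: a minimal living ROPA record with a
field-level change log, point-in-time reconstruction, and the EDPB WP248
nine-criteria DPIA threshold test (two or more hits => DPIA required).
Record data is constructed to mirror the page's ROPA-247-B mock-up; the
exact dates and field names are assumptions made for this example."""
from dataclasses import dataclass, field
from datetime import date
from typing import Any, Optional

# The nine WP248 criteria, keyed C1..C9 as on the page.
WP248_CRITERIA = {
    "C1": "Evaluation or scoring",
    "C2": "Automated decision with legal/significant effect",
    "C3": "Systematic monitoring",
    "C4": "Sensitive data or highly personal",
    "C5": "Data processed on a large scale",
    "C6": "Matching or combining datasets",
    "C7": "Data concerning vulnerable subjects",
    "C8": "Innovative use or new technology",
    "C9": "Prevents subject from exercising rights",
}
DPIA_THRESHOLD = 2
# Fields whose change re-runs the threshold test (assumed set for this example).
DPIA_RELEVANT_FIELDS = {"recipients", "retention_months", "transfers", "criteria"}


@dataclass(frozen=True)
class Change:
    """One field-level change, tied to the source event that caused it."""
    when: date
    source_event: str
    field_name: str
    old: Any
    new: Any


@dataclass
class RopaRecord:
    record_id: str
    fields: dict = field(default_factory=dict)
    history: list = field(default_factory=list)  # appended in chronological order

    def as_of(self, when) -> dict:
        """Replay the change log to rebuild the record as it stood on `when`
        (a date or ISO string): 'the ROPA as of the date of this complaint'."""
        if isinstance(when, str):
            when = date.fromisoformat(when)
        snapshot = {}
        for c in self.history:
            if c.when <= when:
                snapshot[c.field_name] = c.new
        return snapshot


def dpia_threshold(criteria_hits) -> tuple:
    """WP248 rule: count distinct criteria hit; DPIA required at two or more."""
    hits = set(criteria_hits)
    unknown = hits - set(WP248_CRITERIA)
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    return len(hits), len(hits) >= DPIA_THRESHOLD


def apply_event(record, when, source_event, updates) -> Optional[tuple]:
    """Apply one source event's field updates, logging every field that changed.
    Returns the threshold result if a DPIA-relevant field changed, else None."""
    touched_dpia_input = False
    for name, value in updates.items():
        old = record.fields.get(name)
        if old == value:
            continue  # unchanged: nothing to log
        record.history.append(Change(when, source_event, name, old, value))
        record.fields[name] = value
        touched_dpia_input |= name in DPIA_RELEVANT_FIELDS
    if not touched_dpia_input:
        return None
    return dpia_threshold(record.fields.get("criteria", ()))


def build_ropa_247b():
    """Constructed history mirroring the page's ROPA-247-B change log."""
    rec = RopaRecord("ROPA-247-B")
    results = {}
    results["Article 30 baseline"] = apply_event(
        rec, date(2026, 5, 12), "Article 30 baseline", {
            "controller": "Acme EU SAS",
            "recipients": ["Zendesk"],
            "retention_months": 36,
            "transfers": "USA: SCC + supplementary measures",
            "criteria": ["C1", "C3", "C5"],
        })
    results["Vendor onboarding"] = apply_event(
        rec, date(2026, 7, 20), "Vendor onboarding",
        {"recipients": ["Zendesk", "Gong"]})
    results["DPO field update"] = apply_event(
        rec, date(2026, 9, 3), "DPO field update",
        {"retention_months": 24, "pseudonymize_at_months": 12})
    results["Product launch trigger"] = apply_event(
        rec, date(2026, 10, 14), "Product launch trigger", {
            "recipients": ["Zendesk", "Gong", "FullStory"],
            "criteria": ["C1", "C3", "C5", "C8"],  # session replay: new technology
        })
    return rec, results
```

Calling `build_ropa_247b()` returns the record plus the threshold result for each event; the product-launch event yields `(4, True)`, matching the "4 of 9 criteria hit" shown above, and `rec.as_of("2026-08-01")` returns the record with Gong already added but retention still at 36 months. The design point is that the change log, not the current field values, is the source of truth: the snapshot is always derivable, and every DPIA re-trigger is traceable to the event that moved a field.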

See the living ROPA on real data

“The ROPA used to live in three Excel files. Now it's a living document the supervisory authority can drill into.”
Marie L. · DPO · Multinational SaaS · 4,400 employees · EU-wide
  • ROPA freshness: Daily (↓ from quarterly)
  • DSAR turnaround: ↓ 60% (with 30-day clock)
  • Time-to-deploy: 5 weeks (first cycle)

GDPR Pack · GDPR Compliance · 99-Article + ROPA + DPIA Pack · PDF · 36 pages · DPO-ready

GDPR 99-Article Checklist + ROPA + DPIA Pack

Thirty-six pages walking through all 99 GDPR articles with EDPB-aligned implementation guidance, the Article 30 ROPA template (controller and processor versions), and the EDPB-aligned Article 35 DPIA threshold worksheet.

  • All 99 articles + 173 recitals
  • Article 30 ROPA template (controller + processor)
  • EDPB Article 35 DPIA threshold worksheet
  • Schrems II Transfer Impact Assessment template
Get the pack

Looking for GDPR ↔ UK GDPR ↔ CCPA ↔ LGPD crosswalk or the platform buyer's guide? Find them on the compliance frameworks hub.

FAQ

Common questions, answered up front.

About GDPR compliance, ROPA, DPIAs, DSARs, the 72-hour breach clock, and how RiskWatch covers all of them.

What is GDPR compliance software?

GDPR compliance software is a platform that helps controllers, processors, and Data Protection Officers (DPOs) operate the privacy program continuously — not as a one-time documentation project. EU DPAs issued €1.2B in GDPR fines in 2024, and 90% of organizations report their privacy programs have expanded because of AI. The 2026 buyer expectation has shifted to automation-first platforms with continuous control monitoring. RiskWatch covers all 99 GDPR articles, a living ROPA with field-level change history, Article 35 DPIA workflows that auto-trigger on threshold processing, Article 33 72-hour breach playbook, DSAR fulfillment on the 30-day clock, and cross-mapping to UK GDPR + CCPA + LGPD + PIPEDA + ISO 27701 (available on the compliance-frameworks hub).

What is a ROPA and why does Article 30 matter?

A Record of Processing Activities (ROPA) is the documented inventory of every processing activity in your organization — categories of personal data, purposes, recipients, retention periods, transfers outside the EEA, and security measures. Article 30(1) applies to controllers; Article 30(2) applies to processors. Both are required to be 'in writing, including in electronic form.' Supervisory authorities ask for the ROPA first when investigating any complaint or breach. RiskWatch maintains the ROPA as a living document with field-level change history, auto-linked to DPIAs, processor agreements, and lawful bases — so the ROPA stays current as products launch, vendors onboard, and data flows change.

How does the DPIA threshold engine work?

Article 35 requires a Data Protection Impact Assessment when processing is 'likely to result in a high risk' to data subjects. The European Data Protection Board's WP248 guidelines list 9 criteria — if a processing activity meets two or more, a DPIA is mandatory. Examples include systematic large-scale evaluation of personal aspects, processing special categories at scale, systematic monitoring of public areas, processing of children's data, and use of new technologies. RiskWatch's DPIA threshold engine runs the 9-criteria test against every ROPA record, auto-triggers a DPIA when 2+ criteria hit, walks through the EDPB-aligned methodology, and routes residual-risk findings to the DPO for sign-off.

How does the 72-hour breach clock work?

Article 33(1) requires the controller to notify the supervisory authority of a personal data breach within 72 hours of becoming aware. 'Aware' is interpreted strictly — supervisory authorities expect notification when there is reasonable certainty that a breach occurred, not after full forensic investigation. RiskWatch's breach playbook timestamps the awareness moment, walks through the four-factor risk assessment (likelihood, severity, identifiability, special categories), produces the supervisory-authority notification template with all Article 33(3) required information, and tracks individual notification under Article 34 if the risk is high. The full audit trail is captured for the supervisory authority's follow-up.

How does DSAR fulfillment work?

Articles 15–22 give data subjects rights including access (Art. 15), rectification (Art. 16), erasure / right to be forgotten (Art. 17), restriction (Art. 18), portability (Art. 20), and objection (Art. 21). Each request must be fulfilled within one month of receipt (extendable to three months for complex requests). RiskWatch's DSAR workflow tracks the clock per request, queues identification (matching the subject to records across your data systems), captures evidence of fulfillment, produces the response package, and logs the audit trail for supervisory review. Subject identification is the typical bottleneck — RiskWatch integrates with your data systems to surface relevant records automatically.

Does the platform support GDPR + UK GDPR + CCPA + LGPD simultaneously?

Yes — but cross-framework mapping lives on the /compliance-frameworks/ hub rather than on this page. RiskWatch maps every GDPR article to its counterpart in UK GDPR, CCPA/CPRA, LGPD, PIPEDA, Australian Privacy Act, and ISO 27701 — so a single processing record is evaluated against all applicable laws automatically. Privacy programs running 4+ regimes typically reduce duplication by 60–70%. See the hub page for the full crosswalk.

Is there a free trial?

Yes. The 30-day free trial requires no credit card and includes full access — every GDPR article, the living ROPA, DPIA workflows, DSAR queue, breach playbook, lawful-basis tracker, and cross-framework mapping. You can run a real GDPR readiness assessment against your own organization and decide before purchasing.

Ready to make your ROPA living?

Build your Article 30 ROPA this week.

Start a 30-day free trial — every article, the living ROPA, DPIA threshold engine, DSAR queue, the 72-hour breach playbook. No credit card required.

No credit card required · 30-day free trial · Cancel anytime