ROPA stands for Record of Processing Activities.
Article 30 of the GDPR requires you to maintain a record of processing activities.
You will be required to produce this, if requested by the supervisory authority, e.g. the Information Commissioner’s Office (ICO) in the UK; the Data Protection Commission (DPC) in Ireland.
The ROPA must include a comprehensive overview of processing activities you undertake. The ROPA lists every single processing activity, describing the exact usage of the data, the technical and organisational measures that have been put in place for the protection of the data. It shows who is affected by data processing, the recipient of data processed and any other data processors. The ROPA should also include a risk analysis.
A ROPA demonstrates your organisation’s GDPR compliance and so it is essential that it is well-managed and organised.