runbookify

Records of Processing Activities (RoPA) Register: Your Article 30 Record, Built and Maintained

Collect processing activities from your department owners, let AI structure them into proper RoPA fields and flag the gaps, then have the privacy officer approve each record before it's published — and re-confirm it on schedule.

Level: Intermediate · Time: a weekend · Builds on: Next.js, Supabase, Resend
What you'll build

A web tool where department owners submit their processing activities; AI structures each one into the required RoPA fields and flags missing legal basis, undefined retention, and cross-border transfers; the privacy officer reviews and approves each record; and the tool publishes the official RoPA, schedules periodic owner re-confirmation, and exports a regulator-friendly CSV.


Before you start

  • A Supabase account (free)
  • A Vercel account (free)
  • A Resend account (free)
  • Your list of departments / processing owners
  • Any existing processing inventory, questionnaire, or data map (CSV/Sheet) you already have
  • Claude Code or any AI coding agent

The problem this kills

If you're a DPO or privacy lead, your Records of Processing Activities live somewhere awful: a sprawling spreadsheet with forty tabs, a Word doc someone last touched in 2023, or a folder of half-finished questionnaires you chased department heads for and never quite got back. Every time a regulator, a customer's security team, or an auditor asks for your Article 30 record, you scramble to reconcile what's actually true against what's written down.

The hard part isn't the format — it's the maintenance. Activities change, vendors get swapped, a new tool starts collecting a new data category, and nobody tells you. Half your records are missing a legal basis, the retention column says "TBD," and you genuinely don't know which activities push personal data outside your region without a transfer safeguard. You don't need a six-figure GRC platform to fix this, and you don't need to be a developer.

What you'll build

A simple internal web tool. Department owners log in and submit their processing activities through a guided questionnaire (or you bulk-import the inventory you already have from a CSV or Sheet). For each activity, AI structures the answer into proper RoPA fields — purpose, data categories, categories of data subjects, legal basis, recipients, international transfers, retention period, and the systems and vendors involved — and flags the gaps: missing legal basis, undefined retention, and cross-border transfers that need a safeguard. The privacy officer opens a clean review queue, checks each record (especially legal basis and transfers), and clicks Approve. Only approved records go into the official published RoPA. The tool then schedules periodic re-confirmation so owners re-attest their activities on a cadence, and exports the whole register as a regulator-friendly CSV.

What's inside the Implementation Plan

The downloadable plan is a step-by-step file you paste into an AI coding agent. It opens by interviewing you about your organization — how you collect processing activities today, who your department owners are, which systems and vendors map to which activities, the exact field names and wording your jurisdiction expects (GDPR Article 30, UK GDPR, or another regime), your legal-basis vocabulary, your transfer mechanisms, your re-confirmation cadence, and your messy edge cases — and then it tailors the data model, the gap checks, and every later step to your answers. This is not a generic template; the agent reflects a short spec back to you and waits for your thumbs-up before it builds anything. From there it walks the agent through the owner questionnaire, the AI structuring-and-gap-flagging logic, the privacy-officer review-and-approve queue, the publish step, the periodic re-confirmation scheduler, and the regulator-friendly export — each step with a ready-to-copy prompt. There's also a fallback so you can build and run the whole thing today with just spreadsheets in and a clean CSV out.

The governance it includes (this is the point)

This is a compliance artifact, so it ships with the controls a privacy function needs: login so only your team and your activity owners can use it, row-level security so each organization (and, if you want, each department) only sees its own records, a complete audit trail of who submitted, edited, approved, and re-confirmed each activity and when, a hard human-approval gate so nothing enters the official RoPA until the privacy officer signs off — with special attention to legal basis and international transfers — and duplicate guards keyed on a stable activity ID so the same activity can't be recorded twice. Missing legal basis, undefined retention, and unguarded cross-border transfers are flagged and block approval instead of quietly slipping into your register.
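What the gap checks described under "What you'll build" and the controls listed above look like on the Supabase/Postgres side, as an added example rather than code from the runbookify plan. Table, column and role names, the gap vocabulary and the yearly re-confirmation cadence are assumptions; the block relies on Supabase's auth.uid() and, for the published view, Postgres 15 or later.

```sql
-- Added example (not code from the runbookify plan): a Supabase/Postgres sketch of the controls
-- above. Table, column, role and cadence values are assumptions; it relies on Supabase's auth.uid().
create table org_members (
  org_id uuid not null, user_id uuid not null,   -- user_id is the Supabase auth user id
  department_id uuid,                            -- null for privacy officers
  role text not null check (role in ('owner', 'privacy_officer')),
  primary key (org_id, user_id)
);
create table processing_activities (
  id                  uuid primary key default gen_random_uuid(),
  org_id              uuid not null,  department_id uuid not null,
  activity_key        text not null,   -- stable human-assigned ID, e.g. HR-PAYROLL-01
  purpose             text not null,
  data_categories     text[] not null default '{}',
  legal_basis         text,            -- null or blank = gap
  retention_period    text,            -- null, blank or 'TBD' = gap
  transfers_outside_region boolean not null default false,
  transfer_safeguard  text,            -- e.g. 'SCCs'; required when transfers_outside_region
  status              text not null default 'draft' check (status in ('draft', 'submitted', 'approved')),
  approved_by         uuid,            approved_at timestamptz,
  last_reconfirmed_at timestamptz,     next_reconfirm_at timestamptz
);
-- Duplicate guard: one record per stable activity ID per organization.
create unique index processing_activities_org_key on processing_activities (org_id, activity_key);

-- Gap flags are derived from the record itself, so they cannot drift from what is stored.
create or replace function ropa_gaps(legal_basis text, retention text, xborder boolean, safeguard text)
returns text[] language sql immutable as $$
  select array_remove(array[
    case when coalesce(trim(legal_basis), '') = '' then 'missing_legal_basis' end,
    case when upper(coalesce(nullif(trim(retention), ''), 'TBD')) = 'TBD' then 'undefined_retention' end,
    case when xborder and coalesce(trim(safeguard), '') = '' then 'unguarded_transfer' end
  ]::text[], null)
$$;

-- Hard approval gate: an approved record never carries an open gap; only a privacy officer can approve.
create or replace function enforce_ropa_gate() returns trigger language plpgsql as $$
declare gaps text[];
begin
  if new.status = 'approved' then
    gaps := ropa_gaps(new.legal_basis, new.retention_period,
                      new.transfers_outside_region, new.transfer_safeguard);
    if cardinality(gaps) > 0 then
      raise exception 'cannot approve %: open gaps %', new.activity_key, gaps;
    end if;
    if tg_op = 'INSERT' or old.status is distinct from 'approved' then   -- the approval transition
      if not exists (select 1 from org_members m where m.org_id = new.org_id
                     and m.user_id = auth.uid() and m.role = 'privacy_officer') then
        raise exception 'only a privacy officer can approve a RoPA record';
      end if;
      new.approved_by := auth.uid();
      new.approved_at := now();
      new.next_reconfirm_at := now() + interval '12 months';  -- assumed yearly re-confirmation cadence
    end if;
  end if;
  return new;
end $$;
create trigger processing_activities_gate before insert or update on processing_activities
  for each row execute function enforce_ropa_gate();

-- Audit trail: who submitted, edited, approved or re-confirmed each activity, and when.
-- security definer lets the trigger append rows that users cannot insert or change themselves.
create table processing_activity_audit (
  id bigserial primary key, activity_id uuid not null, org_id uuid not null, actor uuid,
  action text not null, before_row jsonb, after_row jsonb, at timestamptz not null default now()
);
create or replace function audit_ropa_change() returns trigger
language plpgsql security definer set search_path = public as $$
declare act text;
begin
  if tg_op = 'INSERT' then act := 'submitted';
  elsif new.status = 'approved' and old.status is distinct from 'approved' then act := 'approved';
  elsif new.last_reconfirmed_at is distinct from old.last_reconfirmed_at then act := 'reconfirmed';
  else act := 'edited';
  end if;
  insert into processing_activity_audit (activity_id, org_id, actor, action, before_row, after_row)
  values (new.id, new.org_id, auth.uid(), act,
          case when tg_op = 'UPDATE' then to_jsonb(old) end, to_jsonb(new));
  return null;
end $$;
create trigger processing_activities_audit after insert or update on processing_activities
  for each row execute function audit_ropa_change();

-- Row-level security: users see only their own organization, owners only their own department.
-- A FOR ALL policy with only USING applies the same rule to inserts and updates.
alter table org_members enable row level security;
alter table processing_activities enable row level security;
alter table processing_activity_audit enable row level security;
create policy members_self on org_members for select using (user_id = auth.uid());
create policy ropa_tenant_isolation on processing_activities for all
  using (exists (select 1 from org_members m where m.org_id = processing_activities.org_id
                 and m.user_id = auth.uid()
                 and (m.role = 'privacy_officer' or m.department_id = processing_activities.department_id)));
create policy audit_officer_read on processing_activity_audit for select
  using (exists (select 1 from org_members m where m.org_id = processing_activity_audit.org_id
                 and m.user_id = auth.uid() and m.role = 'privacy_officer'));

-- Publish step: only approved records. security_invoker (Postgres 15+) applies the caller's RLS
-- to the view instead of the view owner's privileges.
create view published_ropa with (security_invoker = true) as
  select activity_key, purpose, data_categories, legal_basis, retention_period,
         transfers_outside_region, transfer_safeguard, approved_at, next_reconfirm_at
  from processing_activities where status = 'approved';
```

With this in place the privacy officer's review queue is a query over status = 'submitted' that selects ropa_gaps(legal_basis, retention_period, transfers_outside_region, transfer_safeguard) alongside each row, the regulator-friendly CSV is an export of published_ropa, and the re-confirmation scheduler only has to find rows whose next_reconfirm_at has passed and e-mail their owners. Two points worth keeping in mind: putting the gap check and the officer check in a database trigger means they hold even if the Next.js code is bypassed through the Supabase API, and this sketch still lets an owner edit a record that is already approved; if you want every edit to go back through the officer, set new.status to 'submitted' in the gate trigger whenever a non-officer touches an approved row.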

Who it's for

DPOs, privacy officers, and compliance leads who have to maintain a living processing inventory and are tired of herding spreadsheets and chasing department owners by email. If you can describe what an Article 30 record needs to contain and who owns each activity, you can build this.

You've got this — start with the plan, paste the first prompt, answer the interview, and you'll watch your first structured, gap-flagged RoPA records take shape the same afternoon.
