Records of Processing Activities

Harbor cooperation between DPO, Legal Services, IT and Marketing, divide their responsibilities and conquer GDPR! Enable your team to work together towards compliance, minimize the risks and maximize your efficiency!


Keeping a compliant Records of Processing Activities imposes a serious set of challenges that leave companies disheartened, overwhelmed and oftentimes delaying the project waiting for the proper solution.

The main organizational challenge is the lack of cooperation between Data Protection Officer, Legal Services, IT, HR and Marketing, which is understandable given the complexity of the project and the variety of functions and departments involved.

However, without cooperation, there is no division of responsibilities between departments, which means a DPO should possess both technical expertise in order to implement compliance policies and understanding of the data protection laws.

The reality is that the DPO is usually an IT professional or legal expert, not both. Even if there would be a DPO who embodied both expertise, it is almost impossible for one person to have continuous insight into the regulatory segment and the data segment of all the business processes of the company, and the larger the scale the more impossible it gets.

The next challenge is of a technical nature and it is related to the technical execution of keeping the Records of Processing Activities.

The Records represent one of the main compliance pillars, giving the company an overview of procedures and significant information about data processing. Still, the record is usually kept in Excel, which does not offer collaboration function and a DPO cannot track changes made in the document.

Moreover, it is impossible to administer other applicable laws or define data retention policies for each data category, because Excel does not allow you to execute those policies directly onto the appropriate data sets.

These challenges do not allow the company to move forward with the compliance project. If there is no division of responsibility between DPO and other organizational units, the DPO will face the impossible challenge of overseeing all companies’ processes.

On the other hand, if the company has recognized the importance of decentralized data privacy management model and there is a collaboration between departments but there is no proper tool for managing the processes, the DPO will be left without an overview of all processing activities and unable to track changes made by other departments.


Data Privacy Manager facilitates collaboration between DPO, Legal service, IT, HR and Marketing, allowing them to create clearly defined responsibilities that are realistic and consistent with the competencies of each organizational unit.

Division of responsibilities means that a DPO has a continuous insight into the legal, regulatory segment and the data segment of all business processes of the company, advising Marketing and HR during the compliance process, while IT is resolved from in-depth understanding of data protection law and focused on the implementation of the policies.

Data Protection Officer has access to all processing activities and their changes, while other roles can create, edit and (de)activate processing activities. Each processing activity has its owner which indicates who is responsible for updating information related to processing. These functionalities of Data Privacy Manager make the Excel obsolete.

Decentralized data privacy management model seals the DPO as a supervisory and advisory role, while IT, Marketing, HR and other departments take responsibility for their part of the compliance process.

This makes automatization of entire personal data lifecycle possible, which is the only way to be truly compliant considering the amount of data that is being processed, the number of IT systems that process data, and represents the bases for automatization of all further compliance processes.



Facilitates cooperation between DPO, Legal service, IT and Marketing, allowing them to divide their responsibilities, making IT possible for each organizational unit to create clearly defined responsibilities


DPO has access to all processing activities and their changes, while other roles can create, edit and (de)activate processing activities. Each processing activity has its owner in Data Privacy Manager


Data Privacy Manager takes into account different business processes of the company and IT systems where data are processed, creating and propagating the archiving schedule and the data destruction policy with the technical data location information.

Personal Data Lifecycle

Interaction with Data Subjects
  • Contract
  • Consent
Lawfull Processing
Everyday Business
  • Data monetization
  • Services delivery
  • Marketing
Lawful Basis Expiration
  • Contract Expiration
  • RTBF
  • Opt-out
Data Destruction
  • Anonymization
  • Deletion

Business Process
(Original Purposes)

Data Retention
(Purpose change)

No Purpose

Learn how this solution helps your industry

General Data Protection Regulation (GDPR) requires that Organizations processing personal data (Data Controllers and Data Processors) maintain a register of processing activities. According to Article 6 there can be 6 possible lawful basis for personal data processing, and for Organizations to be able to declare a lawful basis for a specific processing activity an assessment needs to be done…

Would you like to continue reading? 

Get the E-book
“We have approached the process of GDPR compliance very seriously and methodically, and we wanted to have a software that will allow us to manage GDPR processes from one central point, which we managed to accomplish with Data Privacy Manager.”

Nikola Murk, Head of IT operations & infrastructure

Data Privacy Manager is available in flexible pricing options for your growing business needs