AI for DPO: Record of Processing Activities Fill Case Study

The record of processing activities (RoPA) is mandatory under Article 30 GDPR. This register provides documented evidence of every process in the organisation in which personal data is used. It is usually the first task that most Data Protection Officers (DPOs) have to complete. This article discusses how to create this document using AI technologies.

Main Problems in Filling the RoPA

DPOs face many challenges when building a register of personal data processing. These challenges arise both when you first develop the RoPA and when you maintain it.

The most difficult task in the first six months of data protection implementation is to gather initial information about all business processes that use personal data.

In particular, we need to list the purposes of the processing activities, the categories of personal data, all processors, controllers and information systems, the categories of data subjects, and so on. However, the employees we ask about the processing they carry out often answer incompletely or in generalised terms. This happens for several reasons:

● firstly, they struggle to clearly define processing objectives;

● secondly, they lack the knowledge to understand our question, for example, they do not know what personal data is;

● thirdly, they may simply have no time for our request because of heavy workloads, pressing deadlines and the low priority their line management gives to compliance.

At Data Privacy Office Europe, we have tried to solve this documentation challenge by offering our clients a catalogue of over 400 processing purposes. We integrated this catalogue into our own Notion RoPA template and started providing it to clients and to attendees of our Global Data Privacy Manager and AI Tools for DPO courses. This allowed clients to select the purposes that were present in their business processes. It partially solved the problem of collecting information about purposes, but created a new one: the wording of the purposes remains too short and people interpret them in different ways. In addition, filling in the other fields (data categories, data recipients, categories of data subjects, retention periods) remains a challenge. This information could be provided by the specialist or department responsible for the business process, but they are hard to identify. As a result, the fields for data categories are left blank.

We must also list all data recipients (processors, joint controllers, third parties) or their categories. Data processors are often the cloud platforms on which we store or otherwise process personal data. This is where DPOs face another challenge: as non-experts in the business process, we often have no idea which cloud platforms our marketers, engineers or HR specialists typically use, nor can we find the right words to formulate leading questions. It therefore helps to know from the outset what this type of system is called. Knowing the type, we can ask a leading question during employee interviews: ‘Do we use a cloud-based [type of information system]?’

For example, we can ask a web developer: “Do we use a cloud-based CMS or a website builder like Tilda?” and we are likely to get a specific answer, because the webmaster knows what a CMS (Content Management System) is and knows which one he works with most of the time.

Another task is to choose the right legal basis for the jurisdiction. To choose a lawful basis in the EU, you need to understand the risks that the processing entails for data subjects; to do this, you need to understand the stages of the processing and be aware of the most common privacy violations in this business process. After all, the choice between legitimate interest and consent is a question of balancing the business interests on one side against the rights and interests of the data subject on the other, and the higher the risk arising from a particular processing, the more weight the data subject’s interests carry.

AI-solution for Record of Processing Activities

As you have probably already guessed from the title, LLMs (large language models) will help us with all of this. We have developed the following prompt:

Act as an experienced expert in the following business process: [Process]

You have just received a request from the Data Protection Officer, who needs to gain a general understanding of this process. The DPO is going to extract information from the text that you provide. The DPO will include this information in the Register of Processing Activities (RoPA) in accordance with Article 30 of the General Data Protection Regulation. Please write a description of the process with chapters covering the points listed below.

Points

— General description of the business process: Explain what this process is about and why companies need it.

— The stages (steps) of this process: Describe the typical stages of this process.

— Personal data used in the process and its purpose: List all possible types/categories of personal data that are usually used in such a process. What is each of them used for (purpose)? Your output should be a table with columns for the category of personal data and the purpose.

— How long does it usually take for the process to complete?

— List types of data processors (incl. cloud services) with a few examples for each of the types/categories.

— Company departments involved in the process: List the departments or functions that are usually involved in this process with explanation in what way they are usually involved in the process.

— Privacy risks and known violations of the GDPR related to the processing: List and describe possible privacy risks for rights and freedoms of data subjects (not the company). To illustrate the risks, add information about real court cases, data protection supervisory authority decisions or complaints regarding this process.

— Fines and other regulatory actions: List all cases when data protection regulators investigated a company in connection with this process. Provide information on fines and sanctions and links to these decisions.

Output should be in Markdown since it will be pasted into Notion.so page

Output all lists in your output as a table. Make sure that you add columns for any additional parameters related to the items.

All points must be separate paragraphs with h2 headings.

The prompt consists of four components, which are highlighted in different colours in the original: Persona (green: the opening “Act as an experienced expert…” line), Context (yellow: the paragraph describing the DPO’s request and the RoPA), Instruction (pink: the list of points) and Format (blue: the Markdown, table and heading requirements at the end).

You can read more about the prompt elements and learn how to use them in the AI Tools for DPO course, but in brief: ‘Instruction’ tells the model what to do; ‘Context’ cuts off irrelevant information and narrows the answer down to what is needed; ‘Persona’ influences the tone and terminology chosen; ‘Format’ makes further processing of the answer easier.
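The four components above can be assembled mechanically, and the ‘Format’ rule (Markdown, tables, h2 headings) is what makes the reply machine-readable. The following is an added example, not code from the article or from Data Privacy Office Europe: it builds the prompt from the four components (the wording is paraphrased, not the page’s exact text), parses a constructed sample reply into draft RoPA fields, and collects every cited case, fine or link into an “unverified” list that a human must check before anything reaches the RoPA or a DPIA. The sample reply, the URL in it and all helper names are constructed for the example.

```python
"""Added example: four-part RoPA prompt builder and a parser for the model's Markdown reply.
All helper names, the sample reply and the URL in it are constructed, not taken from the article."""
import re
from dataclasses import dataclass, field

# Prompt components (paraphrased wording of the article's prompt, not its exact text).
PERSONA = "Act as an experienced expert in the following business process: {process}"
CONTEXT = ("You have just received a request from the Data Protection Officer, who needs a general "
           "understanding of this process to complete the Register of Processing Activities (RoPA) "
           "under Article 30 GDPR. The DPO will extract information from your text.")
INSTRUCTION_POINTS = [
    "General description of the business process",
    "The stages (steps) of this process",
    "Personal data used in the process and its purpose (table: category, purpose)",
    "How long the process takes and how long each data category is kept",
    "Types of data processors (incl. cloud services) with examples (table)",
    "Company departments involved in the process (table)",
    "Privacy risks and known violations of the GDPR related to the processing (table)",
    "Fines and other regulatory actions, with links to the decisions (table)",
]
FORMAT = "Output in Markdown. Output all lists as tables. Every point is a separate section with an h2 heading."


def build_prompt(process: str) -> str:
    """Persona + Context + Instruction + Format, in that order."""
    points = "\n".join(f"- {p}" for p in INSTRUCTION_POINTS)
    return "\n\n".join([PERSONA.format(process=process), CONTEXT, "Points:\n" + points, FORMAT])


@dataclass
class RopaDraft:
    process: str
    data_categories: list = field(default_factory=list)  # (category, purpose)
    processors: list = field(default_factory=list)       # (type, examples)
    departments: list = field(default_factory=list)      # (department, role)
    unverified: list = field(default_factory=list)       # cases, fines, links: check by hand


def split_sections(markdown: str) -> dict:
    """Map each '## heading' to the text under it (the Format rule guarantees h2 headings)."""
    sections, heading, buf = {}, None, []
    for line in markdown.splitlines():
        if line.startswith("## "):
            if heading is not None:
                sections[heading] = "\n".join(buf)
            heading, buf = line[3:].strip(), []
        elif heading is not None:
            buf.append(line)
    if heading is not None:
        sections[heading] = "\n".join(buf)
    return sections


def parse_table(text: str) -> list:
    """Body rows of the first Markdown pipe table as lists of cells (header and separator dropped)."""
    rows = []
    for line in text.splitlines():
        if not line.strip().startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if all(re.fullmatch(r":?-+:?", c) for c in cells):  # |---|---| separator line
            continue
        rows.append(cells)
    return rows[1:]


def find_section(sections: dict, *keywords: str) -> str:
    """Headings vary between runs, so match on keywords rather than exact titles."""
    for heading, body in sections.items():
        if all(k in heading.lower() for k in keywords):
            return body
    return ""


def draft_from_reply(process: str, markdown: str) -> RopaDraft:
    draft = RopaDraft(process=process)
    sections = split_sections(markdown)
    draft.data_categories = [tuple(r[:2]) for r in parse_table(find_section(sections, "personal data"))]
    draft.processors = [tuple(r[:2]) for r in parse_table(find_section(sections, "processor"))]
    draft.departments = [tuple(r[:2]) for r in parse_table(find_section(sections, "department"))]
    # Court cases, fines and links are the part most prone to hallucination: keep them out of the
    # RoPA fields and queue every row, plus every URL anywhere in the reply, for manual verification.
    for key in ("risk", "fine"):
        draft.unverified += [" | ".join(r) for r in parse_table(find_section(sections, key))]
    draft.unverified += [u for u in re.findall(r"https?://\S+", markdown)
                         if not any(u in item for item in draft.unverified)]
    return draft


# Constructed sample reply in the requested format (not real model output; the URL is fictitious).
SAMPLE_REPLY = """\
## General description of the business process
The marketing email process involves the creation, distribution and tracking of promotional emails.

## Personal data used in the process and its purpose
| Category of Personal Data | Purpose |
|---|---|
| Email addresses | Delivery of marketing materials and communication |
| Interaction history (clicks, opens) | Campaign performance analysis and optimisation |

## Types of data processors
| Type of Data Processor | Examples |
|---|---|
| Email Service Providers | Mailchimp, SendGrid |

## Company departments involved in the process
| Department | Role |
|---|---|
| Marketing | Leads campaign planning and content creation |

## Fines and other regulatory actions
| Company | Fine | Link |
|---|---|---|
| British Airways | £20 million | https://example.invalid/ba-decision |
"""

if __name__ == "__main__":
    print(build_prompt("marketing emails"))
    print(draft_from_reply("Marketing emails", SAMPLE_REPLY))
```

The `unverified` list is the important design choice: data categories, processor types and departments are hints the business-process owner will confirm anyway, but a cited decision or fine that is wrong will be copied into a DPIA or a board presentation as fact, so the parser never places those rows in a RoPA field.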

Want to test AI in your DPO work right now?

We’ve prepared a collection of ready-to-use prompts — tailored for DPO tasks: from drafting RoPA to analyzing privacy notices and DPIA templates.

As an example, here is an answer that ChatGPT produced with GPT-3.5, not even the most advanced model at the time. The original article shows screenshots of the general description of the business process, the types of data processors, and the privacy risks and GDPR violations; the relevant content is reproduced below.

Thus, in a couple of clicks the Data Protection Officer gets:

    1. a business process description that helps you and your colleagues navigate the RoPA. In our example: The marketing email process involves the creation, distribution, and tracking of promotional or informational emails sent by companies to current or prospective customers…
    2. Options for formulating purposes. In the example: … to communicate offers, updates, and news to their target audience, aiming to build brand awareness, drive sales, and foster customer relationships.
    3. Process steps, which may contain hints about additional processing, data categories and processors. In the example: Recipient Segmentation: Categorizing recipients based on demographics or behaviours. Email Distribution: Sending emails through designated platforms. Monitoring and Analysis: Tracking open rates, click-through rates, and other engagement metrics…
    4. Data categories mapped to processing purposes.

For example:

Category of Personal Data | Purpose
Email addresses | Delivery of marketing materials and communication
Names | Personalization of emails
Demographic information (age, gender, location) | Targeted segmentation and content customization
Purchase history | Tailored offers based on past behavior
Interaction history (clicks, opens) | Campaign performance analysis and optimization

5. A hint about possible retention periods. Unfortunately, because of the limited material the LLM was trained on, this part of the prompt rarely gives a quality result (in our example it did), but you should not pass up the chance to get a hint. If you extend this part of the prompt with the question “How long are the categories of personal data mentioned in your output kept for the purposes of this process?”, the answer may be better:

    • The time to complete a marketing email campaign can range from a few days to several weeks, depending on campaign complexity. Personal data, such as email addresses and interaction history, is typically retained for the duration of the campaign and may be kept for a longer period for analysis or future marketing efforts.

6. Types of data processors and examples.

AI answer for the example above:

Type of Data Processor | Examples
Email Service Providers | Mailchimp, SendGrid
Customer Relationship Management (CRM) Systems | Salesforce, HubSpot
Analytics Platforms | Google Analytics, Adobe Analytics
Cloud Storage Services | Google Drive, Dropbox

7. An understanding of which department or division to contact for information about this processing, and who is likely to be the owner of the business process, i.e. the person responsible for data minimisation, purpose limitation, timely erasure and the other data processing principles.

For the above example:

Marketing: Leads campaign planning and content creation.

IT/Operations: Manages email distribution platforms and data integration.

Legal/Compliance: Ensures email communications adhere to data protection regulations.

Sales/Customer Service: Collaborates on campaign strategy and leverages customer data.

8. A compilation (albeit incomplete) of privacy risks, which is a good starting point for a Legitimate Interest Assessment (LIA) or a Data Protection Impact Assessment (DPIA).

Example:

    • Unsolicited Emails: Sending emails without proper consent can breach GDPR (e.g., Planet49 case in Germany).
    • Data Breaches: Mishandling of personal data leading to unauthorised access (e.g., British Airways’ GDPR fine for a data breach).
    • Lack of Consent Management: Inadequate opt-in/opt-out processes (e.g., Vodafone Spain’s GDPR fine for spam email practices).

9. Examples of penalties. The AI produces an incomplete list and is often wrong, but it can surface very relevant cases that DPOs can use to persuade the business to move to more ethical and secure practices.

A sample response to our prompt:

Several companies have faced regulatory scrutiny related to marketing email processes:

    • British Airways: Fined £20 million for failing to protect personal and financial data in a cyber-attack.
    • Vodafone Spain: Fined €75,000 for sending unsolicited marketing communications.
    • For detailed information on fines and decisions, refer to British Airways Fine and Vodafone Spain

Limitations of this method

This method, while effective, cannot be the only step in populating the RoPA with information about data processing. In practice, the list of data categories, processing purposes and associated risks is much broader than what the model can produce. Business process owners must not only verify but also complete the processing records to ensure that the information is complete and accurate. It is also important to account for hallucinations: every court case, supervisory authority decision, fine amount and link the model cites must be checked against the authority’s own published decision before it is relied on in the RoPA, a LIA or a DPIA.

Conclusion

In summary, the RoPA (Record of Processing Activities) is a mandatory document under Article 30 of the GDPR. The main challenges in completing it relate to defining the purposes of the processing, the categories of data, the processors and information systems, the categories of data subjects, and so on. Large language models (LLMs) can help with these problems by providing a detailed description of the business process, including the process steps, the personal data used and its purposes, process and retention timelines, types of data processors with examples, the company departments involved, the privacy risks and GDPR violations associated with the processing, and fines and other regulatory actions.

Everything you've read above can be repeated — and customized to suit your needs.

The AI Tools for DPO course will provide you with templates, practice, and tools that make AI truly time-saving. No extras. Only what works.
