Glossary term
Governance and Compliance
A privacy governance record describing personal-data processing activities, purposes, categories, recipients, transfers, retention, and safeguards. AI use cases should trigger a ROPA update whenever personal data is processed, including for shadow AI, embedded vendor AI, and GenAI logging.
GDPR Article 30 requires controllers and processors to maintain a ROPA, with limited exemptions for organizations with fewer than 250 employees.
OneTrust, TrustArc, and Privado AI provide ROPA management modules used to track AI-related processing activities.
The EDPB Guidelines 02/2024 on processors include guidance on ROPA updates when introducing new AI processing.