The essentials in 30 seconds
- The RoPA inventories every activity in which you process personal data.
- It is the starting point of compliance: without it you cannot assign lawful bases or assess risks.
- It is a core piece of accountability and one of the first things an audit requests.
- At a minimum, it must have 9 columns (you'll see them below).
- The hard part is not creating it, but keeping it alive: someone must update it when a process changes.
If you could only do one thing to start complying with Law 21.719, it would be this: knowing what data you process. You cannot protect —or declare to the Agency— what you don't know you have. That inventory, kept orderly and current, is the Records of Processing Activities (RoPA). It is part of the compliance checklist (front no. 2) and is the foundation everything else rests on.
What the RoPA is
The Records of Processing Activities is the document that lists, one by one, the activities in which your organization processes personal data —from the employee payroll to the website contact form— and describes, for each one, what data it involves, for what purpose, on which lawful basis, with whom it is shared and how it is protected. It is, in practice, the map of your data.
Is the RoPA mandatory?
Keeping records of processing activities is a core piece of the accountability that Law 21.719 requires: the principle that complying is not enough — you must be able to prove it. Maintaining a current RoPA is how you demonstrate to the Agency what data you process and under what conditions — and it is usually one of the first documents requested in an audit. In other words: even if you don't think of it as “a mandatory formality,” without a RoPA there is no demonstrable compliance.
Which columns it must have (field template)
A useful RoPA has, at a minimum, these columns. You can start with a spreadsheet using this structure:
| Field | What to record |
|---|---|
| Activity / process | Name of the processing activity (e.g. “Payroll management,” “Email marketing”). |
| Purpose | What the data is used for in that activity. |
| Data categories | Identification, contact, financial, health, biometric… and whether there is sensitive data. |
| Categories of data subjects | Customers, employees, applicants, suppliers, website users. |
| Lawful basis | What enables the processing (consent, contract, legal obligation, etc.). |
| Recipients / processors | Who accesses it: internal areas and third parties (vendors, cloud). |
| International transfers | Whether the data leaves Chile and under what guarantee. |
| Retention period | How long it is kept and when it is deleted. |
| Security measures | Controls applied (access, encryption, pseudonymization). |
How to build it step by step
- Identify the areas that process data: HR, sales, marketing, finance, support, IT. Interview each one.
- List the activities of each area (one row per activity). Don't aim for perfection: aim for coverage.
- Complete the 9 columns for each activity. Where you don't know the lawful basis, flag it as pending and resolve it later.
- Flag sensitive data and international transfers: they carry the highest risk and demand the most attention.
- Detect the gaps: processing without a basis, without a retention period or with third parties lacking a contract (DPA). That is your remediation list.
- Assign an owner to maintain the RoPA and a review frequency.
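One way to run the gap-detection step over a RoPA exported from the spreadsheet as CSV. This is an added example, not part of the original page; the "pending" marker, the sample rows and the name `find_gaps` are assumptions. It covers only gaps that map to the nine columns; contract (DPA) status has no column in the template and is not checked.

```python
import csv
import io

# The nine minimum columns from the field template above.
ROPA_COLUMNS = [
    "Activity / process", "Purpose", "Data categories",
    "Categories of data subjects", "Lawful basis",
    "Recipients / processors", "International transfers",
    "Retention period", "Security measures",
]

# Assumed convention: an unknown value is left empty or written "pending".
PENDING = {"", "pending"}

# Constructed sample export (not real data).
SAMPLE = """\
Activity / process,Purpose,Data categories,Categories of data subjects,Lawful basis,Recipients / processors,International transfers,Retention period,Security measures
Payroll management,Pay salaries,"Identification, financial",Employees,Legal obligation,HR; payroll vendor,No,6 years,Access control; encryption
Email marketing,Send promotions,Contact,Customers,pending,Marketing; email platform,Yes,,Access control
"""


def find_gaps(csv_text):
    """Return (missing_columns, remediation) for a RoPA in CSV form.

    remediation maps each activity to the template columns that are
    empty or still marked pending: the remediation list.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    header = [h.strip() for h in (reader.fieldnames or [])]
    missing_columns = [c for c in ROPA_COLUMNS if c not in header]
    remediation = {}
    for row in reader:
        # Short rows yield None values; extra cells land under a None key.
        cells = {k.strip(): (v or "").strip()
                 for k, v in row.items() if k is not None}
        name = (cells.get("Activity / process")
                or f"(unnamed, line {reader.line_num})")
        gaps = [c for c in ROPA_COLUMNS
                if c in header and cells[c].lower() in PENDING]
        if gaps:
            remediation[name] = gaps
    return missing_columns, remediation


if __name__ == "__main__":
    print(find_gaps(SAMPLE))
```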
Common mistakes
- Doing it once and filing it away. An outdated RoPA is almost as bad as not having one.
- Forgetting the “invisible” processing activities: security cameras, website cookies, spreadsheets on personal computers, old forms.
- Confusing purpose with lawful basis. The purpose is the “what for”; the basis is the “what legally allows it.”
- Not recording the processors (vendors that process data on your behalf): they remain your responsibility.
How to keep it alive
The RoPA is not a one-time deliverable: every time a process is created, a vendor is hired or a campaign is launched, it should be updated. The healthiest approach is to embed it into operations —so that opening a new processing activity includes “update the RoPA” as a step— and to review it periodically. In organizations with many processing activities, a specialized tool helps sustain traceability and generate evidence for the Agency.
Frequently asked questions
What are the Records of Processing Activities (RoPA)?
It is the document that inventories every activity in which the organization processes personal data: what data, for what purpose, on which lawful basis, with whom it is shared and with what security measures. It is the foundation on which the entire Law 21.719 compliance program rests.
Is the RoPA mandatory?
Keeping records of processing activities is a core piece of the accountability the law requires. Keeping it current is how you demonstrate to the Agency what data you process and under what conditions, and it is usually one of the first documents requested in an audit.
Which columns must a RoPA have?
At a minimum: activity or process, purpose, data categories, categories of data subjects, lawful basis, recipients and processors, international transfers, retention period and security measures.
Can the RoPA be built in an Excel spreadsheet?
Yes, a spreadsheet works to get started and for small organizations. The challenge is not the format but keeping it alive: it must be updated when a process changes. In organizations with many processing activities, a specialized tool makes traceability and evidence easier.