Generate Your Processing Register from Your GDPRWise Dossier

Your dossier is your register

The record of processing activities (ROPA) is one of the most important documents under the GDPR. The supervisory authority can request it at any time, and you need it to demonstrate that you know which personal data you process and why.

The problem? Most business owners don’t know where to start. Which processing activities do I have? Which data belongs to each? What are the correct legal bases?

GDPRWise takes a different approach. Instead of asking you to build a register from scratch, you manage your GDPR dossier - customer processes, staff processes, and third parties - and GDPRWise assembles the register from that data. The register is an output of your dossier, not a separate exercise.

Where the data comes from

Your processing register draws from three sources within GDPRWise:

Customer dossier. Every business process you document that touches customer data becomes a line in your register. Your CRM, email marketing, order processing, contact forms, website analytics - each one is a processing activity with its purpose, legal basis, and data categories.

Staff dossier. Payroll, HR administration, sick leave tracking, performance reviews, access management - these are processing activities too, and they belong in your register. Many businesses forget this part entirely.

Third-party dossier. Every external service that processes personal data on your behalf is recorded as a recipient in the relevant processing activities. Your hosting provider, email tool, CRM platform, accountant - they all appear in the register as recipients of data.

The website scan contributes by detecting third parties, cookies, and trackers connected to your site. But the scan is a starting point, not the whole picture. The real completeness comes from managing your dossiers.

What the register contains

Each processing activity in your generated register includes the mandatory Article 30 fields:

• Purpose - why do you process this data? (e.g., “sending newsletters”)
• Legal basis - on what legal ground may you do this? (e.g., consent, legitimate interest, contract)
• Categories of personal data - which data do you process? (e.g., email address, name, IP address)
• Categories of data subjects - whose data is it? (e.g., customers, website visitors, employees)
• Recipients - with whom do you share the data? (e.g., Mailchimp, Google Analytics)
• Retention period - how long do you keep the data?
• Security measures - how do you protect the data?

All of this is drawn from what you have already documented in your dossiers. No duplicate data entry.

Generate and export

When you are ready, go to the GDPR documents screen and generate your processing register. The export is a professionally formatted PDF that you can present to the supervisory authority, an auditor, or share with your accountant.

The PDF always reflects the current state of your dossiers. Update a process, add a third party, or change a retention period in your dossier, then regenerate - and your register is current.

Keep it current

Your processing register is only valuable if it reflects reality. As your business changes - new tools, new processes, new staff activities - update your dossiers in GDPRWise and regenerate the register. Because the register is assembled from your dossiers, keeping it current is not a separate task. It is a natural result of maintaining your dossier.