DPDP ROPA Template

A practical Record of Processing Activities template structured for India's DPDP Act 2023 — with column-by-column guidance, three annotated sample rows, and a downloadable starter file.

What is a ROPA and why does DPDP require it?

A Record of Processing Activities (ROPA) is a structured inventory of every activity in which your organisation processes personal data — what data, for what purpose, on what legal basis, for how long, and with which third parties.

The DPDP Act 2023 does not use the term "ROPA" but the accountability obligations in the Act — particularly for Significant Data Fiduciaries (SDFs) — require precisely this. Under DPDP Rules 2025, SDFs must maintain documentation sufficient to demonstrate compliance with all obligations across each processing activity. Without a ROPA, an SDF cannot complete its Annual DPIA, cannot respond coherently to a Data Protection Board inquiry, and cannot demonstrate the lawful basis for processing to a Data Principal who requests access under §11.

Even non-SDF Data Fiduciaries benefit significantly from a ROPA: it drives DSAR responses, identifies DPIA triggers, and provides the documentation baseline for a Board investigation.

Every ROPA row represents one processing activity. These 13 columns provide full DPDP Act accountability coverage.

01. Processing Activity Name
    Example: Customer onboarding — KYC
    Clear, business-meaningful name for the processing activity

02. Purpose of Processing
    Example: Verify customer identity for account opening as required under PMLA 2002
    Specific purpose — not "business operations" or "regulatory compliance"

03. Lawful Basis (DPDP §6/§7)
    Example: Legal obligation — Banking Regulation Act / PMLA
    One of: Consent (§6), State function (§7a), Legal obligation (§7b–e), Vital interests (§7f)

04. Categories of Personal Data
    Example: Name, address, PAN, Aadhaar (masked), photograph, financial profile
    List every category — be specific about sensitive data types

05. Categories of Data Subjects
    Example: Individual customers (retail banking)
    Who the data relates to — customers, employees, children, visitors, etc.

06. Approximate Volume / Scale
    Example: ~50,000 new records/month; ~2M total active
    Order-of-magnitude — helps SDF threshold assessment and DPIA triggers

07. Retention Period
    Example: 10 years post account closure (PMLA requirement)
    Specific period with legal basis — not "as long as necessary"

08. Data Processors / Vendors
    Example: CKYC Registry (CERSAI), Aadhaar API (UIDAI), third-party KYC vendor
    All entities processing data on your behalf — include cloud and SaaS providers

09. Cross-Border Transfers
    Example: No cross-border transfer — all processing within India
    Destination country, transfer mechanism (contractual safeguards, pending negative list)

10. DPIA Required?
    Example: No — standard processing under established legal obligation
    Yes/No/Under review — DPIA mandatory for systematic/large-scale/sensitive/new tech processing

11. Security Measures
    Example: Encrypted at rest (AES-256), TLS in transit, role-based access, MFA for admin access
    Technical and organisational measures — reference security policy, not reproduce it

12. Process Owner
    Example: Head of Retail Banking
    The business function accountable for this processing activity

13. Last Review Date
    Example: 2026-04-01
    ROPA should be reviewed annually and on material change to the activity

DPDP ROPA Template: 13-column template · 3 sample rows · Opens in Excel or Google Sheets · No sign-up required

The file opens directly in Microsoft Excel or Google Sheets. Use File → Save As XLSX in Excel after opening to convert to native format.

After building your ROPA — next steps

01. Identify DPIA triggers
    Review every row where the DPIA column is "Yes" or "Under review". Each triggers a DPIA. Prioritise by data sensitivity and volume.

02. Validate lawful bases
    For each processing activity, confirm the lawful basis is valid under DPDP. Remove any activity relying on "legitimate interest" — it is not a valid DPDP basis.

03. Review consent activities
    For every activity based on consent (§6), verify your consent notice meets the DPDP standard: specific, informed, free, and unambiguous.

04. Audit your processors
    For every processor listed, verify a signed Data Processing Agreement is in place. For processors outside India, document the contractual safeguards pending the negative list.

05. Map to your privacy notice
    Every category of personal data and purpose in your ROPA should be reflected in your public-facing privacy notice. Gaps mean your notice is incomplete.

06. Schedule annual review
    Set a calendar reminder for annual ROPA review. For SDFs, this review feeds into the Annual Data Audit — ensure your Data Auditor receives a current ROPA.
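
The checks from the column guidance and the next-steps list above can be run mechanically over a CSV export of the ROPA. This is an added example, not part of the original template or CreativeCyber's file; the header names, the constructed sample rows and the 365-day window used for "annual" are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample. Header names are assumptions modelled on the column
# titles above; only the columns that the checks read are included.
SAMPLE_CSV = """\
Processing Activity Name,Purpose of Processing,Lawful Basis,Retention Period,DPIA Required?,Last Review Date
Customer onboarding - KYC,Verify customer identity for account opening as required under PMLA 2002,Legal obligation - Banking Regulation Act / PMLA,10 years post account closure (PMLA requirement),No - standard processing under established legal obligation,2026-04-01
Marketing analytics,Business operations,Legitimate interest,As long as necessary,Under review,2024-11-15
Loyalty app profiling,Personalise offers in the mobile app,Consent,,Yes - large-scale profiling,not recorded
"""

VALID_BASES = ("consent", "state function", "legal obligation", "vital interests")
VAGUE_PURPOSES = {"business operations", "regulatory compliance"}
DPIA_TRIGGERS = ("yes", "under review")

def lint_row(row, today):
    """Return a list of findings for one ROPA row (one processing activity)."""
    findings = []
    basis = row["Lawful Basis"].strip().lower()
    if not basis.startswith(VALID_BASES):  # e.g. "legitimate interest"
        findings.append("lawful-basis")
    if row["Purpose of Processing"].strip().lower() in VAGUE_PURPOSES:
        findings.append("vague-purpose")
    retention = row["Retention Period"].strip().lower()
    if not retention or "as long as necessary" in retention:
        findings.append("vague-retention")
    dpia = row["DPIA Required?"].strip().lower()
    if dpia.startswith(DPIA_TRIGGERS):
        findings.append("dpia-trigger")
    elif not dpia.startswith("no"):
        findings.append("dpia-status-missing")
    try:
        reviewed = date.fromisoformat(row["Last Review Date"].strip())
        if (today - reviewed).days > 365:  # assumed meaning of "annually"
            findings.append("review-overdue")
    except ValueError:
        findings.append("review-date-invalid")
    return findings

def lint_ropa(csv_text, today):
    """Map each activity name to its findings; clean rows are omitted."""
    rows = csv.DictReader(io.StringIO(csv_text))
    checked = {r["Processing Activity Name"]: lint_row(r, today) for r in rows}
    return {name: f for name, f in checked.items() if f}

if __name__ == "__main__":
    print(lint_ropa(SAMPLE_CSV, date(2026, 6, 1)))
```

A "dpia-trigger" finding is a work item rather than an error: it lists the rows that need a DPIA, while the other findings mark rows that the column guidance says need rewriting.
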
Need help completing your ROPA? CreativeCyber's DPO advisory practice helps BFSI and regulated enterprises build, review, and maintain DPDP-compliant processing inventories.