Five Reasons Canadian Businesses Need ROPAs... and Where to Begin

Stikeman Elliott LLP

While mandated by the European General Data Protection Regulation (“GDPR”) since 2018, records of processing activities (“ROPAs”) are not a requirement for private sector entities in Canada. But that is beginning to change, after Québec’s data protection authority – the Commission d’accès à l’information (“CAI”) – published new guidelines (“Guidelines”) on January 30, 2026. While not creating any legal requirements, the Guidelines indicate that CAI will consider the existence of a ROPA in assessing compliance by entities under its jurisdiction.

A ROPA is essentially a mapping of an organization’s personal information processing activity. The compliance checklist accompanying the Guidelines includes the establishment of a ROPA to deal with “confidentiality incidents”, the term used in Québec’s Act respecting the protection of personal information in the private sector (“PPIPS”) to refer to the loss or unauthorized disclosure, use, or communication of “personal information” (defined as “information that directly or indirectly identifies a natural person”).

Why Your Business Should Consider a ROPA

Below are five reasons why Canadian businesses should consider keeping a ROPA:

Reason 1: Good data governance

ROPAs evidence good data governance. They provide a comprehensive overview of an organization’s personal information processing activity. The GDPR requires ROPAs to include different information depending upon whether the business is a “processor” or a “controller”. For example, article 30 of the GDPR requires that a controller ROPA include the following:

  • The name and contact details of the controller and, where applicable, of the joint controller, the controller’s representative, and the data protection officer;
  • The purposes of the processing;
  • A description of the categories of data subjects and of the categories of personal information;
  • The categories of recipients to whom the personal information has been or will be disclosed, including those located abroad;
  • The safeguards to protect personal information that is communicated abroad;
  • Where possible, the envisaged time limits for erasure of the different categories of personal information; and
  • Where possible, a general description of the technical and organizational security measures.

The Québec Guidelines suggest that a ROPA contain the following:

  • The types of personal information collected;
  • The amount of personal information collected;
  • The ends for which the information is collected;
  • Any analysis of the sensitivity of the personal information;
  • The means used to collect the information;
  • The category of people who have access to the personal information within the organization;
  • How the information will be used and/or communicated;
  • The jurisdiction in which the information will be stored;
  • The conditions under which, and type of platform on which, the information will be stored; and
  • The length of time the information will be stored.

Reason 2: Depending on where you do business, it may already be legally required

In some jurisdictions, a failure to keep a ROPA places an organization in breach of applicable data protection legislation. As stated above, this document is required by article 30 of the GDPR, with non-compliance punishable by a fine of up to 10 million euros or 2% of the organization’s annual worldwide turnover. As the GDPR has extraterritorial application, these fines could be levied against a Canadian business conducting business in Europe or targeting Europeans. A ROPA is also required by article 30 of the UK GDPR and, as noted, is now part of the checklist that the CAI issued to accompany its Guidelines. While Québec’s PPIPS does not specifically require a ROPA, a failure to adhere to the CAI Guidelines will likely work against any organization in the event it suffers a confidentiality incident.

Reason 3: It’s a “must” for projects involving data analytics

No organization should start a project such as a data lake, or any other data-intense processing project, without a ROPA. A properly drafted ROPA will enable stakeholders to know where the data has been sourced, what measures (contractual, legislative, or other regulatory) govern its processing, and what additional measures may be required to compliantly carry out a project. All too often, organizations launch data projects only to realize that the intended purpose either cannot be fulfilled or cannot be fulfilled as expected because they do not have the appropriate rights to process the data in the way they had initially anticipated.

Reason 4: It facilitates DSAR responses and confidentiality incident notices

If an organization receives a data subject access request (“DSAR”) or is the object of a confidentiality incident, a ROPA enables response teams to locate the necessary information quickly and meet response deadlines. In many jurisdictions, organizations have a month to respond to a DSAR. This deadline will seem short for response teams that must gather data from several systems across several jurisdictions. Likewise, for organizations operating in jurisdictions that prescribe timelines within which individuals or data protection authorities must be notified of an incident, knowing exactly where the data is located and which legal duties, statutory or contractual, dictate the notice requirements is essential to remaining compliant.

Reason 5: Model ROPAs are readily available

A number of data protection authorities have drafted model ROPAs. Links to some of the most accessible are below:

These models are good starting points for businesses as they consider the possibility of keeping a ROPA, in consultation with counsel.

Conclusion

While ROPAs may appear daunting, they are increasingly important to most businesses and essential to any business with projects involving large-scale data processing. Additionally, regulators and data subjects are growing intolerant of businesses that cannot respond to inquiries within prescribed deadlines. Québec’s new Guidelines make ROPAs all the more important for many Canadian businesses. In brief, a business’s failure to compile and maintain a ROPA, even in jurisdictions that don’t require one, is an accident waiting to happen.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Stikeman Elliott LLP
