Document new processing before it becomes operational.

Use this page when a Northstar team starts or changes a process that uses personal data. The goal is to capture purpose, responsibility, data categories, systems, recipients, retention, transfers and controls in a structured RoPA record.

Create new processing activity Open existing records

RoPA intake Clear guidance for HR, Sales, Marketing, IT, Operations and Legal.

1. Describe the activity

Name the process, explain the business purpose and identify the responsible business unit.

2. Classify the data

Select data subjects, data categories, systems, recipients, transfer locations and retention rules.

3. Review risk and controls

Check risk indicators, security measures, DPIA triggers and required approvals.

When to use this page

A new tool or vendor will process personal data.
A department changes the purpose or data scope of an existing process.
Data is shared with a new recipient or transferred internationally.
A process begins to include AI, monitoring, profiling or sensitive data.

What the privacy team checks

The team checks that the RoPA record is complete enough to support accountability, privacy notices, retention, transfer documentation, DPIA screening and audit reporting.