The Record of Processing Activities derives from your data flow inventory and exports in three formats — GDPR Article 30, CCPA/CPRA, and a framework-agnostic global schema. The same flow inventory feeds all three; the operator picks the format. No more rebuilding the RoPA each year for the regulator.
Most organisations operating across jurisdictions maintain multiple parallel data inventories — one for the GDPR Article 30 obligation, one for CCPA/CPRA disclosure, and a third for whatever internal governance spreadsheet the privacy team trusts. Three inventories. Three drift surfaces. Three failure modes.
Verisq runs one inventory. The same data flow catalogue feeds all three exports. When the inventory updates, all three exports stay current automatically. When a regulator asks for the GDPR Article 30 RoPA today and the CCPA disclosure tomorrow, the answers are derived from the same source of truth on the same day.
Inbound, outbound, and internal data flows derive automatically from three signals:
Every auto-derived flow carries a confidence score and a deriver-source signature. Any RoPA row traces back to its origin in seconds — to the vendor row, the SaaS connector, or the schema-similarity event that produced it. Operators can confirm, edit, or disable any auto-derivation; every action lands in the audit log.
Flows activate immediately when derived, so your RoPA populates on day one, not after a multi-week backlog review. The audit log captures every auto-derivation, every operator edit, every disable, every re-enable. When the regulator asks why the RoPA shows what it shows, the answer can be reconstructed from the audit timeline.
GDPR Article 30 — purpose, categories of data subjects, categories of personal data, recipients, third-country transfers with safeguards, retention, security measures. Format compliant with EU regulator expectations.
CCPA / CPRA — categories of personal information collected, sources, business purposes, third parties shared with, sale/share status. Format compliant with California Attorney General disclosure requirements.
Framework-agnostic global — internal-governance format with the full attribute catalogue, the legal basis tagging, and the deriver provenance. Use as the source of truth from which any future regulatory format can be derived.
Every flow carries its GDPR Article 6(1) lawful basis: consent, contract, legal obligation, vital interests, public task, legitimate interest. CCPA-equivalent labels are produced automatically through the export adapter. Consent withdrawal propagates: the flow for a subject who has withdrawn consent becomes inactive immediately, and downstream marketing-list exports suppress that subject automatically.
RoPA Generation is an Enterprise capability. Available as part of the PrivacyOps module alongside data discovery, classification, and DSAR automation.