Ryan, Paul
ORCID: 0000-0003-0770-2737
(2025)
ERoPA: A Machine-Readable Approach to the Record of Processing Activities (RoPA) for GDPR Compliance.
PhD thesis, Dublin City University.
Abstract
The General Data Protection Regulation (GDPR) mandates that organisations keep a Record of Processing Activities (RoPA) and ensure compliance. The RoPA should include details on processing personal data from internal departments with diverse IT systems and external data processors. Current practices rely on spreadsheets or proprietary systems, which lack machine readability and interoperability, creating obstacles to automation. Regulators report that organisations face challenges in maintaining an accurate and up-to-date RoPA.
This thesis defines an approach to supporting ‘Electronic Records of Processing Activities’ (ERoPA) to help organisations comply with the GDPR Accountability Principle. The “ERoPA Approach” facilitates the collection, representation, transfer, and review of information to support organisational GDPR compliance through the automation of RoPA processes based on stakeholder requirements.
Using the Action Design Research (ADR) methodology, fourteen stakeholder requirements for the ERoPA Approach were identified. The ERoPA Approach was developed iteratively through ADR to provide: (i) an ontology to support the representation of RoPAs based on a survey of RoPA templates published by GDPR regulators, (ii) an interoperable machine-readable approach for the collection and transfer of RoPA information, (iii) queries to support typical compliance tasks, and (iv) deployment guidelines for practical implementations based on a case study in a real organisation where observations were gathered and the opinions of data protection experts were consulted.
The main contribution of this thesis is the ERoPA Approach, which enhances GDPR accountability by facilitating the collection, representation, transfer, and review of RoPA information exchanged among stakeholders in data processing chains. The ERoPA Approach enables sharing GDPR accountability information with regulators and certification bodies, significantly improving the visibility and efficiency of organisational accountability practices. Additionally, it provides tools to support GDPR compliance automation. A minor contribution of this research is the extension of the W3C Community Standard, Data Privacy Vocabulary (DPV), to represent RoPAs.
Metadata
| Item Type: | Thesis (PhD) |
|---|---|
| Date of Award: | 4 December 2025 |
| Refereed: | No |
| Supervisor(s): | Crane, Martin; Pandit, Harshvardhan; Brennan, Rob |
| Uncontrolled Keywords: | GDPR, Data Protection Officer, RoPA, GDPR Compliance, Semantic Web and Recording of Processing Activities, RegTech |
| Subjects: | Computer Science > Software engineering; Computer Science > Information storage and retrieval systems |
| DCU Faculties and Centres: | DCU Faculties and Schools > Faculty of Engineering and Computing > School of Computing; DCU Faculties and Schools Research Institutes and Centres > ADAPT |
| Use License: | This item is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 License. |
| ID Code: | 31963 |
| Deposited On: | 14 Apr 2026 13:53 by Martin Crane. Last Modified 14 Apr 2026 13:53 |
Documents
Full text available as: PDF (Paul Ryan PhD Thesis), 4MB