Just small clarification, DPIA is for the processing activities that pose a high risk to the rights and freedoms of the data subjects but when should we complete the record of processing?
Assign topic to the user
ISO 9001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 9001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 9001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Answer:
Article 30(5) of the GDPR provides an exemption that allows companies to avoid Article 30 record-keeping obligations provided that the processing is (i) only occasional; (ii) the processing is not considered a risk to the rights and freedoms of the data subjects; and (iii) the processing is not of ‘Special Categories of Data’ (Article 9.1) or personal data relating to criminal convictions and offences.
So unless you fall under the exemptions above you need to create an Inventory of processing activities or ROP as you called them.
Comment as guest or Sign in
Sep 09, 2019