# GDPR Records of Processing Activities for B2B Data Enrichment: A Practical Guide

> **Quick answer**: Under GDPR Article 30, organizations must maintain a Records of Processing Activities documenting each data processing operation, including B2B enrichment workflows like email finding or LinkedIn scraping. Each activity requires documenting the legal basis (typically legitimate interest for B2B prospecting), data categories, retention periods (the CNIL's reference period is three years from last contact for inactive prospects), processors and sub-processors, and security measures. Derrick logs all enrichment operations inside Google Sheets with built-in processing records, helping teams maintain GDPR-compliant documentation without manual tracking across 100+ data enrichment sources.


*Published: 2026-03-04 · Updated: 2026-03-05 · Canonical: https://derrick-app.com/en/records-of-processing-activities-data-enrichment/*

---

You’re running email finder campaigns, enriching lead lists from LinkedIn, verifying phone numbers — and you still don’t have a Records of Processing Activities (RoPA) document? You’re not alone. But the window to fix that is narrowing fast: in 2025, CNIL issued 87 sanctions, a 107% jump over the previous year, with commercial prospecting teams firmly in the crosshairs.

The good news is that building a RoPA isn’t a job for your legal team alone. It’s an operational document that helps you map your data flows, prove compliance, and keep your enrichment workflows on solid legal ground. This guide walks you through building it — one processing activity at a time — specifically for B2B data enrichment.

> **TL;DR** A Records of Processing Activities (RoPA) is mandatory under GDPR Article 30 for any organization that regularly processes personal data. For B2B data enrichment, each activity is a separate record: email finder, phone finder, LinkedIn scraping. Document the purpose, legal basis (legitimate interest for B2B prospecting, backed by a written assessment), processors and sub-processors, retention period (3 years from last contact for inactive prospects, per CNIL guidance) and security measures.

---

## What Is the Records of Processing Activities (GDPR Article 30)?

The Records of Processing Activities — often called RoPA — is an internal document that lists every operation your organization performs on personal data. It’s required under **Article 30 of the GDPR** and sits at the heart of the accountability principle: you must be able to demonstrate compliance when regulators ask, not scramble to prove it after the fact.

For each processing activity, the RoPA captures: who is responsible, why the data is collected, which data is involved, who has access, how long it’s retained, and how it’s protected.

**Who needs one?** In practice, every organization that processes personal data. Article 30(5) exempts organizations with fewer than 250 employees only if their processing is occasional, is unlikely to result in a risk to individuals, and involves no special category or criminal offence data. Regular prospecting, HR and customer records fail the "occasional" test, so the exemption almost never applies to a B2B sales team. The ICO in the UK and the CNIL in France both recommend that all organizations maintain a RoPA regardless of size.

Failing to maintain one can result in fines of up to **€10 million or 2% of global annual turnover** under Article 83 of the GDPR. But beyond the financial risk, a well-maintained RoPA is a management tool: it helps you identify data risks, prioritize compliance actions, and respond quickly to data subject requests (access, erasure, objection).

---

## Why Your Data Enrichment Activities Need to Be in the RoPA

B2B data enrichment is, by definition, a data-intensive activity — and almost all of the data involved is personal data under GDPR. A professional email like `firstname.lastname@company.com`, a mobile phone number, a LinkedIn profile — these are personal data, even in a business context.

Every enrichment action is a distinct processing activity: finding an email, verifying its deliverability, retrieving a phone number, scraping a LinkedIn profile, normalizing data in your CRM. Each one needs its own entry in your RoPA.

Sales teams often make the same mistake: they treat data enrichment as a purely technical step with no legal implications. But the moment you use a third-party tool to enrich your data (an email finder, a phone finder, a LinkedIn scraper), that tool is processing personal data on your behalf and must appear in your records, normally as a **data processor** under GDPR. One caveat: some enrichment vendors maintain their own contact database and act as an independent controller for that database rather than as your processor. The vendor's DPA or terms should state which role it claims, and your record should reflect it.

For your [B2B database enrichment](https://derrick-app.com/en/database-enrichment/) activities, you are the data controller. You define the purpose (finding prospects for your sales team), choose the tools, decide on retention periods. The legal responsibility sits with you, even when enrichment is handled by a SaaS tool.

With that context established, let’s look at exactly which enrichment activities need to be documented.

---

## Which B2B Data Enrichment Activities Belong in Your RoPA?

Each distinct enrichment activity gets its own record. Here are the most common ones for a B2B sales or growth team:

| Processing Activity | Data Involved | Typical Legal Basis |
| --- | --- | --- |
| Professional email lookup | Name, email address, company domain | Legitimate interest |
| Email verification | Email address | Legitimate interest |
| Phone number lookup | Mobile/direct dial number | Legitimate interest |
| LinkedIn profile scraping | Job title, company, bio, contact info | Legitimate interest |
| LinkedIn company page scraping | Company data + employee contacts | Legitimate interest |
| Sales Navigator list import | LinkedIn profile data | Legitimate interest |
| Data normalization and deduplication | Existing CRM data | Legitimate interest |
| AI lead scoring and segmentation | Enriched profile data | Legitimate interest |
| Cold email prospecting | Email, name, personalization data | Legitimate interest |
| Phone prospecting | Phone number, name | Legitimate interest + TPS/CTPS check (UK) |

**Important distinction:** data relating solely to a legal entity (company name, registered address, Companies House number) is not personal data under GDPR. The moment a piece of data identifies or could identify a natural person within that company, GDPR applies.

Now let’s build the actual records, step by step.

---

## How to Build Your RoPA for B2B Data Enrichment: Step-by-Step

### Step 1: List every enrichment processing activity

Start by cataloging every data enrichment activity your team runs. Ask yourself: “What personal data do we touch, and why?” Each distinct purpose = a separate record in your RoPA.

Mike, Sales Ops at a 35-person SaaS startup, did this inventory in two hours with his commercial team. He identified 7 distinct activities — including 3 he hadn’t anticipated: AI lead scoring, Zapier sync to HubSpot, and the CSV export shared with their cold email agency.

**Expected output:** A full list of all your data processing activities, each described in one sentence.

---

### Step 2: Define the purpose and legal basis for each activity

For each enrichment activity, document:

**The purpose:** Be specific. “Commercial prospecting” isn’t enough. Write something like: “Enrichment of qualified leads for Q1 2026 cold email campaign targeting VP of Marketing at Series A–C SaaS companies in the UK and US.”

**The legal basis:** For B2B prospecting, this is almost always **legitimate interest** (Article 6(1)(f) GDPR). This basis lets you process personal data without prior consent, provided that:

- The processing is proportionate to the objective
- The people you contact have a plausible connection to what you’re offering (their role is relevant to your product)
- You offer a simple, free opt-out in every communication

You also need to document the **Legitimate Interest Assessment (LIA)**: the three-part test showing a legitimate purpose, that the processing is necessary for that purpose, and that your interest outweighs the rights and reasonable expectations of the individuals. For targeted B2B outreach, this balance is generally favorable, but the reasoning must be written down. Note that legitimate interest covers the processing of the data; the sending of unsolicited marketing is separately governed by ePrivacy rules (PECR in the UK, national ePrivacy laws in the EU), which in the UK allow email to corporate subscribers but require consent for sole traders and partnerships.

**Expected output:** A specific purpose statement and a documented legal basis with its justification for each activity.

---

### Step 3: List the categories of personal data processed

For each enrichment activity, specify the data categories involved. For example, for an email finder workflow using a tool like Derrick:

- Identification data: first name, last name
- Professional data: job title, company name, department
- Contact data: professional email address
- LinkedIn data: profile URL, headline, summary

Check that you’re not processing **special category data** (health, political opinions, racial or ethnic origin). These require a higher legal threshold and generally can’t rely on legitimate interest. For standard B2B prospecting, you shouldn’t encounter them.

Also apply the **data minimization principle**: only collect what’s strictly necessary for your stated purpose. If you don’t use location data in your sequences, don’t enrich it.

---

### Step 4: Identify your sub-processors and recipients

This is the step sales teams most consistently skip. Any third-party tool that processes personal data on your behalf is a **data processor** under GDPR and must appear in your records. (Strictly, a sub-processor is a vendor engaged by one of your processors, such as the cloud host behind your CRM; this guide uses the term loosely for every vendor in the chain, and all of them belong in the record.)

For B2B data enrichment, your typical sub-processors include:

- Your **enrichment tool** for finding emails and phones (e.g., Derrick)
- Your **cold email platform** (Instantly, Lemlist, Mailshake, etc.)
- Your **CRM** storing and processing enriched data (HubSpot, Salesforce, Pipedrive)
- Your **automation tool** if you sync data via Zapier, Make, or n8n
- Any **partner agency** that processes data on your behalf

For each sub-processor, verify that a **Data Processing Agreement (DPA)** is in place. This contract formalizes their GDPR obligations as a processor. Most serious SaaS vendors offer this in their terms or on request.

Also identify **internal recipients**: which teams in your organization have access to enriched data? Sales only? Marketing too? Leadership?

---

### Step 5: Set retention periods for each category of data

The CNIL's reference period for inactive prospect data is **3 years** from the last contact or interaction; the ICO sets no fixed number but requires a defined and justified period for each category of data. After that, you either delete the records or re-engage the contact to confirm their interest.

For prospects who become customers, retention typically extends to **5 years** after the end of the commercial relationship, which is the French commercial limitation period. For a contract governed by English law the comparable limitation period is six years under the Limitation Act 1980, so align the figure with the law that governs your contracts.

Define and document a clear policy:

| Contact Status | Retention Period | Action at Expiry |
| --- | --- | --- |
| Prospect — no reply | 3 years from last contact | Automatic deletion |
| Prospect — active pipeline | Sales cycle duration + 3 years | Manual review |
| Active customer | Duration of relationship + 5 years | Archive then delete |
| Contact who opted out | Immediately | Blacklist + delete |

Build a regular purge process into your workflow. Running periodic [email verification](https://derrick-app.com/en/email-verification/) also helps identify invalid or bounced contacts to clean out first.
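The purge process described above is easier to get right as a small script than as a manual review of a sheet. The following is an added example, not code from the original article or from the Derrick product: it classifies each contact against the retention table above and returns the action to take (delete, manual review, archive, keep, or blacklist-and-delete for objections). The field names, the 365-day year, and the sample rows are assumptions; the rows are constructed and describe no real person.

```python
"""Retention purge classifier for enriched prospect records (added example)."""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention clocks from the policy table. Years are approximated as 365 days;
# the figure must match the period written in your own RoPA entry.
INACTIVE_PROSPECT = timedelta(days=3 * 365)   # 3 years from last contact
FORMER_CUSTOMER = timedelta(days=5 * 365)     # 5 years after end of relationship


@dataclass
class Contact:
    """One row of a sheet export. Field names are assumed for this example."""
    email: str
    status: str                                   # no_reply | active_pipeline | customer | opted_out
    last_interaction: Optional[date] = None       # last email/call/reply, any direction
    cycle_closed: Optional[date] = None           # active_pipeline: date the opportunity was won/lost
    relationship_end: Optional[date] = None       # customer: contract end; None while still a customer


def classify(c: Contact, today: date) -> tuple:
    """Return (action, reason) for one contact under the retention policy."""
    if c.status == "opted_out":
        # Objection (Art. 21): suppress and delete regardless of dates.
        return "blacklist_delete", "objection received: suppress and delete immediately"
    if c.status == "no_reply":
        if c.last_interaction is None:
            # Without a date you cannot justify keeping the record; flag rather than keep.
            return "review", "no last-contact date: retention cannot be justified"
        if today - c.last_interaction > INACTIVE_PROSPECT:
            return "delete", f"inactive since {c.last_interaction}, over 3 years"
        return "keep", "inactive prospect within 3 years"
    if c.status == "active_pipeline":
        if c.cycle_closed is None:
            return "keep", "opportunity still open"
        if today - c.cycle_closed > INACTIVE_PROSPECT:
            return "review", f"cycle closed {c.cycle_closed}, over 3 years: manual review"
        return "keep", "closed opportunity within 3 years"
    if c.status == "customer":
        if c.relationship_end is None:
            return "keep", "active customer"
        if today - c.relationship_end > FORMER_CUSTOMER:
            return "archive", f"relationship ended {c.relationship_end}, over 5 years"
        return "keep", "former customer within the limitation period"
    # Unknown status: never silently keep, never silently delete.
    return "review", f"unknown status {c.status!r}: fix the record before purging"


def suppression_token(email: str) -> str:
    """Hash the normalised address so the opt-out list does not hold it in clear.
    The hashed list is still personal data; hashing limits exposure, not the obligation."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def run_purge(contacts, today: date) -> dict:
    """Group contact emails by action; opted-out contacts also yield a suppression token."""
    out = {"delete": [], "review": [], "archive": [], "keep": [],
           "blacklist_delete": [], "suppression": []}
    for c in contacts:
        action, _reason = classify(c, today)
        out[action].append(c.email)
        if action == "blacklist_delete":
            out["suppression"].append(suppression_token(c.email))
    return out


# Constructed sample rows (no real people), as a sheet export might look.
SAMPLE = [
    Contact("alice@example.com", "no_reply", last_interaction=date(2022, 1, 10)),
    Contact("bob@example.com", "no_reply", last_interaction=date(2025, 6, 1)),
    Contact("carol@example.com", "active_pipeline", cycle_closed=date(2022, 11, 1)),
    Contact("dave@example.com", "customer", relationship_end=date(2020, 6, 30)),
    Contact("erin@example.com", "opted_out", last_interaction=date(2026, 3, 1)),
    Contact("frank@example.com", "no_reply"),
]
DEMO_DATE = date(2026, 3, 5)


def demo() -> dict:
    """Run the classifier over the constructed sample as of DEMO_DATE."""
    return run_purge(SAMPLE, DEMO_DATE)


if __name__ == "__main__":
    for action, emails in demo().items():
        print(f"{action:17} {emails}")
```

Run it on a scheduled basis (the quarterly purge in the template) against an export of the sheet or CRM, and feed the `delete` and `archive` lists to the actual deletion step only after the `review` list has been cleared by a human; records with missing dates are the ones that most often turn out to be older than anyone remembers.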

---

### Step 6: Document technical and organizational security measures

For each processing activity, describe the measures in place to protect the data. You don’t need exhaustive detail in the RoPA itself, but the main categories should be covered:

- **Access controls:** who can view enriched data in your Google Sheet or CRM?
- **Encryption:** is data stored securely at rest and in transit?
- **Backups:** what’s the backup and recovery policy?
- **Team training:** are your sales reps aware of their GDPR obligations?
- **Incident response:** do you have a procedure for data breaches?

A few lines per activity is sufficient. The goal is to demonstrate that you’ve thought about security — not to write an ISO 27001 policy.

---

## RoPA Template: Sample Record for a B2B Email Enrichment Workflow

Here’s a completed example for one common enrichment activity:

| Field | Content |
| --- | --- |
| **Activity name** | Professional email enrichment for B2B outbound prospecting |
| **Data controller** | [Your company name] — Contact: [DPO or designated contact] |
| **Purpose** | Identify professional email addresses of target decision-makers to run cold email outreach campaigns |
| **Legal basis** | Legitimate interest (Art. 6(1)(f) GDPR) — LIA ref. [ID], completed [date] |
| **Data categories** | First name, last name, job title, professional email, company domain |
| **Data subjects** | B2B decision-makers (managers, directors, founders) at target accounts |
| **Sub-processors** | Derrick (enrichment) — DPA in place; HubSpot (CRM) — DPA in place; Instantly (email sequences) — DPA in place |
| **Internal recipients** | Sales team (SDRs + Account Executives) |
| **Retention period** | 3 years from last interaction for inactive prospects |
| **International transfers** | HubSpot (USA) — transfer mechanism documented: Standard Contractual Clauses, or the vendor's EU-US Data Privacy Framework certification |
| **Security measures** | Role-based access in HubSpot; mandatory 2FA; quarterly purge of inactive prospects |
| **Opt-out mechanism** | Unsubscribe link in every email + requests processed within 48 hours |

Replicate this template for each of your enrichment activities. A well-documented [B2B lead generation](https://derrick-app.com/en/b2b-lead-generation/) operation signals professionalism to enterprise prospects and protects you from regulatory exposure simultaneously.

---

## Common RoPA Mistakes for Data Enrichment (and How to Fix Them)

### Problem 1: One catch-all “commercial prospecting” record for everything

**Symptom:** Your RoPA has a single generic entry covering email finder, phone lookup, LinkedIn scraping, and cold emailing all at once.

**Impact:** During a regulatory audit, you can’t demonstrate that each activity was individually assessed. Purposes, legal bases, and retention periods can differ significantly between activities.

**Fix:** Create a separate record for each distinct activity. A simple rule: if the activity uses different data, a different tool, or pursues a different purpose — it’s a separate record.

---

### Problem 2: Sub-processors aren’t listed

**Symptom:** Your RoPA documents your purposes and data categories but doesn’t mention any third-party tools.

**Impact:** You remain legally responsible for how your sub-processors handle data. Without documented DPAs, you can’t prove your vendors are GDPR-compliant.

**Fix:** List every SaaS tool that processes personal data on your behalf. Request a signed DPA from each and file it. For your [phone finder](https://derrick-app.com/en/phone-finder/) or email enrichment tools, check the vendor’s contractual terms carefully.

---

### Problem 3: No retention period is defined

**Symptom:** Your RoPA says “reasonable duration” or leaves the field blank.

**Impact:** Regulators treat undefined retention periods as a breach of the storage limitation principle — one of the most commonly flagged issues in GDPR audits.

**Fix:** Set specific periods per contact category and implement an automated or scheduled purge process. 3 years from last interaction is the CNIL's reference period for inactive prospects.

---

### Problem 4: The RoPA hasn’t been updated since it was created

**Symptom:** Your records document a tech stack from two years ago and don’t reflect your current tools.

**Impact:** A RoPA that doesn’t match your actual processing activities is treated as non-existent by regulators.

**Fix:** Assign a named owner for RoPA updates (Sales Ops, DPO, or legal). Run a quarterly review and update the records every time you add a new tool or change an enrichment practice.

---

### Problem 5: Legitimate interest isn’t justified

**Symptom:** Your RoPA lists “legal basis: legitimate interest” with no further explanation.

**Impact:** Legitimate interest isn’t a catch-all. You must demonstrate that your commercial interests outweigh the rights of the individuals. Without a documented Legitimate Interest Assessment, this basis can be challenged.

**Fix:** Write a short justification for each relevant activity: why is this enrichment necessary for your business? Why might the individuals reasonably expect to be contacted in this context? For your [GDPR-compliant cold email](https://derrick-app.com/en/cold-emailing-rgpd-2/) strategy, this documentation is especially critical.
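The five problems above are all detectable from the record itself, so they can be checked automatically each time the register is exported. The following is an added example, not code from the original article or from the Derrick product: a linter that runs over RoPA rows (one dict per activity, as a sheet export would give you) and flags missing Article 30 fields, a catch-all purpose, processors without a DPA or transfer mechanism, a vague retention period, a stale review date, and legitimate interest with no LIA reference. The field names, the 90-day review window, the word-count heuristic for a generic purpose, the vendor names and both sample records are assumptions for illustration.

```python
"""RoPA record linter (added example)."""
import re
from datetime import date, timedelta

# Fields every record must carry (Art. 30(1) content plus the page's own template).
REQUIRED = ("activity", "controller", "purpose", "legal_basis", "data_categories",
            "data_subjects", "internal_recipients", "retention",
            "security_measures", "last_reviewed")
REVIEW_WINDOW = timedelta(days=90)                # quarterly review, per the page
DURATION = re.compile(r"\b\d+\s*(year|month|day)s?\b", re.I)   # "3 years", "18 months"
GENERIC_PURPOSES = {"commercial prospecting", "marketing", "sales", "prospecting"}
MIN_PURPOSE_WORDS = 8                             # heuristic: shorter purposes are catch-alls
NO_TRANSFER_TOOL_NEEDED = {"EU", "EEA", "UK"}     # simplified; check adequacy decisions yourself


def lint_record(r: dict, today: date) -> list:
    """Return finding codes for one RoPA record; an empty list means it passes."""
    findings = []
    for f in REQUIRED:
        if not r.get(f):
            findings.append(f"MISSING:{f}")

    # Problem 1: one generic "commercial prospecting" record for everything.
    purpose = (r.get("purpose") or "").strip().lower()
    if purpose and (purpose in GENERIC_PURPOSES or len(purpose.split()) < MIN_PURPOSE_WORDS):
        findings.append("P1:generic_purpose")

    # Problem 2: processors not listed, or listed without a signed DPA.
    subs = r.get("sub_processors") or []
    if not subs:
        findings.append("P2:none_listed")
    for s in subs:
        if not s.get("dpa"):
            findings.append(f"P2:no_dpa:{s.get('name')}")
        # A vendor outside the EEA/UK needs a documented transfer mechanism.
        if s.get("country") not in NO_TRANSFER_TOOL_NEEDED and not s.get("transfer_mechanism"):
            findings.append(f"TRANSFER:no_mechanism:{s.get('name')}")

    # Problem 3: "reasonable duration" or similar instead of a concrete period.
    retention = r.get("retention") or ""
    if retention and not DURATION.search(retention):
        findings.append("P3:vague_retention")

    # Problem 4: record not reviewed within the quarterly window.
    reviewed = r.get("last_reviewed")
    if reviewed and today - reviewed > REVIEW_WINDOW:
        findings.append("P4:stale_review")

    # Problem 5: legitimate interest claimed with no assessment on file.
    if "legitimate interest" in (r.get("legal_basis") or "").lower() and not r.get("lia_reference"):
        findings.append("P5:li_without_lia")
    return findings


def lint_register(records, today: date) -> dict:
    """Map each activity name to its findings."""
    return {r.get("activity", "<unnamed>"): lint_record(r, today) for r in records}


# Constructed sample records. Vendor names are hypothetical.
GOOD = {
    "activity": "Professional email enrichment for B2B outbound prospecting",
    "controller": "Example Ltd, contact: privacy@example.com",
    "purpose": "Identify professional email addresses of target decision-makers "
               "to run cold email outreach campaigns",
    "legal_basis": "Legitimate interest (Art. 6(1)(f) GDPR)",
    "lia_reference": "LIA-2026-01",
    "data_categories": ["first name", "last name", "job title", "professional email", "company domain"],
    "data_subjects": "B2B decision-makers at target accounts",
    "sub_processors": [
        {"name": "Acme Enrich", "country": "EU", "dpa": True},
        {"name": "Acme CRM", "country": "US", "dpa": True, "transfer_mechanism": "SCCs"},
        {"name": "Acme Sequencer", "country": "US", "dpa": True, "transfer_mechanism": "SCCs"},
    ],
    "internal_recipients": "Sales team (SDRs + AEs)",
    "retention": "3 years from last interaction for inactive prospects",
    "security_measures": "Role-based access in the CRM; mandatory 2FA; quarterly purge",
    "last_reviewed": date(2026, 2, 20),
}
BAD = {
    "activity": "Commercial prospecting",
    "controller": "Example Ltd",
    "purpose": "Commercial prospecting",
    "legal_basis": "Legitimate interest",
    "data_categories": ["name", "email", "phone"],
    "data_subjects": "Prospects",
    "sub_processors": [{"name": "Acme Sequencer", "country": "US", "dpa": False}],
    "internal_recipients": "Everyone",
    "retention": "Reasonable duration",
    "security_measures": "",
    "last_reviewed": date(2024, 1, 15),
}
DEMO_DATE = date(2026, 3, 5)

if __name__ == "__main__":
    for name, findings in lint_register([GOOD, BAD], DEMO_DATE).items():
        print(name, "->", findings or "OK")
```

The checks are deliberately strict about absence rather than clever about content: a linter cannot judge whether a purpose is specific enough or an LIA is sound, but it can guarantee that nobody exports a register with a blank retention field, an unsigned DPA, or a legal basis that points at no written assessment.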

---

## Key Takeaways

- **Each enrichment activity = a separate RoPA record:** email finder, phone lookup, LinkedIn scraping, normalization, and cold emailing are distinct entries.
- **Legitimate interest** is the standard legal basis for B2B prospecting, but it must be justified with a documented Legitimate Interest Assessment.
- **Every SaaS enrichment tool is a GDPR data processor:** list them in your RoPA with a signed DPA.
- **3 years from last interaction** is the reference period for inactive prospects (CNIL guidance): delete or re-engage after that.
- **Regular updates are mandatory:** assign a named owner and schedule quarterly reviews.

---

## Conclusion: Your RoPA Is a Business Asset, Not Just a Compliance Checkbox

A well-maintained Records of Processing Activities isn’t just protection against regulatory fines. It’s a signal of seriousness to enterprise prospects, to compliance-sensitive clients, and to your own sales team that needs reliable, clean data to work with.

Documenting your enrichment activities forces a useful discipline: you question whether each data point is necessary, whether retention periods make sense, who actually needs access. That structural clarity improves data quality — and better data quality improves prospecting outcomes.

Start with one record per enrichment activity. List your tools, set retention periods, sign your DPAs. Then keep it current as your stack evolves.

Related article: [How to enrich your B2B database](https://derrick-app.com/en/database-enrichment/), covering best practices for enriching prospect data directly in Google Sheets.

---

## FAQ

**Is a Records of Processing Activities mandatory for small sales teams?** In practice, yes. The exemption for organizations with fewer than 250 employees doesn’t apply once your processing is regular — which describes any active B2B sales operation. Both the ICO and CNIL recommend maintaining a RoPA regardless of company size.

**What format should I use for my RoPA?** GDPR requires only that it be in writing. A Google Sheet or Excel file works fine for smaller teams. The CNIL offers a free ODS template on its website. Larger teams often use dedicated compliance software. The format matters less than the content being accurate and current.

**Can I use a B2B data enrichment tool without violating GDPR?** Yes — provided you document its use in your RoPA, sign a DPA with the vendor, use the enriched data within your declared purpose, and give data subjects a clear and easy way to opt out.

**How long can I keep enriched prospect data?** The CNIL's reference period is 3 years from the last interaction for inactive prospects; the ICO requires a defined and justified period rather than a fixed number. After that, delete the records or reach out to confirm the person's continued interest before retaining their data.

**What happens if a regulator audits me and my RoPA is incomplete?** An incomplete or missing RoPA can result in a formal warning, a compliance order, or a fine of up to €10 million or 2% of global annual turnover. Enforcement against B2B prospecting practices has intensified significantly since 2024.
