Article 30 of the GDPR requires controllers and processors to maintain a written record of their processing activities (a record of processing activities, or RoPA); "written" includes electronic form, so in practice it is a digital artifact. The only exemption, in Article 30(5), is for organizations with fewer than 250 employees, and it does not apply if the processing is likely to result in a risk to data subjects, is not occasional, or involves special categories of data or criminal conviction data, so most organizations of any size end up needing one. The RoPA is the documented backbone of GDPR accountability: supervisory authorities can request it at any time, and it should be the first artifact produced during an audit.
The required contents are specific. For each processing activity, a controller's record under Article 30(1) needs the name and contact details of the Controller (and, where applicable, the joint Controllers, the Controller's representative and the Data Protection Officer), the purposes of the processing, the categories of data subjects, the categories of personal data, the categories of recipients (including recipients in third countries or international organisations), any transfers to third countries together with the documented safeguards for them, the envisaged retention periods or erasure time limits (where possible), and a general description of the technical and organisational security measures (where possible). Processors keep a parallel, shorter record under Article 30(2), organised by Controller rather than by purpose.
Building the RoPA is where most GDPR programs hit their first wall, because it requires a real data map that ties business activities to specific systems and specific fields. Producing it from a spreadsheet sounds tractable until you realize the inventory needs to keep pace with every system migration, every new vendor, every new product launch. Most mature programs treat the RoPA as a derived artifact — generated automatically from a live, machine-readable data map — rather than as a Word document maintained by hand.
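The following is an added example, not code from the original page or from any product it describes, of what "a derived artifact generated from a machine-readable data map" can look like in practice. The data-map schema, the field and key names, the sample controller, systems and activities are all constructed for illustration. Adequacy decisions are not modelled separately: any transfer outside the EEA simply has to carry a non-empty `transfer_basis` string, whether that is "adequacy decision", SCCs or something else. The validator is what makes the derived RoPA keep pace with change: a field that was migrated out of a system, a vendor added without a documented transfer basis, or an activity with no retention period shows up as a finding instead of silently going stale.

```python
"""Derive an Article 30 RoPA from a machine-readable data map and validate it.

Added example, not from the original page. The data-map schema and all
sample values below are assumptions constructed for illustration.
"""

# EU member states plus the three EEA EFTA states; everything else is a
# "third country" for Article 30(1)(e) purposes.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}

# Constructed sample data map: systems inventory field -> data category, and
# business activities tied to specific systems and specific fields.
DATA_MAP = {
    "controller": {"name": "Example Ltd", "contact": "privacy@example.test",
                   "dpo": "dpo@example.test"},
    "systems": {
        "crm": {"email": "contact data", "phone": "contact data",
                "dob": "identification data"},
        "hr": {"iban": "financial data",
               "sick_leave": "health data (special category)"},
    },
    "activities": [
        {
            "id": "newsletter",
            "purpose": "Send product newsletter to opted-in customers",
            "data_subjects": ["customers"],
            "data": {"crm": ["email"]},
            "recipients": [{"name": "MailVendor Inc", "role": "email delivery processor",
                            "country": "US", "transfer_basis": "SCCs, module 2"}],
            "retention": "Until consent is withdrawn, then 30 days",
            "security": ["TLS in transit", "role-based access"],
        },
        {
            "id": "payroll",
            "purpose": "Pay salaries and report to the tax authority",
            "data_subjects": ["employees"],
            # 'salary' was migrated out of the hr system; the map is stale here.
            "data": {"hr": ["iban", "sick_leave", "salary"]},
            "recipients": [{"name": "Payroll SaaS", "role": "payroll processor",
                            "country": "US", "transfer_basis": ""}],
            "retention": "",
            "security": ["encryption at rest"],
        },
    ],
}


def derive_ropa(data_map):
    """Build one Article 30(1) record per processing activity."""
    entries = []
    for act in data_map["activities"]:
        categories, unmapped = set(), []
        for system, fields in act["data"].items():
            inventory = data_map["systems"].get(system, {})
            for name in fields:
                if name in inventory:
                    categories.add(inventory[name])
                else:
                    unmapped.append(f"{system}.{name}")
        transfers = [r for r in act["recipients"] if r["country"] not in EEA]
        entries.append({
            "activity": act["id"],
            "controller": data_map["controller"],
            "purpose": act["purpose"],
            "data_subject_categories": sorted(act["data_subjects"]),
            "personal_data_categories": sorted(categories),
            "recipient_categories": sorted({r["role"] for r in act["recipients"]}),
            "third_country_transfers": [
                {"country": r["country"], "recipient": r["name"],
                 "transfer_basis": r["transfer_basis"]} for r in transfers],
            "retention": act["retention"],
            "security_measures": list(act["security"]),
            "unmapped_fields": unmapped,
        })
    return entries


def validate_ropa(entries):
    """Return (activity, message) findings for records that are incomplete."""
    findings = []
    for e in entries:
        a = e["activity"]
        if not e["purpose"]:
            findings.append((a, "missing purpose"))
        if not e["data_subject_categories"]:
            findings.append((a, "no categories of data subjects"))
        if not e["personal_data_categories"]:
            findings.append((a, "no categories of personal data"))
        if not e["retention"]:
            findings.append((a, "missing retention period"))
        if not e["security_measures"]:
            findings.append((a, "no security measures described"))
        for t in e["third_country_transfers"]:
            if not t["transfer_basis"]:
                findings.append((a, f"transfer to {t['country']} ({t['recipient']}) "
                                    "has no documented safeguard"))
        for f in e["unmapped_fields"]:
            findings.append((a, f"field {f} is not in the system inventory"))
    return findings


if __name__ == "__main__":
    for activity, message in validate_ropa(derive_ropa(DATA_MAP)):
        print(f"{activity}: {message}")
```

Run stand-alone, the script prints three findings for the `payroll` activity (undocumented US transfer, missing retention, stale `hr.salary` field) and none for `newsletter`; wiring the same two functions into CI against the real data map is what turns the RoPA from a document someone remembers to update into a report that fails loudly when the inventory drifts.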
