What is the RAT and why does the SPDP require it first
The Activity Treatment Register (RAT) is the formal inventory of all personal data processing operations an organization performs. Under Ecuador's LOPDP it is mandatory — and it is the first document the SPDP requests in any inspection or sanctioning process. Without an updated RAT, compliance cannot be demonstrated.
This article covers Ecuador's LOPDP (Ley Orgánica de Protección de Datos Personales), a regulation specific to Ecuador. The full technical and legal detail is available in the Spanish version of this article — the most complete reference for compliance work in Ecuador.
What the RAT contains
The RAT must document each processing activity with at minimum: the categories of personal data being processed, the categories of data subjects, the processing purposes, the lawfulness basis for each processing operation, the recipients of the data (including international transfers), the retention periods, and the technical and organizational security measures applied.
Why it's the first document the SPDP requests
The RAT is the foundational document of the SGPDP — without it, the SPDP cannot evaluate whether an organization knows what data it holds, why it holds it, or what controls are in place. In practice, any SPDP inspection begins with a request for the RAT. Organizations that cannot produce an updated RAT demonstrate that no real compliance work has been done, regardless of what policies or notices they may have published.
A RAT that was built once and never updated is almost as problematic as not having one. Every time the organization launches a new product, integrates a new vendor, or changes how it processes data, the RAT must be updated. The DataGuard service includes ongoing RAT maintenance as part of the monthly cycle.
Building the RAT: the macroprocess approach
Wiibiq builds RATs using a macroprocess methodology — mapping data flows by business area (HR, sales, operations, customer service, IT infrastructure) rather than trying to list every individual processing activity. This produces a RAT that is both comprehensive and maintainable, and that reflects the actual operational reality of the organization rather than an abstract compliance document.
Common RAT failures
- Built from templates without mapping actual data flows — the RAT looks complete but doesn't reflect what the organization actually does
- Missing vendor ecosystem — third-party processors (cloud providers, CRMs, payroll platforms) often process more personal data than the organization's own systems, but are absent from the RAT
- No lawfulness basis documented per treatment — listing the data categories without documenting the legal basis for each processing operation
- Never updated after initial build — the RAT reflects the organization as it was when it was built, not as it is today
Does your organization have a current RAT?
We evaluate your current RAT (or help you build one from scratch) as part of the DataGuard free diagnosis. Two weeks, no commitment.
Request free RAT evaluation →