What Is A RoPA? Record Of Processing Activities Under Article 30 GDPR (Including Non-EU Companies)

IT and security

User access logs, device management, incident handling

Finance and compliance

Invoicing, fraud checks, audit trails

Product and service delivery

User behaviour metrics, feature improvement, testing

Employee Tiers And Data Subjects To Think About

RoPA works best when you map processing by “who” as well as “what”. You will usually cover:

Applicants (candidates)
Employees, contractors, and secondees
Customers and end users
Prospects and marketing contacts
Suppliers and business contacts
Visitors (sites, events, reception)

This also helps you spot higher-risk categories quickly, such as children’s data, health data, or sensitive identifiers.

Key Obligations At A Glance

• RoPA is a written record (electronic is fine)
  
• No mandatory GDPR template
  
• Must be accurate, current, and usable
• Applies to controllers and processors

A RoPA is your documented inventory of processing. There is no mandated template in the GDPR. You can use Excel, Word, a GRC tool, or a platform export.

That flexibility is helpful, but it also creates confusion. Many teams build a document that looks “official”, yet misses key content.

1. Controller, Processor, Or Both?

Article 30 has two flavours:

Controller RoPA
Records what you decide to do with personal data

Processor RoPA
Records what you do on behalf of clients

Many organisations are both. For example, you act as controller for HR, but processor for customer-hosted data. You may therefore need two views, even if they live in one file.

2. Mandatory Fields Per Processing Activity

Your RoPA should let you understand your processing without guesswork.

Purpose(s)
Categories of data subjects
Categories of personal data
Recipients
International transfers and safeguards
Retention rules
Security measures (high-level)

If you are a processor, also record:

Categories of processing per controller
Transfers made on instruction
Security measures applied

3. Keep It Available And Current

A RoPA is not a one-off spreadsheet created for a questionnaire. It should be part of ongoing governance.

In practice:

• You can produce it quickly when asked
  
• You review it on a regular schedule
  
• You update it when tools, workflows, or features change

A stale RoPA can be worse than none. It signals loss of control.

4. The “Small Company” Exemption (Often Misunderstood)

The under-250 employees exemption is narrow.

It does not apply if processing is:

• Not occasional
  
• Likely to risk rights and freedoms
  
• Involves special category or criminal data

Most modern businesses process personal data continuously. Therefore, most organisations should assume a RoPA is required.

5. Format Flexibility (With One Condition)

You can use:

• Excel
  
• Word
  
• A privacy management platform

The condition: it must be searchable, shareable, and maintainable.

Many teams start with ICO templates. That is sensible, provided they are adapted to the business.

Common Pitfalls

RoPA issues are usually not about effort. They are about structure and ownership.

Treating RoPA as a one-time tick box
Listing systems instead of processing
Using vague purposes
Ignoring processor obligations
Missing international transfers
No retention logic
Incomplete data categories
Forgetting HR and IT processing
No defined owner or update process

A Simple “Good RoPA” Test

Ask yourself:

Could you explain your processing to a customer using only the RoPA?
Could you answer “where does the data go?” in under five minutes?
Could you update it next week if a new vendor is added?

If not, the document needs a rethink.

How To Build A RoPA You Can Maintain

RoPA works when it reflects how your organisation actually operates.

Start With Processing Activities

Group by lifecycle themes:

• Marketing and lead management
  
• Sales and onboarding
• Service delivery and support
  
• HR operations
  
• IT and security
  
• Finance, legal, and compliance

Use A Consistent Level Of Detail

• One activity per row or section
  
• Consistent terminology
  
• Clear, short wording
  
• Define a glossary once.

Link RoPA To Other GDPR Artefacts

Link to:

• Privacy notices
  
• Lawful basis assessments
  
• DPIAs
  
• Security controls
  
• Retention schedules

Set A Sustainable Update Rhythm

• Quarterly review
  

• Change-trigger updates
  

• Define ownership clearly.

How EDPO Helps

EDPO acts as your EU Representative (and/or UK or Swiss representative, where relevant), providing a reliable point of contact for Data Protection Authorities and data subjects.

EDPO does not provide legal advice or run compliance programmes. Responsibility remains with the organisation.

Why RoPA Matters For Representation

Where an EU Representative is required, the representative must cooperate with supervisory authorities.

This includes keeping a copy of the RoPA ready for DPA requests.

Key Take-Aways

RoPA is a core accountability requirement
It applies to most organisations in scope
DPAs may request it at any time
No mandatory format, but usability matters
Representative relationships should include RoPA access

Stay ahead of EU rules.
Need a representative fast? Contact us.