The General Data Protection Regulation obligates, as per Article 30 of the GDPR, written documentation and overview of procedures when personal data is processed. Records of Processing Activities (ROPA) must include information about data processing, including data categories, the group of data subjects, the purpose of the processing and the data recipients. This must be made available to authorities upon request and must be kept as a living document and added to when business processes change involving personal data. 

Our ROPA services provide your organisation with a fully documented ROPA tailored specifically for you, which incorporates all of the requirements from the legislation and which is in line with ICO guidance.

ROPA infographics

why DPAS

experience icon


We have been creating ROPAs and Information Asset Registers for organisations since the GDPR was first introduced and have completed many of them in different industries.

support icon


At DPAS we work with your teams every step of the way in the ROPA process to ensure that we capture all of your business processes and can document all the requirements.

client icon


By outsourcing this service ensures that you are confident your ROPA will be compliant to Article 30 of the GDPR and in line with ICO guidance.

working internationally icon


You can call on us at any time after we complete your project if staff are unsure how to maintain the ROPA or you need assistance with updating it.

  • Dedicated business analyst to create your ROPA from scratch.
  • Access to 6 months software whilst we are creating the ROPA for you (if you choose to use the platform).
  • Training for staff on how to maintain and update the ROPA in the future.
  • Risk plan highlighting actions that need to be completed within each department such as when a DPIA needs to be completed.
  • Delivery of the ROPA onsite to the Board, project leads, information asset owners, data protection manger or similar.

Report on our findings within the ROPA, addressing gaps and risks.

  • Knowledge that your Record of Processing Activity is compliant to the regulations.
  • Saves time for the organisation by using external sources.
  • Ensures every area is captured, specifically around 3rd party suppliers (an area which is often missed).
  • Highlights gaps in compliance, i.e. where Data Processing Agreements have not been agreed or are not in place.
  • Provides the organisation with a full risk plan ensuring there is a suitable solution for any areas of risk.
  • Be confident that you are being advised by an experienced, approachable and adaptable team.
  • Often DPAS can deliver the ROPA in less time than our competitors having done this inmany industries already and having template processes in place, therefore saving you money. 

1.How do you compile the ROPA?

Initially we will ask the organisation (dependant on size) to nominate a data champion in each business area who understands all of the processing in their department. This is normally the manager of the department, but not always. 

We hold a 2-hour training session with the data champions to ensure they understand the basics of the ROPA (as this is a living document) and to ensure they understand the basics of GDPR.

Our business analyst will then sit down with each data champion and ask specific questions. This will help us to understand the business processes involving personal data in each business area and how the data flows.

Our Business Analyst will complete a full ROPA for all of the organisation’s business processing, as per Article 30 of the GDPR. 

2. What does the ROPA contain?  

  • the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
  • the purposes of the processing;
  • the lawful basis for processing;
  • a description of the categories of data subjects and of the categories of personal data;
  • the categories of recipients to whom the personal data have been or will be disclosed,including recipients in third countries or international organisations; 
  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation;
  • where possible, the envisaged time limits for erasure of the different categories of data;
  • where possible, a general description of the technical and organisational security measures 
  • the level of risk to the organisation for each specific business process;
  • highlight if a Data Protection Impact Assessment is required; and,
  • highlight if a Legitimate Interest Assessment is required to be completed.


3. Will you highlight where work is required?We will complete the risk plan and report, detailing where the organisation may be exposed and highlighting any action plans that may need to commence to reduce the risks. For example, highlighting where there is no Data Protection Impact Assessment in place, where there is no Legitimate Interest Assessment in place, or where security safeguards are not in place, and suggesting solutions. 

4. Do we need a ROPA?

Documenting your processing of personal data is a new requirement under the GDPR. It is mainly about keeping internal records of your processing activities. It reflects the increased importance of accountability and your obligation to ensure (and demonstrate) that what you do with people’s personal data is in line with the GDPR. Article 30 sets out the different types of information you need to document including the purposes of processing, categories of personal data and recipients of personal data. Click here For further information.

5. What does the GDPR say about documentation? 

The ICO advise that ‘The accountability principle requires you to demonstrate that your organisation processes personal data in line with the GDPR. To help you do this, you can implement several technical and organisational measures. One such measure is contained in Article 30, which says that an organisation shall:

‘…maintain a record of processing activities under its responsibility.’

There are several specified areas where records must be maintained, such as the purposes of processing personal data, data sharing and retention. This is what we mean by documentation.’

6. Why is it important?

The ICO advises that ‘Documenting your processing activities is important for several reasons. First, it is a legal requirement. Although you do not need to proactively provide these records to the ICO, you may have to make the information available on request, such as for an investigation. As a key element of the accountability principle, documenting your processing activities can also help you to ensure (and demonstrate) your compliance with other aspects of the GDPR. For instance, it can help you with the following things:

  • Drafting your privacy notice– much of the information you have to document is very similar to what you need to tell people in your privacy notice.
  • Responding to access requests– knowing what personal data is held and where it is will help you to efficiently handle requests from individuals for access to their information.
  • Taking stock of your processing activities– this will make it much easier for you to address other matters under the GDPR such as ensuring that the personal data you hold is relevant, up to date and secure.

However, it’s not just about legal compliance with the GDPR; documentation will also help you do the following:

  • Improve data governance– highlighting and addressing data protection matters through documentation will support good practice in data governance. This can give you assurance as to data quality, completeness and provenance.
  • Increase business efficiency– knowing what personal data you hold, why you hold it and for how long, will help you to develop more effective and streamlined business processes.’


7. Why should we use DPAS and not do it ourselves?

DPAS has completed many information audits and created ROPAs for a wide variety of organisations including:

  • Recruitment
  • Utilities
  • Retail
  • Leisure
  • Local Authorities
  • Charities
  • Sports Clubs
  • Universities

As we have the experience within the above industries, we often know the majority of the business processes involved where personal data is contained. We have many templates from a variety of industries meaning we can complete your ROPA quickly and efficiently, costing you less money.

8. How do you price your ROPA projects?

Unlike a lot of consultancies, DPAS offers our customers a fixed cost for a project. That way, the organisation can budget for what is required. If it takes us longer, it doesn’t cost you anymore.