Our ROPA services provide your organisation with a fully documented ROPA tailored specifically for you, which incorporates all of the requirements from the legislation and which is in line with ICO guidance.   

From £495 + vat 

What is ROPA?

The General Data Protection Regulation obligates, as per Art. 30 of the GDPR, written documentation and overview of procedures when personal data is processed. Records of processing activities (ROPA) must include information about data processing, including data categories, the group of data subjects, the purpose of the processing and the data recipients. This must be made available to authorities upon request and must be kept as a living document and added to when business processes change involving personal data. 

Our ROPA services provide your organisation with a fully documented ROPA tailored specifically for you, which incorporates all of the requirements from the legislation and which is in line with ICO guidance.


What is included?

A full data inventory will be completed for each business area (i.e. marketing, procurement, sales, operations etc).

As part of our ROPA services, we provide your organisation not only with a full data inventory, but a lawful basis register, retention schedule and risk plan which are all incorporated in to one document.  


Initially we will ask the organisation (dependant on size) to nominate a data champion in each business area who understands all of the processing in their department. This is normally the manager of the department, but not always. 

We hold a 2-hour training session with the data champions to ensure they understand the basics of the ROPA (as this is a living document) and to ensure they understand the basics of GDPR. 

Our business analyst will then sit down with each data champion and ask specific questions. This will help us to understand the business processes involving personal data in each business area and how the data flows.

Our Business Analyst will complete a full ROPA for all of the organisation’s business processing, as per Article 30 of the GDPR. 

The record will contain all of the following information:


  • the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;

  • the purposes of the processing;

  • the lawful basis for processing;

  • a description of the categories of data subjects and of the categories of personal data;

  • the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;

  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation;

  • where possible, the envisaged time limits for erasure of the different categories of data;

  • where possible, a general description of the technical and organisational security measures 

  • the level of risk to the organisation for each specific business process;

  • highlight if a DPIA is required; and,

  • highlight if a LIA is required to be completed.

We will then complete the risk plan, detailing where the organisation may be exposed and highlighting any action plans that may need to commence to reduce the risks. For example, through highlighting where there is no Data Protection Impact Assessment in place, where there is no Legitimate Interest Assessment in place, or where security safeguards are not in place, and suggesting solutions. 

We will then deliver the completed ROPA to the board (if required), as well as the project lead, risk owners and data champions. 


  • Knowledge that your Record of Processing Activity is compliant to the regulations;

  • Saves time for the organisation by using external sources;

  • Ensures every area is captured, specifically around 3rd party suppliers (an area which is often missed);

  • Highlights gaps in compliance, i.e. where Data Processing Agreements have not been agreed or are not in place;

  • Provides the organisation with a full risk plan ensuring there is a suitable solution for any areas of risk;

  • Be confident that you are being advised by an experienced, approachable and adaptable team;

  • Often DPAS can deliver the ROPA in less time than our competitors having done this in every industry already and having template processes in place, therefore saving you money.


Contact us and find out how our Data Protection services can benefit your company.Before filling in the form please ensure you have read and understood our privacy notice.


10 Oaktree Place, Marsh Barton, Exeter,

Devon EX2 8WA

01392 914019

  • Black LinkedIn Icon
  • Black Facebook Icon
  • Black Twitter Icon

©2019 Data Privacy Advisory Service Ltd. ALL RIGHTS RESERVED


01392 914019

0203 3013384

 Privacy Notice

Please note all information on this website is for your help and guidance. It should not be regarded as an authoritative

or definitive statement of the law.