Skip to content
360 Cyber Compliance

Data protection · 1 July 2026

RoPA explained: your Record of Processing Activities under UK GDPR

A Record of Processing Activities (RoPA) is the foundation of good data protection. It’s a structured record of what personal data you hold and what you do with it — and under UK GDPR most organisations are required to keep one. This guide explains what it is and what to include.

What a RoPA is

A RoPA is a documented inventory of your processing activities: the different ways your organisation uses personal data. Think of it as a map of your data — what you collect, why, where it comes from, who you share it with, and how long you keep it. Article 30 of UK GDPR sets out this requirement.

A good RoPA is more than a compliance document. It’s the starting point for almost everything else in data protection: answering Subject Access Requests, running DPIAs, reporting breaches and writing accurate privacy notices all depend on knowing what data you hold.

Who needs one

The obligation applies to most organisations. There is a limited exemption for organisations with fewer than 250 employees, but it falls away — and so the RoPA becomes required — where your processing:

  • Is not occasional (in other words, it’s routine)
  • Is likely to result in a risk to people’s rights and freedoms, or
  • Involves special-category data (such as health data) or criminal-offence data

Because health and care providers routinely process special-category data, they almost always need a RoPA regardless of size. For the wider picture, see our UK GDPR in healthcare guide.

What to include

UK GDPR specifies what a controller’s RoPA must contain. For each processing activity, record:

FieldWhat it means
Purpose of processingWhy you use the data (e.g. delivering care, payroll)
Categories of individualsWhose data it is (e.g. service users, staff)
Categories of personal dataWhat data (e.g. contact details, health records)
Lawful basisYour UK GDPR basis, plus any special-category condition
RecipientsWho you share it with (e.g. NHS, commissioners, suppliers)
Transfers abroadAny transfers outside the UK, and the safeguards
Retention periodHow long you keep it before secure deletion
Security measuresA general description of your technical and organisational controls

If you act as a processor (handling data on someone else’s behalf), you keep a slightly different, shorter record focused on the controllers you work for and the categories of processing you carry out.

A simple approach to building one

You don’t need specialist software — a well-structured spreadsheet is perfectly acceptable. A practical way to build your RoPA:

  1. List your activities. Walk through what your organisation actually does — recruiting and paying staff, delivering care, handling enquiries, running CCTV, managing suppliers.
  2. Interview the right people. Each team knows the data it handles. Short conversations surface activities you might otherwise miss.
  3. Fill in the fields. For each activity, complete the columns above.
  4. Check your lawful bases. Make sure each activity has an appropriate basis and, for special-category data, a valid condition.
  5. Set retention periods. Decide how long each type of data should be kept and when it’s securely destroyed.

Keeping it alive

A RoPA is only useful if it stays accurate. Review it at least annually, and update it whenever you introduce a new system, supplier or service. Linking RoPA reviews to your other annual tasks — such as the DSPT — helps keep it current without extra effort.

Common mistakes

  • Treating the RoPA as a one-off exercise rather than a living record
  • Missing “hidden” processing such as CCTV, recruitment or marketing
  • Recording consent as the lawful basis by default, even where another basis fits better
  • Leaving retention periods vague or absent

If any of the terms here are unfamiliar, our glossary explains them in plain English.

Why the RoPA is worth the effort

Some organisations see the RoPA as paperwork for its own sake, but it repays the effort many times over. Because it maps exactly where personal data lives, it makes almost every other data protection task faster:

  • When a Subject Access Request arrives, the RoPA tells you where to look.
  • When you plan a new system, it feeds straight into your DPIA.
  • When you write a privacy notice, the purposes, recipients and retention periods are already documented.
  • When a breach happens, you can quickly work out what data and which people are affected.

In other words, the time you invest in a good RoPA is recovered every time one of these situations arises.

Controllers and processors

A quick word on roles, because they shape your RoPA. A controller decides why and how personal data is processed; a processor acts on a controller’s instructions. Most care and health providers are controllers for the data about their service users and staff, but they may also act as a processor for another organisation. If you wear both hats, keep the two records distinct so it’s always clear which role a given activity falls under.

How we can help

Building a complete, accurate RoPA is very achievable, but it takes a methodical look across your whole organisation. We offer a clear, fixed-fee engagement that produces a robust RoPA, checks your lawful bases and retention periods, and supports your team in keeping it up to date. To find out more, explore our data protection service or get in touch for a friendly, no-obligation chat.

Need help in practice? See our Data Protection & UK GDPR service.

Need a hand with this?

Book a free, no-obligation readiness check.