template
Record of Processing Activities (ROPA) Template
An Article 30 ROPA template for UK organisations, mapping each processing activity to its purpose, lawful basis, data categories, recipients and retention.
Related service: Data Protection & UK GDPR
Article 30 of the UK GDPR requires most organisations to keep a Record of Processing Activities (ROPA) — a written record of what personal data you process and why. Complete one row per processing activity (for example “delivering care”, “payroll”, “recruitment”). Replace every [bracketed] field with your own detail. The ROPA is a living document: review it whenever your processing changes and at least annually.
Controller details
- Name of controller: [Organisation name]
- Contact details: [address / email / phone]
- Data Protection Officer (if appointed): [name / contact]
- Joint controllers (if any): [names / contacts]
How to complete the record
For each processing activity, record the fields below. A simple table works well; the headings are listed here so you can build it in your own document or spreadsheet.
| Field | What to record |
|---|---|
| Activity name | [short name for the processing, e.g. “Care planning”] |
| Purpose of processing | [why you process this data] |
| Lawful basis (Article 6) | [e.g. contract / legal obligation / vital interests / legitimate interests / consent] |
| Special category condition (Article 9), if applicable | [e.g. provision of health/social care] |
| Categories of individuals | [e.g. service users, staff, next of kin] |
| Categories of personal data | [e.g. contact details, health records, financial data] |
| Special category / criminal offence data | [yes/no and which] |
| Source of the data | [e.g. collected directly, from GP, from local authority] |
| Recipients | [who you share it with, internal and external] |
| Processors | [suppliers processing on your behalf, with contract reference] |
| Transfers outside the UK | [country and safeguard, or “none”] |
| Retention period | [how long kept, linked to your retention schedule] |
| Security measures | [key technical and organisational controls] |
| Owner | [team or person responsible] |
Example row (delete before use)
- Activity name: Delivering care and support
- Purpose: Planning and providing care to service users
- Lawful basis: Contract; legal obligation
- Special category condition: Provision of health and social care
- Categories of individuals: Service users
- Categories of personal data: Contact details, care needs, health information, medication
- Recipients: GPs, district nurses, commissioning local authority
- Processors: [care planning software supplier], under written contract
- Transfers outside the UK: None
- Retention period: [X years after care ends], per retention schedule
- Security measures: Role-based access, encryption, staff training
Review
- Last reviewed: [date]
- Reviewed by: [name / role]
- Next review due: [date]
Want your ROPA completed accurately and mapped to your systems? We can build and maintain it with you as part of a fixed-fee engagement — see our data protection and GDPR service. For related background, see our information governance guides.