GDPR RoPA Requirements in Ireland and the UK: Compliance Guide and Best Practices
A Record of Processing Activities (RoPA) is the GDPR Article 30 register of how an organisation processes personal data. This guide compares Ireland and UK requirements, explains what a RoPA must contain, and shows how to keep the record current instead of treating it as a static spreadsheet.

What are the RoPA requirements in Ireland and the UK?
A Record of Processing Activities (RoPA) is required under Article 30 of the GDPR — the EU GDPR in Ireland, enforced by the Data Protection Commission (DPC), and the UK GDPR, enforced by the Information Commissioner's Office (ICO). Every controller and processor must keep a written record of its processing that covers the purposes, the categories of data subjects and personal data, recipients, international transfers, retention periods and security measures, and must produce it to the regulator on request. The two regimes are near-identical; the practical work is keeping one register current across both.
RoPA requirements at a glance:
- Legal basis: Article 30 of the EU GDPR (Ireland) and Article 30 of the UK GDPR — a legal obligation, not optional best practice.
- What it must contain: purposes of processing; categories of data subjects and personal data; recipients; third-country transfers and their safeguards; retention periods; and a description of the Article 32 security measures.
- Who must keep one: every controller and processor — the Article 30(5) under-250-employee exemption is narrow and rarely applies in full.
- Who can demand it: the Data Protection Commission (Ireland) and the Information Commissioner's Office (UK), on request.
What is a RoPA under GDPR Article 30?
Article 30 of the GDPR requires organisations to maintain a record of processing activities. While often treated as a static spreadsheet created during a compliance sprint and then forgotten, the RoPA is intended to be a living document. It describes the "who, what, where, when, and why" of data processing.
For organisations operating across the UK and Ireland, the dual regime of UK GDPR and EU GDPR creates a need for careful orchestration, although the core requirements remain largely harmonised.
Is a RoPA a legal obligation?
Yes. Maintaining a RoPA is a legal obligation, not an optional best practice. Article 30 of the EU GDPR (which applies in Ireland) and Article 30 of the UK GDPR both require controllers and processors to keep records of their processing activities. The only relief is the narrow Article 30(5) exemption for some organisations with fewer than 250 employees, and it rarely applies in full because most employee, customer, marketing, and supplier processing is recurring rather than occasional.
- Who it binds: every controller and processor — in Ireland under the EU GDPR and in the UK under the UK GDPR.
- Who can ask to see it: the Data Protection Commission (DPC) in Ireland and the Information Commissioner's Office (ICO) in the UK can request the record, so it must be kept current and produced promptly.
- The exemption is narrow: the Article 30(5) under-250-employee relief falls away for risky, non-occasional, or special-category processing.
Which sources define RoPA requirements?
The primary legal source is Article 30 of Regulation (EU) 2016/679. In Ireland, the Data Protection Commission publishes Records of Processing guidance for Article 30. In the UK, the ICO explains what organisations need to document under Article 30 of the UK GDPR. This guide uses those sources as the reference point for the answers below.
- GDPR Article 30 text
- Data Protection Commission Article 30 guidance
- ICO Article 30 documentation guidance
RoPA template: what fields should it include?
Search demand around RoPA is heavily template-led: teams want to know what the record should contain before deciding whether a spreadsheet is enough. The ICO separates controller and processor records, and Article 30 uses different field lists for each role.
Download an enterprise RoPA template workbook
Use this workbook as a starting point for controller and processor records. It includes separate tabs, Article 30 fields, example rows, review ownership, retention, transfer safeguards, security-measure columns, lookups, and a review log.
| Controller RoPA fields | Processor RoPA fields |
|---|---|
| Controller, DPO, representative, and joint-controller contact details. | Processor, DPO, representative, each controller, and controller representative contact details. |
| Purposes of processing and the categories of data subjects and personal data. | Categories of processing carried out on behalf of each controller. |
| Categories of recipients, including processors and other organisations receiving the data. | Third-country or international-organisation transfers, where applicable. |
| Third-country transfers, safeguards, retention schedules, and security measures. | Applicable transfer safeguards and a general description of technical and organisational security measures. |
What counts as a processing activity?
The most common RoPA implementation problem is granularity. A processing activity is not every individual processing operation, but it should not be so broad that legal basis, retention, recipients, and risk become impossible to assess. Useful entries usually describe a business process or operational purpose.
Examples include recruitment candidate screening, employee payroll, customer support ticket handling, newsletter marketing, fraud monitoring, supplier onboarding, access-control logging, and product analytics. For each activity, the record should explain why personal data is used, whose data is involved, what categories of data are processed, who receives it, where it is transferred, and how long it is kept.
Can small organisations rely on the 250-person exemption?
Article 30(5) contains a limited exemption for organisations with fewer than 250 employees, but the exemption falls away where processing is likely to create risk, is not occasional, or involves special-category or criminal-offence data. In practice, many smaller organisations still need records because employee, customer, marketing, payroll, website analytics, and supplier processing are usually recurring rather than occasional.
Is an Excel RoPA enough?
A spreadsheet can meet the basic format requirement if it contains the Article 30 fields and can be kept accurate. It becomes fragile when the organisation needs entity scoping, controller and processor records, version history, review approvals, supplier links, transfer safeguards, and evidence showing why each field is correct.
Acompli's position is not that spreadsheets are invalid. The issue is control: once a RoPA becomes part of a wider governance process, the record should update from source evidence such as assessments, supplier reviews, data maps, and transfer checks rather than being manually reconciled after the fact.
Comparative Analysis: UK vs. Ireland (EU)
The Article 30 content requirements are effectively identical under EU GDPR (Ireland) and UK GDPR — the same purposes, categories, recipients, transfers, retention and security fields. What differs is the supervisory authority, the maximum penalty, the guidance and template style, and the post-Brexit divergence now under way through the UK's Data (Use and Access) Act 2025.
| Aspect | Ireland (EU GDPR) | United Kingdom (UK GDPR) |
|---|---|---|
| Legal basis | Article 30, EU GDPR (Regulation (EU) 2016/679) | Article 30, UK GDPR, with the Data Protection Act 2018 |
| Supervisory authority | Data Protection Commission (DPC) | Information Commissioner's Office (ICO) |
| Article 30 content fields | Purposes, data-subject and data categories, recipients, transfers, retention, security measures | Identical fields |
| Under-250-employee exemption | Article 30(5) — narrow; falls away for non-occasional or risky processing, or special-category / criminal-offence data | Same Article 30(5) test |
| Maximum administrative fine | Up to €20 million or 4% of global annual turnover (higher tier, Article 83(5)) | Up to £17.5 million or 4% of global annual turnover (DPA 2018, s.157) |
| Guidance style | DPC expects high granularity per processing activity | ICO offers simplified templates for SMEs |
| Recent divergence | EU GDPR baseline (with EDPB guidance) | Reform under the Data (Use and Access) Act 2025 |
1. The Data Protection Commission (DPC) Ireland
As the lead supervisory authority for many major tech firms, the Irish DPC sets a high bar for granularity. A cursory RoPA listing "Marketing" as a single line item is rarely sufficient. The DPC expects to see distinct entries for email newsletters, tracking cookies, lookalike audiences, and loyalty programs, each with their own lawful basis and retention period.
2. The Information Commissioner's Office (ICO) UK
The ICO has historically taken a pragmatic approach, offering simplified templates for SMEs. The requirement for accuracy, however, remains absolute, and the Article 30 record-keeping standard continues to apply under UK GDPR. (The UK's framework has since moved on under the Data (Use and Access) Act 2025 — see the 2026 regulatory developments below.)
Common Pitfalls in RoPA Maintenance
The "Snapshot" Syndrome
Most RoPAs are accurate only on the day they are signed off. As products evolve, vendors are swapped, and retention policies drift, the RoPA fossilises. A stale RoPA is a liability during a breach investigation, as it indicates a lack of visibility.
Granularity Mismatch
Too high-level ("HR Data"), and it's useless for risk assessment. Too granular ("John Smith's CV"), and it becomes unmanageable. The sweet spot is the "Processing Activity"—a distinct business process like "Recruitment Candidate Screening" or "Employee Payroll Administration."
2026 Regulatory Developments
UK: Data (Use and Access) Act 2025 and ICO guidance under review
The UK's Data Protection and Digital Information Bill (DPDI) fell with the dissolution of Parliament in 2024. The Data (Use and Access) Act 2025 is now in force, and the ICO flags its UK GDPR documentation guidance as under review. Until the ICO changes that guidance, organisations operating under UK GDPR should continue to maintain Article 30 controller and processor records using the ICO's published field lists.
Ireland and EU: DPC Enforcement Signals
The DPC continues to function as the lead supervisory authority for major cross-border processors established in Ireland. In 2025 and early 2026, DPC enforcement actions against TikTok (€530m, data transfers) and investigations into AI training data practices have reinforced the expectation that RoPA entries must reflect actual international transfer mechanisms, including supplementary measures and Transfer Impact Assessments. The EDPB's 2026–2027 Work Programme includes a dedicated workstream on AI and data protection, which may produce guidance intersecting with Article 30 obligations — particularly around documenting AI-based processing purposes and the legal bases relied upon.
EU AI Act Intersection with Article 30
The EU AI Act, which entered into force in August 2024 with phased application dates through 2026 and 2027, introduces conformity assessment obligations for high-risk AI systems. Where an AI system processes personal data, the GDPR's Article 30 obligations apply in parallel. Organisations deploying high-risk AI should ensure their RoPA entries document: the specific AI system and its provider, the categories of personal data used for training or inference, the legal basis for AI-driven processing, and any automated decision-making within the meaning of Article 22 GDPR. For how these obligations apply on the Irish and UK timeline, see our EU AI Act in Ireland guide and the EU AI Act compliance module. The governance-first approach to AI compliance that Acompli advocates is designed to capture these intersections systematically.
German Market: BDSG Jurisdiction Overlay
For organisations subject to the German Federal Data Protection Act (BDSG) alongside EU GDPR, Article 30 compliance involves additional jurisdiction-specific requirements. These include structured Löschkonzept (deletion concepts) per data category, DSK-categorised technical and organisational measures (TOMs), and Betriebsrat (works council) consultation tracking. Acompli provides a dedicated German RoPA jurisdiction overlay that activates these additional fields when a processing activity is scoped to a German supervisory authority, producing a seven-sheet Verzeichnis export structured for BfDI or Landesbehörde review.
From Static Register to Dynamic Output
At Acompli, we treat the RoPA not as a form to be filled, but as a downstream output of the operational work being done. The RoPA management module generates Article 30 entries directly from approved assessments, linking each field back to its source evidence.
By generating RoPA entries directly from approved Data Protection Impact Assessments (DPIAs), the record remains synchronised with the reality of the business. When a project updates its data retention settings in a DPIA, the RoPA should surface that change for DPO approval. This “single source of truth” approach prevents the drift that plagues manual spreadsheets.
Conclusion
Whether reporting to the ICO in London or the DPC in Dublin, the principle remains the same: you cannot protect what you cannot see. A dynamic, DPIA-fed RoPA is the most effective way to maintain that visibility at scale.
RoPA requirements FAQ
What is a RoPA under GDPR Article 30?
A Record of Processing Activities (RoPA) is the Article 30 register of how an organisation processes personal data. It records processing purposes, categories of data subjects and personal data, recipients, international transfers, retention periods, security measures, and whether the organisation acts as controller or processor.
Is a RoPA a legal obligation in Ireland and the UK?
Yes. Maintaining a RoPA is a legal obligation under Article 30 of the EU GDPR in Ireland and Article 30 of the UK GDPR in the UK. Both require controllers and processors to keep records of processing activities unless the narrow Article 30(5) exemption applies.
What are the RoPA requirements in Ireland and the UK?
Under Article 30 of the EU GDPR (Ireland, enforced by the DPC) and Article 30 of the UK GDPR (enforced by the ICO), controllers and processors must keep records of processing activities covering the same core fields: purposes, categories of data subjects and personal data, recipients, international transfers, retention periods, and technical and organisational security measures. The content requirements are effectively identical; what differs is the supervisory authority, the maximum fine (up to €20 million or 4% of global annual turnover in Ireland; up to £17.5 million or 4% in the UK), the guidance and template style, and post-Brexit divergence under the UK's Data (Use and Access) Act 2025. The narrow Article 30(5) under-250-employee exemption applies in both, but falls away for non-occasional processing, processing likely to risk individuals' rights, or special-category and criminal-offence data.
Who should complete and maintain a RoPA?
The controller or processor is responsible for maintaining the RoPA, usually with input from privacy, legal, security, IT, HR, procurement, and business process owners. The practical owner is often the DPO, privacy lead, or compliance team, but the record depends on operational evidence from across the organisation.
What must a RoPA contain?
A controller RoPA must record details such as controller contact information, processing purposes, data categories, categories of recipients, international transfers, retention periods, and technical and organisational security measures. Processor records have their own Article 30(2) fields.
What is the difference between a RoPA and a DPIA?
A RoPA is the organisation-wide Article 30 register of processing activities. A DPIA is the Article 35 risk assessment for specific processing that is likely to result in high risk. The RoPA maps processing; the DPIA examines risk and mitigation for higher-risk processing.
Do organisations outside Europe need a RoPA?
A non-European organisation may need Article 30 records if EU GDPR or UK GDPR applies to its processing, for example because it offers goods or services to people in the EU or UK or monitors their behaviour. Local laws outside Europe may also impose equivalent record-keeping duties.
Is there a RoPA template or example?
Yes. A useful RoPA template should separate controller and processor records and include the Article 30 fields: purposes, data categories, data subjects, recipients, transfers, retention periods, and security measures. Acompli provides an enterprise-ready Excel workbook and a CSV fallback on this guide, but the template is only useful if it stays current when systems, suppliers, or processing purposes change.
Can a RoPA be kept in Excel?
Yes. GDPR does not require a specific format, and many organisations start with Excel. The risk is maintenance: spreadsheets become hard to govern once records span multiple entities, processors, systems, transfers, and review cycles.
What counts as a processing activity in a RoPA?
A processing activity is usually a business process or operational purpose involving personal data, such as recruitment, payroll, customer support, newsletter marketing, fraud monitoring, or supplier management. It should be specific enough to support legal basis, retention, recipients, and risk review.
Does a RoPA need to include international transfers?
Yes, where applicable. Article 30 records should document transfers to third countries or international organisations and the safeguards used for those transfers, such as adequacy decisions, standard contractual clauses, or other applicable mechanisms.
Market-specific questions (Germany / France / Netherlands)
Is a record of processing activities (Verzeichnis von Verarbeitungstätigkeiten, VVT) legally required in Germany?
Yes. Article 30 GDPR requires controllers and processors to maintain a record of processing activities (VVT); in Germany this is supplemented by the BDSG. The Article 30(5) exemption for companies with fewer than 250 employees rarely applies in practice, because regular or risky processing and special categories of data are excluded from it. The competent supervisory authority (the BfDI or the relevant state authority) can request the VVT at any time; the Datenschutzkonferenz (DSK) provides uniform guidance and sample forms for this purpose (Kurzpapier Nr. 1).
What must a VVT contain under Article 30 GDPR?
A controller's VVT must contain, among other things, the purposes of processing, the categories of data subjects and personal data, recipients, third-country transfers and their safeguards, erasure periods, and the technical and organisational measures under Article 32. Processors maintain their own record under Article 30(2). Acompli captures these fields in structured form, with version control, approvals, and auditable evidence for the supervisory authority.
How should companies compare VVT or RoPA software?
Assess full coverage of the Article 30 fields for controllers and processors, multi-tenancy for multiple legal entities, version history with reviewer attribution, links to DPIAs and transfer impact assessments, and regulator-ready exports. Acompli connects the VVT to the underlying assessments and systems so that the record reflects the actual processing; AI assists with drafts, and a human approves every entry.
Is the record of processing activities mandatory in France?
Yes. Article 30 of the GDPR requires controllers and processors to keep a record of processing activities. The CNIL provides a template and points out that the Article 30(5) derogation for organisations with fewer than 250 people is very limited, because regular processing, risky processing, and processing of sensitive data are excluded from it. The CNIL can request the record at any time during an inspection.
What must a GDPR record contain under Article 30?
The controller's record must state in particular the purposes, the categories of data subjects and data, the recipients, transfers outside the EU and their safeguards, retention periods, and the technical and organisational measures of Article 32. The processor keeps its own record under Article 30(2). Acompli structures these fields with a version history, approvals, and an export ready for the CNIL.
How do you compare record-of-processing software?
Compare full coverage of the Article 30 fields (controller and processor), multi-entity management, version history with reviewer attribution, the link to DPIAs and transfer impact assessments, and inspection-ready exports. Acompli links the record to the underlying assessments and systems so that it reflects the actual processing; AI assists with drafting and a human validates every entry.
Is a record of processing activities mandatory in the Netherlands?
Yes. Article 30 GDPR requires controllers and processors to keep a record of processing activities. The Autoriteit Persoonsgegevens (AP) points out that the Article 30(5) exception for organisations with fewer than 250 employees is limited in practice, because structural or risky processing and special categories of personal data are excluded. The AP can request the record during an inspection.
What must a record of processing activities contain under Article 30?
The controller's record contains, among other things, the processing purposes, the categories of data subjects and personal data, the recipients, transfers to third countries and their safeguards, the retention periods, and the technical and organisational measures of Article 32. The processor keeps its own record under Article 30(2). Acompli records these fields in structured form, with version control, approvals, and an inspection-ready export.
How do you compare record-of-processing software?
Compare on full coverage of the Article 30 fields (controller and processor), support for multiple legal entities, version history with reviewer assignment, links to DPIAs and transfer impact assessments, and exports that are ready for an inspection by the AP. Acompli connects the record to the underlying assessments and systems so that it reflects the actual processing; AI supports the drafts and a human approves every entry.