RoPA Management

Article 30 records that stay current without a reconciliation exercise

Assessment approvals feed the register. Reviews govern what gets published. Changes propagate when systems, suppliers, or transfers move. Your Article 30 records reflect operational reality — kept current by assessment approvals, review governance, and change propagation.

Acompli ROPA Management Brochure — page 1

View Brochure

The RoPA workflow

From first capture to ongoing maintenance

Each stage adds governance. By the time a record is published, it carries its source evidence, review history, and organisational scope — and stays tied to the assessment work that produced it.

StartChoose your approach

Assessment-linked or import existing

Start from structured assessment work — where Article 30 fields are captured as assessments are completed — or import an existing register from Excel or CSV and move it into a more governed environment.

Teams already maintaining a spreadsheet can import with AI-assisted column mapping that suggests Article 30 field assignments. Preview before committing.

Assessment Templates

DPIAs, LIAs, TIAs — each template pre-tags which questions map to Article 30 fields.

Excel / CSV Import

AI-powered column mapping analyses your headers and suggests Article 30 field assignments.

AI Template Builder

Describe your processing activity — Acompli generates a tailored assessment with RoPA fields pre-tagged.

01Capture

Gather Article 30 fields through structured questions

Assessment templates are configured so the relevant Article 30 information is captured as part of the assessment workflow.

Each question can be tagged to one or more Article 30 fields at template level. When assessors answer questions about legal basis, data categories, retention, recipients, and transfers, those responses become the source material for draft RoPA records.

Legal basisArt. 6 lawful basis and Art. 9 conditions for special categories

Data categoriesPersonal data types processed, including special categories

RecipientsCategories of recipients including processors and third countries

Retention periodsEnvisaged time limits for erasure of different data categories

TransfersInternational transfers and safeguards under Art. 49

Security measuresTechnical and organisational measures under Art. 32

02Draft

Approved assessments become draft RoPA records

Once an assessment is completed and approved, a multi-phase AI extraction pipeline analyses the responses and maps them to Article 30 fields. Each field receives a confidence score indicating extraction quality.

Draft records are prepared as outputs for review — not treated as final by default. Every extracted field links back to the source assessment response for traceability, so reviewers can see exactly where each value came from.

Draft RoPA — Employee Monitoring System

Processing purposeHigh

Lawful basis (Art. 6)High

Data categoriesHigh

Retention periodsMedium

Recipients & processorsLinked

International transfersHigh

Security measures (Art. 32)Medium

Extraction →Multi-phase pipeline maps assessment responses to Article 30 fields with per-field confidence

03Review

Review before anything reaches the register

Draft records enter a dedicated review queue. Reviewers can trace every field back to the assessment response that produced it, adjust values, and approve or request changes before anything is added to the published register.

Changes, review actions, and approvals are recorded so teams can see how a record reached its current form. Only authorised users can approve records for publication, supporting a clearer governance process.

Linked assessment context

Every extracted field traces to the source question and response — reviewers see the evidence, not just the value.

Controlled approval

Only authorised users can approve records for publication. Draft, review, and published states are formally tracked.

Audit trail

Every change, review action, and approval is recorded — see how any record reached its current form.

Record lifecycle

DraftIn ReviewPublishedArchived

04Structure

Entity-scoped records for real operating structures

Processing activities can be scoped by legal entity and operating role — controller, joint controller, processor, or sub-processor — rather than forced into a single flat register.

Organisations that act in both controller and processor capacities can maintain both from a single register. Controller snapshots preserve entity details at the time of approval for historical accuracy.

Legal entity scoping

Activities managed per legal entity. Multi-entity organisations maintain separate registers under a single programme.

Controller and processor roles

Maintain Article 30(1) controller records and Article 30(2) processor records with dedicated fields for each.

Controller snapshots

Entity details preserved at approval time. Historical records reflect the organisational structure when the activity was approved.

05Report

Regulator-ready Article 30 reports on demand

Generate Article 30 reports per entity, by processing role, or across the full programme. Export filtered records when needed for audit, governance reviews, or supervisory authority queries.

Reports are generated from a maintained register with full provenance. Each entry carries its source assessment, extraction confidence, and approval chain.

Controller

Article 30(1) report

Full controller register — purposes, legal bases, categories, recipients, transfers, retention, and security measures.

Processor

Article 30(2) report

Processor register — categories of processing, transfers, and security measures for each controller relationship.

Entity

Per-entity export

Filtered by legal entity for organisations operating across multiple jurisdictions and structures.

Audit

Provenance report

Trace each field to its source assessment, extraction confidence, reviewer actions, and approval chain.

06Maintain

Records update when the business does

When a new assessment is approved, a supplier contract changes, a system is retired, or a transfer safeguard is updated, affected RoPA entries surface for review as changes occur.

Configurable review cycles flag records approaching their review date. When upstream changes affect a published entry, Acompli surfaces it in the review queue with the specific change that triggered it. Every version is preserved, so teams can trace how a record evolved over time.

RoPA

New assessments

System changes

Supplier updates

Transfer reviews

Article 30 governance that keeps pace with the business

Acompli gives your register the governance process it needs to stay current — assessment-fed, review-governed, and structured for real operating models.

Get started →Book a walkthrough