RoPA Software

RoPA Software

AAcompli ResearchUpdated June 202611 min read

RoPA software is the tool a privacy team uses to build, maintain and evidence the Article 30 Records of Processing Activities required by the EU and UK GDPR. The best RoPA software does more than store the register — it derives each entry from approved assessments, records where every value came from, and keeps a named human accountable for every change. That distinction — storage versus provenance — is what separates a tool that passes a demo from one that holds up when a supervisory authority asks to see the record. This guide covers what RoPA software is, why it is a legal requirement, how it actually works, and the criteria that matter when you choose one.

Key takeaways

  • A RoPA is a legal obligation under Article 30 of the EU and UK GDPR; Article 30(1) lists seven mandatory content elements for controllers and Article 30(2) a parallel set for processors.
  • The under-250-employee exemption (Article 30(5)) rarely applies in full — it falls away the moment processing is non-occasional or touches special-category or criminal-offence data.
  • The real test of RoPA software is provenance, not storage: can it show where each value came from, who approved it, and what changed — the questions a DPC or ICO audit asks.
  • The strongest tools keep the register true between reviews by deriving it from approved assessments and surfacing records when the business changes, with a per-transfer Chapter V view after Schrems II (C-311/18).

What is RoPA software?

RoPA software manages the Record of Processing Activities — also called a data processing register, a processing activities register, or simply an Article 30 register — that the GDPR requires every controller and most processors to keep. A spreadsheet can list processing activities, but it stores only what someone last typed. RoPA software treats each activity as a governed record: it carries its purpose, the categories of data and data subjects, recipients, international transfers and safeguards, retention period, security measures and a named owner — and it knows where each of those values came from.

That provenance is the point. When the Data Protection Commission (DPC) in Ireland or the Information Commissioner's Office (ICO) in the UK asks to see the register, the question is not “do you have a document” but “can you show this is true, current, and accountable.” Acompli treats the RoPA as a living governance record rather than a file: approved assessments, supplier changes and transfer reviews feed it through controlled review workflows, so what a regulator inspects matches what the business actually does.

Why do you need RoPA software?

A RoPA is not optional documentation — it is a legal obligation. Article 30 of the EU GDPR (applied in Ireland through the Data Protection Act 2018) and of the UK GDPR requires the record, and Article 5(2) accountability means you must be able to produce it, current and complete, on request. The widely-assumed exemption for organisations under 250 employees (Article 30(5)) rarely applies in practice: it disappears the moment processing is non-occasional — which payroll, customer management and marketing all are — or involves special-category or criminal-offence data.

The reason to use software rather than a spreadsheet is maintenance. A spreadsheet is accurate the day it is written and drifts from then on; a stale register reads to a regulator as weak accountability, not as compliance. RoPA software keeps the record current between reviews, preserves the version history that shows how it got there, and produces the regulator-ready export an audit expects.

How does RoPA software work?

The strongest RoPA software makes the register a downstream output of work you already do, rather than a separate data-entry chore. In Acompli the pipeline runs in four governed stages:

  • Capture: Article 30 fields are gathered through structured assessment questions (DPIAs, LIAs, vendor reviews) tagged to the relevant register fields.
  • Draft: once an assessment is approved, a multi-phase AI extraction pipeline maps the responses to Article 30 fields, with a confidence score on each field and a link back to the source response.
  • Review: draft records enter a review queue where a named person can trace every field to its evidence, then approve, edit or reject it before anything is published.
  • Maintain: when an upstream fact changes — a new assessment, a supplier contract, a retired system, an updated transfer safeguard — the affected records surface for review with the change that triggered them.

This is the honest meaning of “RoPA automation”: automation reduces the typing and the chasing, not the accountability. The AI drafts, classifies and surfaces; a person approves every record, and nothing publishes itself. (See RoPA automation: what it should and shouldn't automate.)

What should RoPA software include?

Whatever the vendor, score a tool against what a supervisory-authority inspection actually tests — not how slick the form looks. The criteria that matter:

  • Full Article 30(1) and 30(2) coverage — both controller and processor record types, with the dedicated fields each requires.
  • Legal-entity scoping — separate records by entity, country and business unit while keeping group-level visibility, with an entity snapshot preserved at approval time.
  • Evidence traceability — every field links back to the assessment, contract or system that produced it, so a claim can be substantiated, not just asserted.
  • Reviewer-attributed version history — what changed, who changed it, who approved it, and when.
  • A Chapter V transfer view — per transfer, the mechanism (SCCs, adequacy, derogation), the linked Transfer Impact Assessment and supplementary measures, after Schrems II (C-311/18).
  • A self-contained export — a record the DPC or ICO can read without a login to your platform.
  • Jurisdiction overlays as a rigour signal — the ability to distinguish EU GDPR, UK GDPR (and, where relevant, the German BDSG) correctly on one register is granularity a single-regime tool cannot claim.

For a structured side-by-side of the tool categories against these criteria, see RoPA software compared: what to look for.

Key capabilities to expect

  • Centralised Article 30(1)/(2) records — one governed register for controller and processor activities.
  • Lawful-basis & retention documentation — Article 6/9 basis and envisaged retention captured per activity.
  • Schrems II transfer visibility — each transfer linked to its Chapter V safeguard and TIA.
  • Reviewer-attributed version history — a defensible change and approval trail.
  • Audit-ready exports — self-contained records for a DPC or ICO request.
  • Source-evidence traceability — every field linked to the assessment that produced it.

Who needs RoPA software?

Any organisation that processes personal data on more than an occasional basis needs a RoPA, and in practice that is almost all of them. Controllers need an Article 30(1) record; processors need an Article 30(2) record for the processing they carry out on behalf of each controller. Smaller organisations are not meaningfully exempt — the Article 30(5) carve-back is narrow — and larger groups need entity-scoped records so each subsidiary can answer its own supervisory authority. RoPA software scales that from a single entity to a multi-entity group on one register. See the Acompli RoPA management module for how the register works in the platform, and the RoPA requirements guide for Ireland and the UK for the underlying legal detail.

Common questions about RoPA software

What is Record of Processing Activities (RoPA) software?

RoPA software is the tool a privacy team uses to build, maintain and evidence the Records of Processing Activities required by Article 30 of the EU and UK GDPR. Rather than store the register in a spreadsheet, it treats each processing activity as a governed record — with its purposes, data categories, recipients, transfers, retention and security measures — and keeps a named owner accountable for every change. In Acompli, those records are derived from approved assessments and stay traceable to the evidence behind them.

Why do businesses need RoPA software?

Almost every organisation needs a RoPA because Article 30 of the EU and UK GDPR makes it a legal obligation, and a supervisory authority can request the record on demand. RoPA software keeps that record current and audit-ready instead of relying on a spreadsheet that drifts out of date between reviews — which a regulator reads as weak accountability under Article 5(2).

How does RoPA software work?

Good RoPA software turns the register into a downstream output of work you already do. In Acompli, approved assessments (DPIAs, LIAs, vendor reviews) are read by a multi-phase AI extraction pipeline that drafts Article 30 fields with a confidence score and a link back to the source response; a named reviewer approves, edits or rejects each draft before it reaches the published register. The AI drafts and classifies; a person approves — nothing publishes itself.

What features make the best RoPA software?

Score tools on what a supervisory-authority inspection actually tests: full Article 30(1) controller and 30(2) processor field coverage, legal-entity scoping for groups, evidence traceability from each field back to its source assessment, reviewer-attributed version history, a Chapter V transfer view that holds the Schrems II safeguards, and a self-contained export the regulator can read without logging into your platform. A tool that only exports a flat spreadsheet passes a demo and fails an audit.

What is the difference between RoPA software and a spreadsheet?

A spreadsheet stores what someone last typed; a governed register knows where every value came from. RoPA software keeps each field's source assessment, extraction confidence and approval chain, preserves every version, and surfaces records for review when the business changes — the things a shared file cannot do, and the first things a DPC or ICO auditor asks about.

Is RoPA software the same as a data processing register or an Article 30 register?

Yes — a RoPA register, a data processing register, a processing activities register and a GDPR Article 30 register are all names for the same record that Article 30 requires. RoPA software is the tool that maintains it as a governed register rather than a static file.

Is RoPA software suitable for organisations of all sizes?

Yes. Organisations of every size need a RoPA because the Article 30(5) under-250-employee exemption rarely applies in full — most employee, customer and supplier processing is recurring rather than occasional, and any special-category or criminal-offence data removes the relief. Acompli scopes the register from a single legal entity up to a multi-entity group, with per-entity exports so each subsidiary can answer its own supervisory authority.

Does RoPA software handle both controller and processor registers?

It should. Article 30(1) requires a controller record and Article 30(2) requires a parallel processor record with its own fields. Acompli maintains both record types on one platform, scoped by legal entity and operating role (controller, joint controller, processor, sub-processor), and preserves an entity snapshot at approval time so historical records reflect the structure that existed when the activity was approved.

Primary sources

  1. GDPR Article 30 (EUR-Lex, Regulation (EU) 2016/679)
  2. DPC — Records of Processing (Article 30) Guidance
  3. ICO — What do we need to document under Article 30?

Related research

RoPA Software Compared

How to choose an Article 30 tool — the criteria a supervisory-authority inspection tests.

Read article →

RoPA Requirements: Ireland & UK

Article 30 requirements under the EU and UK GDPR, with the DPC and ICO compared.

Read article →

Article 30 (RoPA) Template

The mandatory controller and processor fields, as a usable Article 30 template.

Read article →

See also: RoPA Management module · How to create a RoPA · RoPA examples · Assessments

Book a RoPA software demo →