Record of Processing Activities · GDPR Article 30

RoPA software that keeps Article 30 records linked to the work behind them

Build, maintain and evidence your Article 30 register without living in a spreadsheet. Every record stays connected to the approved assessments, systems, suppliers, transfers and review history that justify it.

Owners, review dates, version control and audit-ready exports — for every processing activity, in every legal entity.

Acompli RoPA register screen showing Article 30 processing records, data category breakdown and record status overview.
The RoPA workflow

From first capture to ongoing maintenance

Each stage adds governance. By the time a record is published, it carries its source evidence, review history, and organisational scope — and stays tied to the assessment work that produced it.

01Choose approach
02Capture
03Draft
04Review
05Structure
06Report
07Maintain

Capture & link

Capture Article 30 fields from structured assessment work or import existing registers.

  • Assessment templates pre-tag DPIAs, LIAs and TIAs to Article 30 fields.
  • Excel, CSV and SharePoint imports bring legacy registers under control.
  • AI column mapping suggests field mapping and data types before commit.

Draft & extract

AI extracts and structures Article 30 information from approved assessments.

Confidence scores show what is complete and what needs review.

Review & structure

Review drafts in context, adjust values and approve before publication.

  • Linked context traces every field to the source assessment response.
  • Role-based approvals keep draft, review and published states controlled.
  • Version control shows what changed, who changed it and when.

Report & maintain

Keep records current as your business changes.

  • Regulator-ready exports support Article 30(1), 30(2), per-entity and provenance reports.
  • System and supplier updates propagate changes to affected records.
  • Transfer reviews safeguard renewal and expiry monitoring.

Detailed stage walkthrough

StartChoose your approach

Assessment-linked or import existing

Start from structured assessment work — where Article 30 fields are captured as assessments are completed — or import an existing register from Excel or CSV and move it into a more governed environment.

Teams already maintaining a spreadsheet can import with AI-assisted column mapping that suggests Article 30 field assignments. Preview before committing.

Assessment Templates

DPIAs, LIAs, TIAs — each template pre-tags which questions map to Article 30 fields.

Excel, CSV & SharePoint import

Import from an Excel document, CSV, or directly from SharePoint, OneDrive, or Google Drive. AI-powered column mapping suggests Article 30 field assignments.

AI Template Builder

Describe your processing activity — Acompli generates a tailored assessment with RoPA fields pre-tagged.

Article 30 lineage

Article 30 fields are assembled from governed sources

This shows the technical difference between a RoPA spreadsheet and a defensible register: purpose, lawful basis, recipients, transfers and retention stay linked to approved source records.

Technical infographic showing RoPA field lineage from DPIA, LIA, vendor, data map, location and retention sources into Article 30 published records.

Maintenance loop

A live register reopens when source facts change

This makes the maintenance problem visible: supplier updates, system changes, transfer safeguard expiry and new assessments all need to reopen the affected Article 30 records for review.

Technical infographic showing RoPA maintenance triggers, impact checks and affected records for vendor, system, transfer and assessment changes.

The Article 30 answer

What is Record of Processing Activities (RoPA) software?

RoPA software is the tool a privacy team uses to build, maintain and evidence the Records of Processing Activities required by Article 30 of the EU and UK GDPR. It replaces the static spreadsheet with governed records: each processing activity carries its purpose, data categories, data subjects, recipients, international transfers and safeguards, retention period, security measures and a named owner.

What separates RoPA software from a spreadsheet is provenance: Acompli treats the register as a living governance record where every field knows where it came from and who approved it. Approved assessments, supplier changes, data-mapping updates and transfer reviews feed it through controlled review workflows — so what the DPC or ICO inspects matches what the business actually does. For the full category guide, see RoPA software: what it is, how it works, and what to look for.

Key takeaways

  • A RoPA is legally required for almost every controller and processor — Article 30 of the EU GDPR (in Ireland via the Data Protection Act 2018) and of the UK GDPR. The under-250-employee exemption rarely applies in practice.
  • Keep it current and complete — to the DPC and ICO, a stale spreadsheet reads as weak accountability. Version control, named owners and approvals are what make the record defensible.
  • Records should stay connected to the systems, vendors, assessments, risks and retention decisions behind them, not copied between tools.
  • Multi-entity structure matters where one group spans several legal entities, countries or processing owners.
Demonstrate accountabilityShow how data is processed, why and where.
Save timeNo spreadsheets or manual reconciliation.
Reduce riskFewer gaps, fewer compliance surprises.
Audit-readyExports, provenance and audit trails built in.

What Acompli includes

What should RoPA software include?

A strong RoPA platform should make the record easier to maintain and easier to defend. Acompli focuses on multi-entity ownership, a structured processing directory, role-based collaboration, audit trails, exports, data-map linkage, and connections to DPIAs, TIAs, risk reviews and mitigation actions.

Last reviewed: 11 June 2026. Read the canonical answer surface: RoPA requirements guide for Ireland and the UK.

Primary sources

Multi-entity management

Separate records by legal entity, country, business unit or operating function while keeping group-level visibility.

Version control and review history

See what changed, who changed it, who approved it and when the record was last reviewed.

Audit trail and exports

Export regulator-ready records and keep evidence of review, approval and updates.

Data map and assessment linkage

Use systems, vendors, recipients, retention, purposes and approved assessments to keep processing records current.

Roles and permissions

Control who can edit, approve and publish records across entities, teams and operating roles.

Retention and transfer linkage

Keep retention decisions, Chapter V safeguards and transfer review dates attached to the records they affect.

Recent Article 30 and accountability updates

Regulatory signals that affect records of processing

Recent enforcement, transfer and accountability updates often come back to the same question: can the organisation show what it processes, why and where?

RoPA FAQ

RoPA questions answered

Short answers for Article 30, RoPA maintenance, format, DPIA linkage, imports, and processor records.

What is RoPA software?

RoPA software is the tool a privacy team uses to build, maintain and evidence the Records of Processing Activities required by Article 30 of the EU and UK GDPR. In Acompli, each processing activity is a governed record: its fields are drafted from approved assessments, reviewed and approved by a named owner, and exportable for a DPC or ICO audit with the version history attached.

How should you choose RoPA software?

Choose RoPA software by the quality of the register it maintains, not just by how it stores rows. For Irish and UK privacy teams, the tool should cover Article 30(1) controller records and Article 30(2) processor records on one platform, scope records by legal entity, preserve reviewer-attributed version history, show Chapter V transfers with linked Transfer Impact Assessments, and export records that stay traceable to the source assessment behind every field. Acompli is built for this: Article 30 fields are drafted from approved assessments and supplier records with a confidence score on each, a named owner reviews and approves before anything publishes, and the approval chain travels with the record.

What does RoPA automation software actually automate?

In Acompli, automation means the register maintains itself between reviews. Article 30 fields are drafted from approved DPIAs and supplier records with a confidence score on each extracted field, and when an upstream fact changes - a new assessment is approved, a supplier contract changes, a system is retired, a transfer safeguard is updated - the affected records surface in a review queue with the change that triggered them. A person approves every update; nothing publishes itself.

How does RoPA software help with GDPR Article 30?

It maintains both registers the law describes: Article 30(1) controller records and Article 30(2) processor records, each with the dedicated fields the DPC and ICO expect - purposes, data categories, recipients, international transfers and safeguards, retention and security measures. Acompli generates these reports per legal entity, by processing role, or across the whole programme, with every field traceable to the assessment that produced it.

What should RoPA software include?

Look for both Article 30(1) and 30(2) record types, legal-entity scoping, reviewer-attributed version history, a transfer view that holds Schrems II safeguards, links from each record to the assessments and suppliers behind it, and regulator-ready exports. Acompli also preserves an entity snapshot at approval time, so historical records reflect the organisational structure that existed when the activity was approved.

How is RoPA software different from a spreadsheet?

A spreadsheet stores what someone last typed; a governed register knows where every value came from. In Acompli each field carries its source assessment, extraction confidence and approval chain, every version is preserved, and records flag themselves for review when the business changes - the things a shared file cannot do, and the first things a DPC or ICO auditor asks about.

More detailed questions

Article 30 governance that keeps pace with the business

Acompli gives your register the governance process it needs to stay current — assessment-fed, review-governed, and structured for real operating models.