UK GDPR fundamentals · Article 30

Records of Processing Activities (ROPA)

Updated April 2026 · UK GDPR Article 30 · ICO aligned

The Article 30 Record of Processing Activities is the primary accountability document under UK GDPR — an internal inventory of every processing activity carried out by an organisation. It is typically the first document the ICO requests in any investigation. Without it, demonstrating accountability is nearly impossible.

How to read this guide. This guide explains statutory requirements and regulatory expectations derived from UK GDPR, DPA 2018, and ICO published guidance. It does not determine compliance in any specific case. Where we write “UK GDPR requires” we cite statute. Where we write “the ICO expects” or “the ICO has indicated” we cite regulatory guidance, which is not identical to a statutory obligation. Both matter — but they are different things.

What the ROPA is

The Record of Processing Activities (ROPA) is a documented inventory of every processing activity carried out by an organisation. Article 30 of UK GDPR requires controllers to maintain this record in writing. It is not a public document but must be made available to the ICO on request. An organisation that cannot produce a ROPA, or that produces one clearly out of date, is demonstrating that accountability has not been taken seriously.

Source: UK GDPR Article 30; ICO accountability guidance

Who must maintain a ROPA

Article 30(5) provides a partial exemption for organisations with fewer than 250 employees — they are not required to maintain a ROPA unless processing is likely to result in risk to rights and freedoms, the processing is not occasional, or it includes special category or criminal conviction data. In practice, most organisations processing employee, customer, or any non-ad-hoc data fall outside this exemption. The ICO recommends all organisations maintain a ROPA regardless of size.

What the ROPA must contain

For controllers, Article 30(1) requires the ROPA to contain: the name and contact details of the controller and DPO (where applicable); the purposes of the processing; a description of categories of data subjects and personal data; the categories of recipients; details of transfers to third countries; the envisaged time limits for erasure; and a general description of technical and organisational security measures. The lawful basis for each processing activity should also be documented.

Source: UK GDPR Article 30(1)

The ROPA is typically the first document the ICO requests. An organisation that cannot produce one promptly is already demonstrating an accountability failure.

Processor ROPA

Organisations acting as data processors must maintain a separate ROPA under Article 30(2) for processing carried out on behalf of each controller, including the controller’s details, categories of processing performed, and security measures. Organisations that are both controllers and processors must maintain two separate records.

Format and maintenance

The ROPA must be kept up to date. When processing activities change — new systems, new third parties, new purposes — the ROPA must be updated. A ROPA that accurately reflected processing two years ago but has not been reviewed since is not compliant. At minimum, an annual review is recommended with ad hoc updates when changes occur.

Record this. Maintain the ROPA, date each entry and update, and keep previous versions. The ICO will use gaps or inaccuracies in the ROPA as evidence of accountability failures.

Not legal advice. This guide is derived from UK GDPR (Data Protection Act 2018 / DUAA 2025) and ICO published guidance as at April 2026. Obligations are subject to change. Consult a qualified solicitor or data protection practitioner for advice specific to your organisation.