ROPA Template

Article 30 of the UK GDPR requires most controllers and processors to maintain a Record of Processing Activities (ROPA). It is an internal document. The ICO can request to see it, but it is not published. It is the working evidence that the organisation knows what personal data it processes and why.

Why the ROPA matters more than it looks

The discipline of completing the ROPA the first time is often more valuable than the document itself, because it surfaces processing activities the organisation had forgotten about.

A ROPA that is up to date is a sign of a functioning data protection programme; one that is not is the opposite.

The template provides the structure: processing activities, purposes, lawful bases, categories of data subject, categories of personal data, recipients, retention periods, and security measures.

Example: a typical scope and fixed fee

For a UK business needing a working ROPA, the typical scope looks like this.

What's included

• A consultation to understand your data processing activities
• A ROPA template pre-populated with your key processing activities, data categories, lawful bases, and retention periods
• Guidance notes on how to maintain and update the ROPA going forward

What's outside this scope

• Ongoing ROPA maintenance
• Data protection officer services
• Tax advice

Fixed fee: £295, no VAT.

How I will approach your matter

Once you have instructed me, I will take the time to understand your data processing activities and pre-populate the template with your key processing activities, data categories, lawful bases, and retention periods. You will receive guidance notes on how to maintain and update the ROPA going forward.