GDPR · Article 30

The ROPA template you actually keep up to date.

Free and aligned to Article 30. Plus the live version, for when the spreadsheet starts drifting from how the business really processes data.

Download free template (CSV) Build it live in ROPAi →
Article 30(1) & 30(2) UK & EU GDPR Six pre-filled examples
Quick refresher

It's the written log of what you do with personal data, and why.

Every controller (and most processors) needs one under Article 30. The format is up to you. The content isn't.

Download template
Article 30(4): ICO can request it any time
GDPR · ARTICLE 30
Required by
GDPR Article 30
Owned by
The controller (you)
Updated when
Processing changes
Read by
The ICO, on request
Should always be current
Required content

Eight things every controller's ROPA needs.

Article 30(1). Processors have a shorter list of five fields, included in the template.

Get the template (CSV) Build it live in ROPAi →
Each field maps to a column in the template
Article 30(1) fields
Controller
01Controller details
02Purposes
03Data subjects
04Data categories
05Recipients
06Transfers
07Retention
08Security measures
60-second self-check

How healthy is your current ROPA?

Six yes/no questions, scored against Article 30. Nothing is sent or stored.

1 of 6
Loading…
Be honest. Nothing leaves your browser.
Method

How to build a ROPA in five steps

Works whether you're starting from zero or rebuilding a register that's drifted.

List activities, not systems

Start from what the business does (payroll, support tickets, hiring), not a list of SaaS tools. One activity can span several systems.

Capture the Article 30 fields

Use the template as the column layout. Every column maps to a specific Article 30 requirement.

Flag Chapter V transfers

Mark every activity where data leaves the UK or EEA. Record the safeguard (UK IDTA, EU SCCs, adequacy) and any TIA on file.

Link DPIAs and LIAs

High-risk activities trigger a DPIA. Activities using Art. 6(1)(f) need an LIA. The ROPA is the index; assessment docs hang off it.

Set a review cadence

High-risk every 6 months, lower-risk annually. A new vendor or purpose triggers an out-of-cycle review.

Format choice

Spreadsheet vs. ROPAi

Both meet the legal minimum. They diverge on what happens next.

Capability
Spreadsheet
ROPAi
Meets Article 30 minimum
Yes
Yes
AI activity capture
Manual
Plain-English interview
Surfaces stale entries
You have to remember
Pulse flags drift automatically
Links DPIAs, LIAs and transfers
~Manual cross-reference
One register, one source
Chapter V transfer evidence
Separate document
Data Flow Atlas built in
Survives a vendor change
Only if someone remembers
Change triggers a review prompt
FAQ

Questions DPOs ask before picking a format

Is a ROPA legally required?
Yes, for almost every organisation. Article 30 applies if processing isn't occasional, involves special category data, or could affect data subjects' rights, which covers most modern operations. The under-250-staff exemption rarely applies in practice.
Can I use a spreadsheet?
Yes. Article 30 doesn't require any particular format. Spreadsheets work at the start. They tend to break as the organisation grows: ownership becomes unclear, retention periods go stale, vendor changes get missed. The format isn't the problem. The upkeep is.
How often should I review it?
Per activity, based on risk. High-risk activities every 6 months. Lower-risk annually. A new vendor or new purpose should trigger an out-of-cycle review regardless of cadence.
Does the ICO ask to see ROPAs?
Yes. Under Article 30(4) you must produce it on request. ICO investigations often begin with a request for the ROPA, and an out-of-date record is a flag for further scrutiny.

Start with the template. Move to the live version when it bites.

The spreadsheet gets you compliant. ROPAi keeps you there.

Download template (CSV) Join the waitlist