← All posts

GDPR Article 30: How to Build a Record of Processing Activities

Article 30 of the GDPR requires every organisation acting as a data controller or processor to maintain a Record of Processing Activities (ROPA): a documented inventory of the personal data you process, why you process it, who you share it with, where it goes, and how long you retain it.

It has been a legal requirement since 25 May 2018. Most Irish SMEs still do not have one.

This guide explains who needs a ROPA, what it must contain, the narrow exemption that applies, and how to build yours in a structured way.

Who Needs a ROPA?

The default position is that all organisations acting as data controllers or processors must maintain a ROPA. Article 30(5) provides a limited exemption for organisations with fewer than 250 employees, but only where all three of the following hold for the processing in question:

  • It is not likely to result in a risk to the rights and freedoms of individuals
  • It is only occasional, not carried out on a regular basis
  • It does not involve special category data (racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health, sex life or sexual orientation) or criminal conviction and offence data

In practice, this exemption covers very few businesses, and it is assessed per processing activity rather than for the organisation as a whole. Any organisation that processes employee personal data, customer records, or marketing contact information on a regular basis falls outside it for those activities and must record them, even if some other, genuinely occasional processing is exempt. If you are unsure whether the exemption applies, assume it does not.

What Must a ROPA Contain?

Article 30(1) specifies the minimum content of a controller's record (a processor's record under Article 30(2) is narrower: the processor's and each controller's details, the categories of processing carried out for each controller, transfers, and security measures). For each processing activity, a controller must document:

1. Controller and DPO contact details The name and contact details of your organisation, of any joint controller, and, where applicable, of your representative in the EU and of your Data Protection Officer if one has been appointed.

2. Purposes of the processing Why you are processing this data. Each distinct purpose requires a separate entry — payroll, customer communications, and website analytics are different purposes and should not be grouped.

3. Categories of data subjects and personal data Who the data belongs to (employees, customers, job applicants, website visitors) and what types of data are involved (names, email addresses, financial information, health data). Flag special category and criminal conviction data explicitly, since they change the lawful basis analysis and are a DPIA trigger.

4. Categories of recipients Every category of third party that receives the data, including recipients in third countries or international organisations: cloud services, payroll bureaus, CRM platforms, analytics tools, marketing agencies. Your own processors count as recipients, so every supplier that touches the data belongs here.

5. Third country transfers Where data leaves the EEA, document the destination country or international organisation and the transfer mechanism relied on: an adequacy decision (including the EU-US Data Privacy Framework for certified US recipients), Standard Contractual Clauses with a transfer impact assessment, Binding Corporate Rules, or one of the Article 49 derogations. Remote access from outside the EEA, for example by a supplier's support team, is a transfer too.

6. Retention periods How long each category of data is held before deletion or anonymisation. Where a legal retention requirement exists (employment, tax and accounting records), cite the provision that sets the period; where none does, record the business justification, because the storage limitation principle in Article 5(1)(e) still applies.

7. Technical and organisational security measures A general description of the Article 32 controls protecting this data: what is encrypted (at rest, in transit, and to which standard), who can access it and how that access is granted and reviewed, pseudonymisation, logging and backups, staff training, and physical security where relevant. Describe what is actually in place rather than what is planned; after a breach, the record will be compared against reality.

Building Your ROPA: Step by Step

Step 1 — Data mapping Before you can document what you process, you need to know what you hold. Go department by department — HR, finance, sales, operations, IT — and identify every system, spreadsheet, shared mailbox, and cloud service containing personal data. Then check that list against what IT can actually see (SSO logs, expense claims for SaaS subscriptions) to catch services a department signed up for on its own.

Step 2 — Document purposes and lawful bases For each processing activity, record why it occurs and the Article 6(1) lawful basis you rely on: consent, contract performance, legal obligation, vital interests, public task, or legitimate interests (with a documented balancing test for the last). For special category data, also identify the Article 9(2) condition. Article 30(1) does not itself list the lawful basis, but recording it alongside each activity is standard practice and feeds directly into your privacy notices.

Step 3 — Map recipients and transfers List every third party that receives data from each processing activity. If any transfers occur outside the EEA, including remote access by a supplier's staff, document the destination and the mechanism relied on.

Step 4 — Set retention periods Establish how long each category of data is held. Where no specific legal retention period applies, document the business reason for the period chosen, and make sure a process or system actually deletes the data when the period expires; a retention period that nothing enforces is a finding waiting to happen.

Step 5 — Record security measures Note the controls protecting each activity. The description need not be exhaustive, but it must be specific enough to show the controls are proportionate to the risk; "industry-standard security" is not a description.

Step 6 — Keep it current A ROPA is a living document. Update it when processing activities change, new systems are introduced, or new suppliers are engaged, and hook those updates into the processes that already track such events (change management, procurement, vendor onboarding) rather than relying on memory. Build a formal review into your annual data protection programme, and keep a change history so you can show what the record said on a given date.
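The content list above and the six steps together describe a data inventory with required fields and a few consistency checks, which is easiest to keep current when it is held as structured data rather than prose. The following is an added example, not code from the original post or from ShieldIQ, of a minimal machine-readable register in Python: one record per processing activity, a validator that reports which Article 30(1) fields are still missing (plus the Article 9 and transfer-mechanism checks from Steps 2 and 3), the Article 30(5) exemption test applied across the register, and a CSV export. The controller details, the two activities and their retention periods are constructed sample data; the EEA country list and the six Article 6(1) lawful bases are the real ones.

```python
"""Machine-readable ROPA: one record per processing activity, validated against the
Article 30(1) content list, with the Article 30(5) exemption test and a CSV export.
Added example, not the page's or ShieldIQ's code; the sample register is constructed."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# EU member states plus Iceland, Liechtenstein and Norway (ISO 3166-1 alpha-2).
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE", "IT",
       "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE", "IS", "LI", "NO"}
# The six Article 6(1) lawful bases.
LAWFUL_BASES = {"consent", "contract", "legal obligation", "vital interests",
                "public task", "legitimate interests"}


@dataclass
class Transfer:
    recipient: str
    country: str          # ISO alpha-2 code of the destination
    mechanism: str = ""   # e.g. "adequacy decision", "SCCs"; blank = undocumented


@dataclass
class Activity:
    name: str
    purpose: str                      # Art 30(1)(b)
    data_subjects: list[str]          # Art 30(1)(c)
    data_categories: list[str]        # Art 30(1)(c)
    recipients: list[str]             # Art 30(1)(d)
    transfers: list[Transfer]         # Art 30(1)(e)
    retention: str                    # Art 30(1)(f)
    security_measures: list[str]      # Art 30(1)(g)
    lawful_basis: str = ""            # Art 6(1); not in Art 30(1) but recorded alongside
    special_category: bool = False    # Art 9 (or Art 10 criminal) data present
    article9_condition: str = ""      # Art 9(2) condition relied on, if any
    occasional: bool = False          # Art 30(5) inputs: only occasional processing?
    likely_risk: bool = False         # ... likely to risk rights and freedoms?


def validate(a: Activity) -> list[str]:
    """Return the gaps in one activity's record; an empty list means it is complete."""
    gaps: list[str] = []
    required = [
        (a.purpose, "purpose (Art 30(1)(b))"),
        (a.data_subjects, "categories of data subjects (Art 30(1)(c))"),
        (a.data_categories, "categories of personal data (Art 30(1)(c))"),
        (a.recipients, "categories of recipients (Art 30(1)(d))"),
        (a.retention, "retention period (Art 30(1)(f))"),
        (a.security_measures, "security measures (Art 30(1)(g))"),
    ]
    for value, label in required:
        if not value:
            gaps.append(f"{label} missing")
    if a.lawful_basis not in LAWFUL_BASES:
        gaps.append(f"lawful basis {a.lawful_basis!r} is not one of the six Art 6(1) bases")
    if a.special_category and not a.article9_condition:
        gaps.append("special category data without an Art 9(2) condition")
    for t in a.transfers:
        if t.country not in EEA and not t.mechanism:
            gaps.append(f"transfer to {t.recipient} ({t.country}) has no documented mechanism (Art 30(1)(e))")
    return gaps


def exemption_applies(headcount: int, activities: list[Activity]) -> bool:
    """Art 30(5): fewer than 250 staff AND every activity is occasional, low-risk and free of
    Art 9/10 data. A single regular activity (payroll, CRM) is enough to lose the exemption."""
    if headcount >= 250:
        return False
    return all(a.occasional and not a.likely_risk and not a.special_category for a in activities)


def to_csv(controller: dict[str, str], activities: list[Activity]) -> str:
    """Flatten the register into one CSV row per activity; list fields are '; '-joined."""
    cols = ["controller", "dpo_contact", "activity", "purpose", "lawful_basis", "data_subjects",
            "data_categories", "recipients", "transfers", "retention", "security_measures"]
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=cols)
    w.writeheader()
    for a in activities:
        w.writerow({
            "controller": controller["name"], "dpo_contact": controller["dpo_contact"],
            "activity": a.name, "purpose": a.purpose, "lawful_basis": a.lawful_basis,
            "data_subjects": "; ".join(a.data_subjects),
            "data_categories": "; ".join(a.data_categories),
            "recipients": "; ".join(a.recipients),
            "transfers": "; ".join(f"{t.recipient}/{t.country}/{t.mechanism or 'UNDOCUMENTED'}"
                                   for t in a.transfers),
            "retention": a.retention, "security_measures": "; ".join(a.security_measures),
        })
    return buf.getvalue()


# Constructed sample register for a hypothetical Irish SME (names and periods are assumptions).
CONTROLLER = {"name": "Example Ltd", "dpo_contact": "dpo@example.ie"}
PAYROLL = Activity(
    name="Payroll", purpose="Pay staff and report to Revenue",
    data_subjects=["employees"], data_categories=["name", "PPSN", "bank details", "sick-leave records"],
    recipients=["payroll bureau (IE)"], transfers=[],
    retention="6 years after the tax year (assumed statutory period; confirm with your adviser)",
    security_measures=["TLS in transit", "AES-256 at rest", "role-based access", "MFA"],
    lawful_basis="legal obligation", special_category=True,
    article9_condition="Art 9(2)(b) employment law",
)
ANALYTICS = Activity(
    name="Website analytics", purpose="Measure site usage",
    data_subjects=["website visitors"], data_categories=["IP address", "device identifiers"],
    recipients=["analytics SaaS"], transfers=[Transfer("analytics SaaS", "US")],
    retention="14 months", security_measures=["IP truncation"], lawful_basis="consent",
)
REGISTER = [PAYROLL, ANALYTICS]

if __name__ == "__main__":
    for act in REGISTER:
        print(act.name, "->", validate(act) or "complete")
    print("Art 30(5) exemption applies:", exemption_applies(12, REGISTER))
    print(to_csv(CONTROLLER, REGISTER))
```

Run as-is, the payroll record validates cleanly, the analytics record is flagged because its US transfer has no documented mechanism, and the exemption test fails for a 12-person company because neither activity is occasional. Validation runs per activity, mirroring how the exemption and the DPIA trigger are assessed in practice, and the export deliberately writes UNDOCUMENTED rather than a blank so the gap survives into whatever spreadsheet the auditor opens.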

Why the ROPA Matters Beyond the Audit

A complete ROPA is the foundation of your broader GDPR compliance. It is the starting point for identifying the high-risk activities that need a DPIA under Article 35, scopes the impact of a data breach (which systems, which data subjects, which recipients) within the 72-hour notification window, supports responses to Data Subject Access Requests, and demonstrates accountability under Article 5(2) to the DPC if you come under scrutiny.

The DPC can ask for your ROPA at any time, and Article 30(4) obliges you to make it available on request. The absence of one, or a materially incomplete one, is a breach of Article 30 in its own right, and Article 83(4) makes it punishable by administrative fines of up to €10 million or 2% of worldwide annual turnover, whichever is higher.

How ShieldIQ Supports Article 30 Compliance

ShieldIQ includes a built-in ROPA module that guides you through each required field and produces a regulator-ready CSV export. Processing activities are linked to your GDPR compliance posture, and any high-risk activities are automatically flagged for DPIA assessment.

Run a free GDPR assessment to see your current data protection posture →