The Record of Processing Activities (ROPA) is one of the most important documents an organisation can maintain for UK GDPR compliance. Under Article 30 of UK GDPR, organisations with 250 or more employees are required to maintain a written ROPA. Even if you are below this threshold, you must maintain a ROPA if you: regularly process special category data, process data related to criminal convictions or offences, or if the processing is likely to result in a risk to individuals' rights and freedoms. In practice, almost every health and social care organisation in the UK should be maintaining one.
What Must a ROPA Contain?
Article 30 specifies what a ROPA must contain for controllers. For each processing activity, you must record:
- The name and contact details of the controller, any joint controller, and the Data Protection Officer
- The purposes of the processing
- A description of the categories of data subjects and categories of personal data
- The categories of recipients to whom personal data has been or will be disclosed
- Transfers of personal data to third countries or international organisations, and the transfer safeguards in place
- Where possible, the envisaged time limits for erasure of different categories of data
- Where possible, a general description of technical and organisational security measures
What ICO Auditors Actually Look For
Based on published ICO audit reports and enforcement decisions, inspectors assess ROPAs against the following criteria:
Completeness
Does the ROPA cover all processing activities? The most common gap is omission — organisations record obvious processing like HR and payroll but miss CCTV, website analytics, marketing, or processing done by departments that weren't consulted during the ROPA build. Use a data flow mapping exercise, starting with a questionnaire to every department, to identify all processing activities before building the register.
Lawful Basis
Every processing activity must have a documented lawful basis. ICO auditors will look for activities where no basis is recorded, or where the basis is implausible. For NHS organisations, the most commonly applied bases are: legal obligation (Article 6(1)(c)), public task (Article 6(1)(e)), and legitimate interests (Article 6(1)(f)), with explicit consent or substantial public interest conditions under Article 9 for special category data.
Retention Periods
Article 30 requires retention periods to be recorded 'where possible'. The ICO expects this to be possible in virtually all cases. Vague entries such as 'as long as required by law' or 'indefinitely' will be challenged. NHS organisations should reference the NHS Records Management Code of Practice to populate retention periods for health records. Other organisations should have a documented retention schedule.
Accuracy and Currency
A ROPA that was accurate in 2020 but hasn't been reviewed since is a liability. ICO auditors will look for evidence of a review process — ideally an annual review cycle and a process for updating the ROPA when new processing activities are introduced. Every new system, new supplier, or change in processing purpose should trigger a ROPA update.
Common ROPA Mistakes
- Using a template ROPA that hasn't been adapted to actual processing — generic entries are a red flag to auditors
- Conflating the controller and processor ROPA — processors must also maintain a ROPA under Article 30(2), covering different fields
- Not recording international transfers — if you use cloud software hosted outside the UK, this is likely a transfer that must be documented
- Treating the ROPA as a one-time project rather than a living document
- Failing to link the ROPA to the privacy notice — what you record in the ROPA must be reflected in what you tell data subjects
Structuring Your ROPA for Usability
A ROPA that only a DPO can navigate is not fit for purpose. Build your ROPA so that department managers can understand their own processing entries, and so that it can be extracted and used to produce privacy notice content, SAR responses, and DPIA scoping.
Consider structuring processing activities by: department (HR, Finance, Clinical, IT), then by purpose (recruitment, payroll, patient care, research), then by system or data set. This makes the ROPA easier to maintain and easier to use when responding to rights requests.
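As an added example (not from the page and not Folelse's own code), a small Python linter that applies the audit criteria above to a ROPA export: Article 30 field completeness, a recorded lawful basis plus an Article 9 condition where special category data appears, non-vague retention wording, a documented safeguard wherever hosting is outside the UK, and an annual review date. The field names, the keyword lists and the two sample entries are assumptions constructed for illustration.

```python
from datetime import date, timedelta

# Article 30(1) fields the page lists; the key names are this example's own.
REQUIRED = ("controller", "purpose", "data_subjects", "data_categories",
            "recipients", "retention", "security_measures", "lawful_basis")
VAGUE_RETENTION = {"", "indefinitely", "as long as required by law", "tbc"}  # wording the ICO challenges
SPECIAL = ("health", "criminal", "ethnic", "biometric", "genetic", "religio")  # special category / offence data

def lint_entry(entry, today):
    """Return the audit findings for one processing activity (empty list = clean)."""
    findings = [f"missing {f}" for f in REQUIRED if not entry.get(f)]
    if str(entry.get("retention", "")).strip().lower() in VAGUE_RETENTION:
        findings.append("vague or missing retention period")
    cats = " ".join(entry.get("data_categories", [])).lower()
    # Special category data needs an Article 9 condition on top of the Article 6 basis.
    if any(k in cats for k in SPECIAL) and not entry.get("article_9_condition"):
        findings.append("special category data without Article 9 condition")
    # Hosting outside the UK is treated as a transfer that needs a documented safeguard.
    if entry.get("hosting_country", "UK") != "UK" and not entry.get("transfer_safeguard"):
        findings.append("international transfer without safeguard")
    # Currency: anything outside an annual review cycle is flagged.
    reviewed = entry.get("last_reviewed")
    if reviewed is None or (today - reviewed) > timedelta(days=365):
        findings.append("not reviewed in the last 12 months")
    return findings

def lint_ropa(entries, today):
    """Map each activity (named department / purpose, as the page suggests) to its findings."""
    return {e["activity"]: lint_entry(e, today) for e in entries}

# Constructed sample register: one entry with typical audit gaps, one that passes.
SAMPLE_ROPA = [
    {"activity": "HR / Recruitment", "controller": "Example Trust (DPO: dpo@example.invalid)",
     "purpose": "Recruitment", "data_subjects": ["job applicants"],
     "data_categories": ["contact details", "occupational health"],
     "recipients": ["HR", "line managers"], "retention": "as long as required by law",
     "lawful_basis": "Article 6(1)(e)", "hosting_country": "IE",  # no security_measures recorded
     "last_reviewed": date(2020, 3, 1)},
    {"activity": "Clinical / Patient care", "controller": "Example Trust (DPO: dpo@example.invalid)",
     "purpose": "Direct care", "data_subjects": ["patients"], "data_categories": ["health records"],
     "recipients": ["care team"], "retention": "8 years after last contact",
     "security_measures": "RBAC, audit logging, encryption at rest", "lawful_basis": "Article 6(1)(e)",
     "article_9_condition": "Article 9(2)(h)", "hosting_country": "UK", "last_reviewed": date(2024, 1, 15)},
]

def lint_sample():
    """Run the linter over the sample with a fixed 'today' so the result is reproducible."""
    return lint_ropa(SAMPLE_ROPA, today=date(2024, 6, 1))
```

Calling lint_sample() returns an empty finding list for the clinical entry and five findings for the HR entry, one per audit criterion the page describes.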
Folelse's ROPA module provides a structured template aligned to Article 30 requirements, with department-level views, retention period libraries, and automatic linkage to your supplier register and privacy notice.