What is a ROPA and why do you need one?

A Record of Processing Activities (ROPA) is a legal requirement under UK GDPR Article 30. It documents every way your organisation processes personal data — what data you collect, why you collect it, who has access, where it is stored, how long you keep it, and who you share it with.

Who must maintain a ROPA?

All organisations that process personal data must maintain a ROPA unless they employ fewer than 250 people AND their processing is only occasional, does not include special category data, and is unlikely to result in a risk to individuals. In practice, almost all UK organisations with any regular data processing should maintain one.

What goes in a ROPA?

  • Name and contact details of your organisation (controller) and, if applicable, your DPO.
  • The purpose of each processing activity (e.g. payroll, marketing, clinical care).
  • The categories of personal data processed (e.g. name, NHS number, health data).
  • The categories of data subjects (e.g. employees, patients, website visitors).
  • Who you share data with (recipients / joint controllers / processors).
  • Whether data is transferred outside the UK/EEA, and if so the safeguard used.
  • How long you retain the data (retention schedule).
  • A general description of security measures.

How Folelse structures your ROPA

Each entry in Folelse's ROPA represents one processing activity. Entries are linked to your information assets (the systems storing the data), your suppliers (third-party processors), and your services. This linkage means changes in one place automatically update your ROPA.

The ICO can request to inspect your ROPA at any time. Keeping it accurate and up to date is one of the most important accountability measures you can take.
