What does GDPR Article 30 require?

GDPR Article 30 requires every data controller to maintain a written Record of Processing Activities (RoPA). Each entry must document: the name and contact details of the controller, the purposes of processing, categories of data subjects and personal data, recipients of the data, any transfers outside the UK or EU and their safeguards, and retention and security measures.

Are small businesses exempt from Article 30?

Organisations with fewer than 250 employees may be exempt, but only if their processing is occasional, low-risk, and does not involve special category data or criminal records. In practice this exemption rarely applies — processing employee payroll or customer data is not 'occasional'. The ICO has confirmed most SMEs still need a register.

What are the most common Article 30 compliance failures?

The most common failures are: using a generic template rather than documenting actual processing activities; missing or incorrect lawful basis (especially overusing 'legitimate interests'); under-counting processors (most organisations have 20–40 software tools touching personal data); undocumented third-country transfers; and retention periods that do not reflect what actually happens.

How do you build an Article 30 register that passes an ICO audit?

A defensible Article 30 register requires accuracy (entries map to real activities with correct lawful basis), completeness (all significant activities documented, typically 30–60 for most organisations), and currency (updated whenever processes change, with a documented review cadence). Start with a data mapping exercise, interview department heads, audit your IT estate, and version-control the register.

What is the difference between a ROPA and a data map?

A ROPA is the formal legal record listing what data you process, why, and the safeguards — it is the Article 30 compliance document for regulators. A data map is a visual diagram showing how data flows between systems, people, and third parties. They are complementary: the ROPA provides the legal record; the data map makes flows understandable for teams and boards.

GDPR Article 30 Records of Processing — What DPOs Get Wrong

What Article 30 Actually Requires

Article 30 of the UK GDPR and EU GDPR requires every data controller to maintain a written record of their processing activities — the Record of Processing Activities, or RoPA.

This isn't optional. It's not a "best practice." It's a legal requirement, and the ICO can request it at any time.

The regulation specifies six mandatory fields for each processing activity:

The name and contact details of the controller (and their DPO, if applicable)
The purposes of the processing — why you're processing the data
A description of the categories of data subjects — who the data belongs to (employees, customers, prospects...)
A description of the categories of personal data — what type of data (names, financial records, health data...)
The categories of recipients — who you share the data with, including processors
Transfers to third countries — any data leaving the UK or EU, and the safeguard used

If you're a processor rather than a controller, Article 30(2) applies: you must record the categories of processing carried out on behalf of each controller you work for.

That's the minimum. But a register that contains only these six fields will fail an ICO audit.

Who Is Exempt — And Why the Exemption Rarely Applies

Article 30(5) contains a partial exemption for organisations with fewer than 250 employees. If that's you, you might think you're off the hook.

You're probably not.

The exemption evaporates if your processing:

Is not occasional. If you process personal data regularly — employees' payroll, customer CRM, marketing lists — it's not occasional. This catches almost every business.
Is likely to result in a risk to the rights and freedoms of data subjects. Health data, financial data, sensitive personal data, large-scale monitoring — all covered.
Involves special category data under Article 9 (health, biometrics, ethnicity, religion, union membership, etc.) or criminal conviction data under Article 10.

In practice, the vast majority of SMEs process personal data regularly and therefore cannot rely on this exemption. The ICO has been clear: if you have employees, you have a payroll process. Payroll is not occasional. You need a register.

The Real Risk: Why Most RoPAs Fail Audits

The ICO's enforcement actions repeatedly identify the same gaps. After reviewing hundreds of Article 30 registers, here are the most common failures:

1. The register is a template, not a record of your processing

The most common mistake: downloading a template, filling in generic entries, and calling it done. "Marketing — legitimate interests — 3 years" covers nothing. Which marketing activities? What data? Which systems process it? What are the actual retention periods for each data type?

An ICO inspector will ask you to walk through a specific processing activity and trace it to specific systems. If you can't do that, the register fails.

2. Missing lawful basis — or the wrong one

Every processing activity needs a documented lawful basis. "Legitimate interests" is overused and frequently wrong. You cannot rely on legitimate interests for processing that could reasonably be done on a different basis, or where the individual's interests override yours.

Common errors:

Using "consent" as the basis for employee data (employment contracts make consent non-freely-given)
Using "legitimate interests" for AML/KYC checks (this is a legal obligation)
Listing a lawful basis without completing a Legitimate Interests Assessment where required

3. Processors are missing or wrong

Every third-party system that touches personal data on your behalf is a processor and should appear in your register. This includes your CRM, HR system, payroll provider, cloud storage, email platform, and analytics tools.

Organisations consistently undercount their processors. A quick audit of IT spend usually reveals 20–40 software tools — many of which process personal data.

4. Third-country transfers undocumented

If any of your processors or recipients store or process data outside the UK or EU, you need to document the transfer mechanism. Standard Contractual Clauses (SCCs) are most common. Many organisations have US-based SaaS tools — Salesforce, HubSpot, Slack — processing EU/UK personal data, with no transfer mechanism documented.

5. Retention periods are aspirational, not actual

"We keep data for 7 years" is not a retention policy. Which data? What triggers the retention period? What happens at the end — deletion, anonymisation, archiving? Who is responsible?

The register should document retention periods that reflect what actually happens in your organisation, not what you wish would happen.

How to Build a Register That Survives an ICO Investigation

A defensible Article 30 register has three qualities: accuracy, completeness, and currency.

Accuracy means each entry maps to a real processing activity in your organisation, with the correct lawful basis, the actual data categories, and the real systems involved.

Completeness means every significant processing activity has an entry. Start with a data mapping exercise: interview department heads, review IT spend, trace data flows from collection through to deletion. Most organisations have 30–60 distinct processing activities when they do this properly.

Currency means the register is updated when things change. New system? New entry. Data breach? Review the affected entries. Business restructure? Update the responsible parties. A register that was accurate in 2023 is not necessarily compliant in 2026.

Practical steps

Start with your data flows, not a template. Map what data you actually collect, from whom, why, and where it goes — before you open a spreadsheet.
Interview department heads systematically. Finance, HR, IT, sales, marketing, operations — each has distinct processing activities. One person cannot know them all.
Audit your IT estate. Cross-reference your software spend against your processor list. Every SaaS tool that touches personal data needs to be there.
Document transfer mechanisms for every non-UK/EU processor. Check your data processing agreements — do they include SCCs? Are they the current 2021 EU SCCs or the updated UK IDTA?
Set a review cadence. Quarterly is appropriate for most organisations. The register should have a "last reviewed" date on each entry.
Version control it. If the ICO asks for your register as it stood at the time of an incident, you need to be able to produce that. A living Google Sheet with no version history is not sufficient.

The Automation Option

The steps above are achievable — but time-consuming. A thorough data mapping exercise for a 50-person organisation typically takes a DPO 2–4 weeks the first time. Keeping it current is an ongoing overhead.

This is the problem Clarium was built to solve. Paste a plain-English description of any business process — "We collect CV data from candidates through our careers page, store it in Greenhouse, and share shortlisted candidates with hiring managers via email" — and Clarium's AI extracts the data subjects, data categories, systems, legal basis, retention considerations, and flags any transfer issues.

The result is a visual network map of your data flows and a draft Article 30 entry, ready for your DPO to review and sign off.

It doesn't replace the expert judgement of a qualified DPO. But it eliminates the weeks of manual documentation work that precedes that judgement.

Try Clarium free → — no credit card required.

Why GDPR Article 30 Matters More Than You Think