How to create a Record of Processing Activities (ROPA)

Learn how to create and maintain a Record of Processing Activities (ROPA) to meet GDPR and NHS DSPT compliance. Includes practical steps, lawful basis guidance, and a free ROPA template for digital health companies.

Understanding the Record of Processing Activities (ROPA)

Companies today receive information from countless sources, whilst also sharing this information with others. This process of collecting, storing, and sharing personal data is known as data processing. Every instance of this “processing” must be documented and recorded.

This is where a Record of Processing Activities (ROPA) comes in. It’s a critical document mandated by Article 30 of the GDPR and the NHS DSPT, serving as a blueprint for your data handling practices.

NHS DSPT Evidence item 1.1.2: "Does your organisation have an up to date list of the ways in which it holds and shares different types of personal and sensitive information?"

By recording every data processing activity, you gain a deeper understanding of your data flows, reinforce organisational accountability, and demonstrate your commitment to robust data security.

This guide (part 2 of 3 in our series on Documenting Your Data Processing Activities) assumes you’ve already created your Information Asset Register (IAR), which provides a detailed inventory of your digital health company’s data assets.

Why a ROPA Matters for Your Organisation

A well-maintained ROPA provides clarity and control over your data environment. Here’s why it’s so critical:

1. Compliance with GDPR and NHS DSPT

For many companies, documenting your processing activities is a legal requirement under Article 30 of the GDPR, and the record must be made available to the supervisory authority (the ICO) on request. For this reason, a ROPA is sometimes referred to as an “Article 30 register”.

2. Transparency

Your ROPA offers a comprehensive snapshot of how data moves through your organisation, enabling transparency for individuals and regulators alike, including the GDPR supervisory authority, the Information Commissioner's Office (ICO).

3. Risk Management

By tracking data flows and processing activities, you can identify and mitigate potential data protection risks before they escalate.

How to Create Your ROPA

Learn the essential steps to document your data processing activities and build a compliant, well-structured ROPA.

Step 1: Choose a ROPA Template

Start with a structured template.

  • Assuric provides a free ROPA template tailored for digital health companies, including NHS National Data Opt-Out compliance. Talk to us to receive a copy of this template.
  • Alternatively, you can use the ICO's template as a reference.

Step 2: Identify Your Data Items

Determine what data should be included in your ROPA. Document all data that is transferred, either electronically or physically.

Examples of data items for digital health companies:

  • Staff data (employment records, DBS checks)
  • Patient health records
  • Treatment plans and appointment schedules
  • Consent forms
  • Financial and insurance data

Note for SMEs:
If you have fewer than 250 employees, you only need to document processing that: 1) is not occasional, 2) is likely to pose risks to individuals’ rights, or 3) involves special category or criminal offence data.

Larger organisations must record all processing activities, regardless of frequency.

Step 3: Define Your Role - Controller or Processor?

Determine your organisation’s role for each data type.

The ICO provides detailed guidance on determining if you are a controller or a processor. You may act as a controller for some data (e.g., employee records) and a processor for others (e.g., patient health data handled on behalf of an NHS Trust).

If you process data on behalf of another organisation, ensure you have a Data Processing Agreement (DPA) in place outlining your responsibilities.

Step 4: Determine the Lawful Basis for Processing

Under Article 6 of the GDPR, every processing activity must have a lawful basis. The six bases are:

  1. Consent: The individual has given explicit consent.
  2. Contract: Processing is required for a contract.
  3. Legal Obligation: Required to comply with the law.
  4. Vital Interests: Protects someone’s life.
  5. Public Task: Necessary for the public interest or an official function.
  6. Legitimate Interests: Necessary for legitimate purposes, unless overridden by individual rights.

For some personal data (e.g., health information), you must meet both an Article 6 lawful basis and an Article 9 condition, such as explicit consent, legal claims, or health care purposes.

A note on consent: whilst consent is a lawful basis under the GDPR, the regulations impose strict conditions on consent that can be hard to meet. The ICO and the NHS provide specific guidance on consent, and on how to ensure individuals give consent in a clear and specific way.

Step 5: Record Essential Information

Each processing activity in your ROPA should include the following details:

  • Data item description and business purpose
  • Categories of data subjects and recipients
  • Links to contracts and processors
  • Security measures and retention schedules
  • Article 6 & 9 lawful bases
  • Data Protection Impact Assessment (DPIA) status
  • Details of data breaches or consent records

This level of detail helps demonstrate compliance and supports data subject rights.

Step 6: Fill Out and Maintain Your Template

Populate your chosen ROPA template with all identified data items. Include your organisation's contact information and your Data Protection Officer (DPO) details if applicable.

Step 7: Review and Approve Your ROPA

Once completed, your ROPA should be reviewed by:

  • Senior management
  • Data protection representatives
  • External advisors (if needed)

Keep your ROPA up to date - especially after any process changes or security incidents.


Getting Started on Your ROPA with Assuric

Assuric simplifies compliance management for digital health organisations by offering:

  • A custom ROPA template built for NHS and GDPR requirements
  • Tools to keep your ROPA current
  • Expert review and support to ensure all criteria are met
  • Guidance on GDPR, NHS DSPT, and DTAC alignment

Up Next: Build Your Privacy Notice

You’ve mapped your assets (IAR) and documented your processing (ROPA). One of the most crucial aspects of GDPR is transparency, which brings us to the final step: creating a privacy notice.

Privacy notices - GDPR guide for digital health companies

Step-by-step guide to creating a Privacy Notice for GDPR and the NHS Digital Security Protection Toolkit (DSPT)