What is Records of Processing Activities (RoPA)?
Records of Processing Activities (RoPA) are the written inventory of an organisation's personal-data processing required by GDPR Article 30, covering purposes, data categories, recipients, retention periods, transfers, and security measures. Controllers and processors maintain them and must make them available to a supervisory authority on request.
A RoPA is the backbone of GDPR accountability: it is the map of what personal data you hold, why, where it goes, and how long you keep it. Article 30 lists slightly different contents for controllers and processors, and the record must be kept current as processing changes.
Many small businesses assume the "fewer than 250 employees" line in Article 30(5) exempts them, but the carve-out is narrow — it falls away if the processing is not occasional, is likely to pose a risk, or involves special-category or criminal-offence data. Because routine activities like payroll and customer management are "not occasional," most organisations still need a RoPA regardless of headcount.
A pre-structured RoPA workbook lets you populate the required fields quickly and present them in the format authorities expect, which is exactly what speeds up an audit or a regulator request. The record itself doesn't protect anyone — it documents processing you must still carry out lawfully and securely.
Related terms: Personal Data · Data Controller vs Data Processor · Lawful Basis for Processing · Audit Evidence
Frequently asked questions
- Does a small business under 250 employees need a RoPA?
  Usually yes. The Article 30(5) exemption only applies if processing is occasional, low-risk, and excludes special-category and criminal data. Normal activities like payroll, employee records and customer management count as "not occasional," so most small businesses still need one.
- What information must a RoPA contain?
  For controllers: the purposes of processing, categories of data subjects and personal data, recipients, any international transfers, retention periods where possible, and a general description of security measures. Processors record similar details about processing carried out on a controller's behalf.
- Is a RoPA the same as a data map?
  They overlap. A data map is the broader exercise of identifying where personal data lives and flows; the RoPA is the formal Article 30 record built from that exercise, structured to the specific fields the GDPR requires.
