GDPR Compliance: Implementing a Formal Register of Processing Activities (Art. 30)
Release: v0.1.153 · Control: GDPR-09 · Framework: GDPR
Overview
As part of our ongoing GDPR compliance programme, release v0.1.153 identifies a gap between the existing /lawful-basis page and the formal requirements of Article 30 of the UK/EU GDPR. This post explains what Art. 30 requires, what is currently in place, and what needs to be implemented.
What Is a ROPA?
A Register of Processing Activities (ROPA) is a mandatory internal record required by Article 30 of the GDPR for most organisations that process personal data. It is a core accountability tool and must be made available to supervisory authorities (e.g. the ICO) on request.
Current State
The /lawful-basis page (src/app/lawful-basis/page.tsx) provides a useful overview of the lawful bases relied upon for processing. However, it does not constitute a formal Art. 30 ROPA because it is missing several required fields.
What a Compliant ROPA Must Include
Under Article 30 GDPR, the controller's record of processing activities must contain, at minimum:
| Field | Description |
|---|---|
| Controller details | Name and contact details of the controller (and, where applicable, joint controllers) |
| DPO contact | Name and contact details of the Data Protection Officer |
| Purposes of processing | The specific purpose(s) for which personal data are processed |
| Categories of data subjects | e.g. customers, employees, prospects |
| Categories of personal data | e.g. name, email address, financial data |
| Categories of recipients | Third parties or categories of third parties to whom data are disclosed |
| International transfers | Details of transfers to third countries and the safeguards in place |
| Retention periods | How long each category of data is retained, or the criteria used to determine retention |
| Security measures | A general description of the technical and organisational security measures (Art. 32) |
Required Action
A formal ROPA must be created. The recommended approach is to publish it as:
- A static page at /ropa, and/or
- A downloadable PDF linked from the privacy policy
Controller Information
Controller: Calmony Ltd
DPO Contact: [to be confirmed]
Processing Activities & Recipients
The ROPA must cover all processing activities and name the following recipient categories (sub-processors and third-party services):
| Service | Role | Data Category |
|---|---|---|
| Neon | Database / data storage | All personal data stored by the platform |
| Stripe | Payment processing | Financial and billing data |
| Twilio | Communications (SMS/voice) | Contact data, communication content |
| Resend | Transactional email | Email address, communication content |
Each processing activity entry should also specify:
- The lawful basis relied upon (already documented at /lawful-basis)
- The applicable retention period
- A reference to the security measures in place
Why This Matters
Maintaining an accurate, complete ROPA is a core accountability obligation under GDPR (Art. 5(2) and Art. 30). Failure to maintain one is directly actionable by supervisory authorities such as the ICO. As a sanctions screening platform handling personal data of individuals under investigation, the completeness of processing records is particularly important for demonstrating compliance.
Next Steps
- Draft the full ROPA document covering all processing activities.
- Publish at /ropa as a static page.
- Link the ROPA from the existing privacy policy page.
- Review and update the ROPA at least annually, or whenever processing activities change.
For questions about this compliance requirement, contact the DPO or refer to the ICO's ROPA guidance.