---
name: gdpr-article-30-register
description: Build a UK GDPR Article 30 Record of Processing Activities (RoPA) for an SMB — one entry per processing activity, covering purposes, categories, recipients, transfers, retention, and security measures in the format the ICO expects.
version: 1.0.0
author: VantagePoint Networks
author_url: https://www.vpnetworks.co.uk
audience: DPOs, Compliance Leads, HR Managers, IT Managers, MSPs helping SMB clients evidence UK GDPR compliance
output_format: Formatted Markdown RoPA with a populated register of processing activities (controller-side), a separate processor-side register if applicable, and maintenance process.
license: MIT
last-reviewed: 2026-04
---

# UK GDPR Article 30 Register (RoPA)

A Claude Code skill for producing the Record of Processing Activities that every UK organisation processing personal data should hold — the first thing the ICO asks for in any engagement, and the one SMBs most commonly lack.

## How to use this skill

1. Download this `SKILL.md` file.
2. Place it in `~/.claude/commands/` (macOS/Linux) or `%USERPROFILE%\.claude\commands\` (Windows).
3. In Claude Code, run `/gdpr-article-30-register`. Describe your organisation's activities. Answer the clarifying questions. Receive the populated register.

## When to use this

- You have no RoPA and need one (you're exempt from Art. 30 only if under 250 employees AND processing is occasional AND no special-category data AND no risk to rights — almost nobody qualifies for all four).
- Your last RoPA was in a spreadsheet nobody's updated in 2 years.
- A client or regulator has asked to see it and you have 48 hours.
- You're onboarding a DPO or compliance lead and they need the baseline.
- You're preparing for a UK GDPR audit or SAR deluge.

## What you'll get

A single Markdown document containing:

- **Organisation details** (controller info, DPO if applicable)
- **Controller-side register** (processing activities where you're the controller)
- **Processor-side register** (activities where you process on behalf of others)
- Each processing activity captured with all Art. 30 required fields
- **Maintenance process** (who updates, when, how)
- **Cross-reference list** to related documents (privacy notices, DPIAs, DPAs)

## Clarifying questions I will ask you

1. **Legal entity name and ICO registration number?**
2. **Headcount (affects obligations and scope)?**
3. **Primary activities / services?**
4. **Data subjects?** (staff, clients, prospects, supplier contacts, website visitors, children)
5. **Main systems holding personal data?** (HR, CRM, accounting, email, support, marketing, CCTV, building access, time-tracking)
6. **Are you a processor for any client?** (e.g. MSP, agency, payroll provider)
7. **Key third parties / sub-processors?** (M365, Google, Salesforce, Sage, Xero, payroll, Stripe, etc.)
8. **International transfers?** (any US, other non-adequate countries)
9. **Special-category data processed?** (health, union membership, biometrics, children's data)
10. **Do you have a DPO?** (Yes/No — affects register structure)
11. **Existing RoPA to enhance, or fresh?**
12. **Last review date on anything you have?**

## Output template

```markdown
# Record of Processing Activities (RoPA) — <organisation>

**UK GDPR Article 30** · **Version:** 1.0 · **Last reviewed:** <date> · **Next review:** <date + 12 months>
**Maintained by:** <role> · **DPO:** <name / "not required, contact for privacy matters: <role>">

## 1. Controller Information
| Field | Value |
|---|---|
| Legal entity | |
| Trading names | |
| Registered address | |
| ICO registration number | Z<N> |
| Data Protection contact | <role, email> |
| DPO (if applicable) | <name / n/a — reason> |

## 2. Register Structure
Each processing activity has its own entry below. Activities are numbered (RoPA-001…) and grouped by function (HR, Clients, Marketing, Operations, etc.).

---

## Controller-side Register

### RoPA-001 — Staff employment records
| Field | Value |
|---|---|
| **Purpose of processing** | Managing employment relationships: recruitment, onboarding, payroll, performance, leavers. |
| **Categories of data subjects** | Current and former staff, job applicants, contractors. |
| **Categories of personal data** | Contact details, NI number, bank details, employment history, performance records, emergency contacts. |
| **Special-category data** | None / Health (sickness records) / Trade union membership (if any) — explicit record. |
| **Source of data** | Directly from the data subject; referees; HMRC. |
| **Lawful basis (Art. 6)** | Art. 6(1)(b) Contract (employment); Art. 6(1)(c) Legal obligation (tax, employment law); Art. 6(1)(f) Legitimate interests (HR administration). |
| **Special-category basis (Art. 9, if applicable)** | Art. 9(2)(b) Employment obligations; Art. 9(2)(h) Occupational health (with DPA 2018 conditions met). |
| **Recipients** | HR team, line managers (limited), finance (payroll-relevant only), external payroll provider, HMRC, pension provider. |
| **International transfers** | <None / UK-only / specific cases — mechanism>. |
| **Retention** | Employment records: 6 years post-employment (LP&A). Payroll records: 6 years per HMRC. Applications (unsuccessful): 6 months. |
| **Security measures** | Access control via AD groups; encryption at rest (M365 / HR system); encrypted backups; MFA on HR system; least-privilege on payroll export. |
| **Related documents** | Privacy Notice (staff) v<N>; DPA with payroll provider; DPIA-<N> if applicable. |

### RoPA-002 — Client / customer records
| Field | Value |
|---|---|
| **Purpose of processing** | Delivering services to clients; billing; client communications; complaints handling. |
| **Categories of data subjects** | Client contacts (individuals representing corporate clients, and natural-person clients where applicable). |
| **Categories of personal data** | Contact details, engagement history, communications, financial records. |
| **Special-category data** | As encountered — e.g. for legal / medical advice work (see RoPA-003 if separate). |
| **Source of data** | From the client directly; from authorised representatives. |
| **Lawful basis (Art. 6)** | Art. 6(1)(b) Contract; Art. 6(1)(c) Legal obligation (record-keeping, AML where applicable); Art. 6(1)(f) Legitimate interests (post-engagement communications). |
| **Recipients** | Client-facing team; management; external auditors (if audited); sub-processors (CRM vendor, email provider). |
| **International transfers** | <None / UK-only / specific — mechanism>. |
| **Retention** | 7 years post-engagement (professional standard); longer if legal hold. |
| **Security measures** | Role-based access; encrypted storage; DLP policies; audit logging on matter/case access. |
| **Related documents** | Client Privacy Notice; DPA-<vendor>; DPIA if AI tools used. |

### RoPA-003 — Marketing contacts
| Field | Value |
|---|---|
| **Purpose of processing** | Marketing communications to prospective and past clients; event invitations. |
| **Categories of data subjects** | Prospects, past clients, event attendees. |
| **Categories of personal data** | Contact details, company, role, engagement history with our content. |
| **Lawful basis (Art. 6)** | Art. 6(1)(a) Consent (where no soft opt-in applies); or Art. 6(1)(f) Legitimate interests with appropriate opt-out (for existing-customer soft opt-in per PECR). |
| **Recipients** | Marketing team; email-service provider; CRM. |
| **International transfers** | <specific — e.g. Mailchimp in US under UK-IDTA>. |
| **Retention** | 24 months from last engagement; permanent opt-out preserved. |
| **Security measures** | Consent captured with timestamp; unsubscribe link on every email. |
| **Related documents** | Marketing Privacy Notice; PECR compliance procedure. |

### RoPA-004 — Supplier / third-party contacts
### RoPA-005 — Website visitors (analytics)
### RoPA-006 — CCTV (if applicable)
### RoPA-007 — Building access logs (if applicable)
### RoPA-008 — Recruitment (candidates)
### RoPA-009 — <any additional: e.g. Sensitive client casework, safeguarding records, health data>

(One entry per activity. Expect 8-20 entries for a typical SMB.)

---

## Processor-side Register (if applicable)
Required if you process personal data on behalf of clients (e.g. MSP, payroll provider, agency).

### RoPA-P-001 — <Client name or type — anonymised> — <service>
| Field | Value |
|---|---|
| **Controller** | <Client name> |
| **Categories of data subjects** | <per controller instruction> |
| **Categories of data** | <per controller instruction> |
| **Processing performed** | <specific activities> |
| **Sub-processors engaged** | <list, with countries and DPA refs> |
| **Security measures** | <in place per DPA> |
| **Retention** | <per controller instruction — typically returned/deleted at end of contract> |
| **Transfer mechanism** | <UK-IDTA / other> |

---

## 3. Maintenance Process
- **Owner:** <role> keeps RoPA current.
- **Review cadence:** minimum annual. Additional review on material change (new system, new vendor, new processing, change of retention, new regulator guidance).
- **Change trigger log:** maintained at end of this document; each change dated and summarised.
- **New-processing workflow:** any new processing activity must be assessed for RoPA entry (and DPIA if threshold met) BEFORE go-live. Owner of the project submits via <process>.
- **Annual attestation:** Controller attests the RoPA is current at <date> each year.

## 4. Related Documents Index
| Document | Location | Current version |
|---|---|---|
| Staff Privacy Notice | <URL> | |
| Client Privacy Notice | <URL> | |
| Website Privacy Notice | <URL> | |
| Cookie Policy | <URL> | |
| Data Breach Procedure | <internal> | |
| DPAs with suppliers | <internal — folder ref> | |
| DPIAs | <internal — folder ref> | |
| Retention Schedule | <internal> | |

## 5. Change Log
| Date | Change | Author |
|---|---|---|
| | | |
```
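As an added completeness check that is not part of the skill or its template, the following Python script parses the controller-side entries in the register above (each `### RoPA-NNN` heading with its `| **Field** | Value |` table) and reports any Art. 30 field that is missing, left blank, or still holds an unfilled `<placeholder>`; it also accepts the shorter labels some entries use. The required-field list, the alias map and the sample entry are this example's own assumptions, not ICO guidance.

```python
import re

# Art. 30(1) fields every controller-side entry must carry (labels as in the template above).
REQUIRED = ("Purpose of processing", "Categories of data subjects", "Categories of personal data",
            "Recipients", "International transfers", "Retention", "Security measures")
# Short labels some entries use, normalised to the canonical names above.
ALIASES = {"Purpose": "Purpose of processing", "Data subjects": "Categories of data subjects",
           "Categories of data": "Categories of personal data", "Categories": "Categories of personal data"}
PLACEHOLDER = re.compile(r"<[^>]*>")        # unfilled template slots such as <date> or <role>
HEADING = re.compile(r"^###\s+(RoPA-\d+)")  # controller-side entries only; RoPA-P-* need the Art. 30(2) set
ROW = re.compile(r"^\|\s*\*{0,2}([^|*]+?)\*{0,2}\s*\|\s*(.*?)\s*\|\s*$")  # | **Field** | Value |

def parse_register(md):
    """Return {entry_id: {field: value}} for each controller-side '### RoPA-NNN' block."""
    entries, current = {}, None
    for line in md.splitlines():
        head = HEADING.match(line)
        if head:
            current = head.group(1)
            entries[current] = {}
            continue
        row = ROW.match(line)
        if current and row and row.group(1).strip() not in ("Field", "---"):
            label = row.group(1).strip()
            entries[current][ALIASES.get(label, label)] = row.group(2)
    return entries

def check_entry(fields):
    """List an entry's defects: a required field missing, left blank, or still a <placeholder>."""
    problems = []
    for name in REQUIRED:
        value = fields.get(name)
        if value is None:
            problems.append(f"missing field: {name}")
        elif not value.strip():
            problems.append(f"blank field: {name}")
        elif PLACEHOLDER.search(value):
            problems.append(f"placeholder left in: {name}")
    return problems

def audit(md):
    """Map every entry to its defect list; an empty list means the entry is complete."""
    return {eid: check_entry(fields) for eid, fields in parse_register(md).items()}

# Constructed sample in the template's layout (not a real organisation's register).
SAMPLE = """### RoPA-003 — Marketing contacts
|---|---|
| **Purpose** | Marketing communications to prospective and past clients. |
| **Data subjects** | Prospects, past clients, event attendees. |
| **Categories** | Contact details, company, role. |
| **International transfers** | <specific — e.g. provider in US under UK-IDTA>. |
| **Retention** |  |
"""
```

Running `audit(open("RoPA.md").read())` over a drafted register gives one defect list per entry, so the maintenance owner can clear every placeholder before the annual attestation.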

## Example invocation

**User:** "40-person London accountancy firm. Use M365, Xero, our own matter-management system, Zendesk for client support, Mailchimp for newsletters. ICAEW-regulated. Payroll outsourced to Moorepay. Never had a RoPA."

**What the skill will do:**
1. Ask 12 questions, pressing on: client categories (corporate + natural-person clients — both relevant), whether staff health data is processed (yes, sickness absence), whether AML checks record PEP/sanction data (yes — special category).
2. Produce RoPA entries for: Staff records, Client records, AML/KYC records, Marketing, Supplier contacts, Website analytics, Recruitment, Complaints.
3. Include a processor-side register if any client has specifically designated the firm as a processor (e.g. bookkeeping services where the firm acts under client instruction).
4. Flag that the Moorepay arrangement needs a current DPA on file; Mailchimp processing requires UK-IDTA (addendum to SCCs).
5. Include the ICAEW-relevant retention periods (7 years for most client records; AML records 5 years post-relationship-end).

## Notes for the requester

- **Exemption from Art. 30 is narrow.** Most SMBs process personal data regularly enough to need a RoPA. When in doubt, have one.
- **One entry per processing activity, not per system.** A CRM might hold data for three different processing activities (client records, marketing, recruitment) — each gets its own entry.
- **Don't confuse RoPA with privacy notice.** The RoPA is internal-facing (for you and the regulator); the privacy notice is external-facing (for data subjects). They are kept in sync, but they are different documents.
- **Retention periods must be defensible.** "Forever in case we need it" is not a retention period. Each period must be specific and tied to a legal or business reason.
- **Update before you expand a system, not after.** A new AI tool that now ingests client files changes multiple RoPA entries — update at the DPIA stage, not the year-end.
- **Good looks like:** the ICO can read the RoPA in under 30 minutes and understand everything the firm does with personal data, each entry has defensible retention, and the change log shows living maintenance — not a one-off document.

---
*VantagePoint Networks · <https://www.vpnetworks.co.uk> · Authored by Hak · Free under the MIT licence*
