This guide is for Irish businesses of all sizes that handle personal data, including startups with websites, analytics, customer or employee records, and those acting as data processors, such as SaaS providers.
It is a complete guide to ROPA requirements: building and maintaining a ROPA, avoiding DPC pitfalls, and using it for broader GDPR compliance and operational efficiency.
Key Takeaways
- Most Irish businesses require a ROPA under GDPR Article 30, regardless of size, if processing is not occasional or involves sensitive data.
- Controllers document purposes, data subjects, data categories, recipients, transfers, retention, and security; processors list their controllers and categories of processing.
- Build it through data mapping, use a simple format such as a spreadsheet, assign owners, and review regularly to stay current.
- Avoid mistakes such as vague entries, ignoring vendors, or treating the ROPA as a static document; the ROPA must be standalone.
- Beyond basic compliance, a ROPA supports DPIAs, data subject requests, and vendor management.

Every Irish business that handles personal data has a documentation obligation it cannot afford to ignore. A Record of Processing Activities (ROPA) is the foundational compliance document under GDPR Article 30, and the Data Protection Commission (DPC) can request yours at any time. If your organisation processes customer details, employee records, or website analytics, you almost certainly need one.
This guide explains what a ROPA is, when it is mandatory, what it must contain, and how to build and maintain one that satisfies the DPC.
What is a Record of Processing Activities?
A Record of Processing Activities is a written document that lists every way your organisation collects, uses, stores, shares, and protects personal data. Article 30 of the GDPR requires both data controllers and data processors to maintain their own version of this record.
For controllers, the ROPA captures the purposes of processing, the categories of data subjects, and the safeguards in place. For processors, it focuses on the categories of processing carried out on behalf of each controller. The DPC has described the ROPA as one of the means by which data controllers demonstrate and implement the principle of accountability under Article 5(2) GDPR.
A well-maintained ROPA is not just a compliance checkbox. It gives your organisation a clear map of where personal data flows, who has access, and how long it is kept. That map becomes essential when responding to data subject requests, conducting data protection impact assessments, or managing a breach.
When is ROPA mandatory for Irish businesses?
Article 30(5) provides a narrow exemption for organisations with fewer than 250 employees, but the exemption disappears if your processing is "not occasional", involves special category data, or includes criminal offence data. The European Data Protection Board (EDPB) has confirmed that normal business activities like running a website, keeping employee records, using analytics, or sending marketing emails do not qualify as occasional processing.
In practice, most Irish businesses need a ROPA regardless of size. Recent DPC guidance has reinforced this position. If you collect personal data from customers, employees, or website visitors as part of your regular operations, assume the requirement applies to you.
What this means: even a five-person startup running a website with analytics cookies and an email list falls outside the small-business exemption. We recommend that you build your ROPA now rather than scrambling when the DPC comes knocking.
What must a controller ROPA include?
A controller's ROPA must contain the following information for each processing activity:
- Name and contact details of the controller (and DPO, if appointed)
- Purposes of processing
- Categories of data subjects (customers, employees, website visitors)
- Categories of personal data (names, emails, financial details)
- Categories of recipients the data is shared with
- Details of international transfers and the safeguards used
- Retention periods for each data category
- A general description of technical and organisational security measures
Each processing activity should be recorded as a separate entry. The DPC expects the ROPA to be a standalone document that can be produced in readable form within ten days of a request.
For a broader overview of your GDPR obligations as a business, see our GDPR compliance guide for startups.
What must a processor ROPA include?
If your business processes data on behalf of other organisations, you need a processor ROPA. The requirements differ from those of a controller:
- Name and contact details of each controller you process for, and of the processor itself
- Categories of processing carried out for each controller
- Details of international transfers and safeguards
- A general description of security measures
Processor ROPAs are often overlooked by Irish businesses that act in dual roles. If you provide SaaS tools, managed services, or outsourced operations that involve handling another company's personal data, you need both a controller ROPA (for your own data) and a processor ROPA (for your clients' data). Make sure your data processing agreements align with what you document in your processor ROPA.
How do you build and maintain your ROPA?
In our experience, you should start with a data mapping exercise. Walk through every department and function in your business and identify where personal data enters, how it is used, where it is stored, and when it is deleted. Common sources of personal data include CRM systems, email platforms, payroll software, website forms, and analytics tools.
Choose a format that works for your team. A spreadsheet is perfectly acceptable for small businesses. In our experience, larger organisations may prefer dedicated privacy management software. The format does not matter to the DPC, but the document must be complete, accurate, and easy to update.
Assign ownership for each processing activity. Someone in your organisation should be responsible for keeping each entry current. When you launch a new product, change a vendor, or start collecting a new type of data, the ROPA must be updated.
Set a review cadence. At minimum, review your ROPA annually. Better practice is to review quarterly or whenever a significant change occurs. The DPC's enforcement activity has repeatedly found that many organisations treated their ROPA as a one-off exercise and failed to keep it current.
Author's tip: Link your ROPA review to your existing document retention schedule. When retention periods expire and data is deleted, your ROPA should reflect that change. Keeping both documents in sync reduces duplication and audit risk.
Common ROPA mistakes to avoid
DPC audits and enforcement activity have consistently identified several patterns of poor ROPA practice across Irish organisations:
- Treating ROPA as a one-off project. Compliance is ongoing. A ROPA that was accurate two years ago is almost certainly incomplete today.
- Listing activities too broadly. "We process customer data" tells the DPC nothing useful. Break processing down by specific purpose: order fulfilment, marketing communications, support ticket management.
- Listing activities too granularly. Recording every individual data field as a separate activity creates an unmanageable document. We recommend that you group related processing under clear purposes.
- Forgetting processor relationships. Every vendor that handles personal data on your behalf should appear in your ROPA. SaaS providers, cloud hosting, payroll services, and marketing platforms all count.
- Providing hyperlinks instead of information. The DPC found organisations that submitted ROPAs containing links to other documents rather than the required information. Your ROPA must be self-contained.
Please note: Providing a Data Protection Impact Assessment (DPIA) in place of a ROPA does not meet Article 30 requirements. These are separate obligations with different purposes.
Using ROPA beyond compliance
A well-built ROPA becomes a practical tool that supports several other GDPR obligations. It provides the foundation for data protection impact assessments by identifying high-risk processing activities before they become problems.
When a data subject submits an access request or an erasure request, your ROPA tells you exactly where their data is held and who has received it. That turns a potentially chaotic search into a structured response process.
Your ROPA also streamlines vendor management. When reviewing or renewing contracts with processors, you can cross-reference their processing activities against what your ROPA documents. Gaps between what a vendor does and what your records show create compliance risk, but that risk is straightforward to close once it has been identified.
Your next step
A ROPA is not an optional document. It is a legal requirement for the vast majority of Irish businesses, and the DPC actively checks for it. Start with a data mapping exercise, choose a format your team will actually maintain, and assign clear ownership for keeping it current.
If you already have a ROPA, review it against the controller and processor requirements listed above. As of March 2026, the DPC expects organisations to produce their ROPA within ten days of a request, so if anything is missing or outdated, now is the time to make sure yours is ready.

Laura Ryan is a practising Barrister at the Bar of Ireland. She graduated from the Honourable Society of King’s Inns in 2024, having previously qualified and practised as a Chartered Accountant in a big four accounting firm.













