Skip to content
Archived content. You are viewing v1 of SME Digital Advisor — the original multi-section site (risks, scenarios, policies, OWASP, flashcards). Go to current site →

Worksheet

Data Map / Record of Processing Activities (ROPA)

Four boxes. Five minutes.

A data map is the single most useful document for a customer security questionnaire, an ICO conversation, or your own peace of mind. UK GDPR Article 30 requires most businesses to keep a record of processing activities. Update annually.

How to use this: The bracketed items like [Company Name] are placeholders — replace them with your own details. Edit the wording to suit your business. This is a starter, not legal advice.

Customer data

WhatNames, emails, phones, addresses, orders, payments
WhereM365 SharePoint; Xero; HubSpot; [note any laptop / off-system locations]
Who reads[Sales (5), Finance (2), Directors (3)]
Legal basisContract / Legitimate interest
Retention6 years (HMRC) or earlier on request

Employee data

WhatNames, addresses, NI numbers, bank details, payroll
WhereHR system; payroll provider; M365
Retention6 years after leaver date

Financial data

WhatInvoices, ledgers, payments, reconciliation
WhereXero; bank portals; M365
Retention6 years (HMRC)

Supplier data

WhatContracts, contacts, IBAN / sort codes
Retention7 years after contract end

Tips for adoption

  • Do it on paper first.
  • Walk it past your accountant and HR lead.
  • Update annually.