Record of Processing Activities

The Record of Processing Activities (ROPA) is requirement of most organisations as defined in article 30 of the GDPR.  Even if not required by law the ROPA forms the baseline for data protection compliance as it allows an organisation to evidence where personal data is used and identifies data usage risk.

By establishing a small network of data champions your organisation you can determine where data is processed.  This allows your Data Protection Officer (DPO or equivalent) to obtain a holistic view and provides the ability to demonstrate compliance.

Activity Workflow

The ROPA can be updated through our Activity Workflow, allowing your Data Champions to update in a natural way, through workshops, one to ones or lone assessments.  Dynamic screen building, natural language and help text assists as they progress.

Assisted Assessments

As information is added to the ROPA risks are identified and added to your risk log.  ProvePrivacy provides user feedback throughout.  Our assisted assessments inform action plans and provide guidance on whether an activity should be referred to the DPO.

Compliance Hotpots

Identify where your risks are at a glance, identify which department, supplier or activity requires further remediation and receive recommendations for next steps.

Supplier Management

The data sharing assessment allows allows you to understand where personal data is shared with your suppliers.  It enables you assess the compliance of your contracts, demonstrate that your data remains secure and even store supplier documentation alongside the supplier assessment.

Data Retention

The Data Management assessment allows you to identify where data is stored in your organisation both whilst it is ‘in use’ and ‘in retention’ and informs your data retention periods and rationale.

High Risk & DPIA

It is one thing having a Data Protection Impact Assessment (DPIA) template, but when do you need to complete it.  Our high risk assessment uses the information that you have entered about an activity to highlight when a DPIA is needed and it then walks you through the process of assessing the risk.

Data Breach Management

The data breach management module allows any ProvePrivacy user to raise an incident relating to a suspected data breach.  Once raised ProvePrivacy will notify the DPO of the breach and allow them to establish an investigation team. 

ProvePrivacy guides the team through the circumstances and the consequences of the incident which allows the team to build the supervisor breach report.  All incidents are logged so that your organisation can demonstrate both reported breaches and near misses.

Breach Management

The incident reporting process is simple meaning there are fewer obstacles to logging an incident meaning you learn of them faster.  Once an incident is logged your lead investigator can manage the breach step by step, including reporting to the supervisory authority or other interested parties.

Report Generation

If a breach is reportable, ProvePrivacy will generate the supervisor breach report to allow you to email it on to the relevant regulatory authority.  This means that that there is no re-entering information already collected by ProvePrivacy.

Data Subject Rights Management

The data subject rights management module allows any ProvePrivacy user to raise an incident relating to a data subjects request.  The module will allow a data subject access request (DSAR), right to be forgotten, and all other data subjects rights to be raised.

By building into ProvePrivacy each of the UK exemptions, your investigators can easily identify if they can be applied to a specific incident, potentially reducing the effort required.

Data Subjects Rights

The Data Subject Rights module allows you to manage requests from data subjects such as a data subject access request (DSAR) or the ‘right to be forgotten’.  As well as managing the process ProvePrivacy maintains a log of requests so that you can demonstrate compliance.


There are a large number of complex exemptions available when dealing with data subjects rights, and not all can be applied to all requests.  ProvePrivacy only allows the relevant exemptions to be selected and recorded meaning your investigation teams can focus on responding to relevant parts of the request.

Risk Management

One clear advantage of ProvePrivacy is the ability to manage risks identified in different areas of the business.  Data breaches, data subjects rights requests, the ROPA etc all enable risks to be identified and logged.

The risk module is the central place for all risks it allows for risks to be assessed, graded and action plans put in place.  

Risk Management

ProvePrivacy naturally identifies risks and allows you to manage them through our Risk Management module as it learns more about your organisation.  You can add your own risks as you identify them providing a single place to monitor your data protection risks.

Action Planning

Each risk can hold its own mitigation plan which includes any number of actions.  Action planning allows you to allocate individual actions to staff and monitor their completion, providing a single viewpoint of progress.

Information Request Management

The Information Request module allows for a request for information to be recorded.  Typically this would be a request for none personal information such as a Freedom of Information Request, Environment Information Regulations request or a request from other bodies.

ProvePrivacy informs the appropriate teams that a request has been raised and notifies them of the progress of the request and when further actions are required.

Incident Reporting

The incident reporting process is simple meaning there are fewer obstacles to logging an incident meaning you learn of them faster.  Once an incident is logged your lead investigator can manage the breach step by step.  Information is collected throughout the process allowing for management information to be produced at a later date.

Risk Identification

Like all of the ProvePrivacy modules, there is the ability to add associated risks to an incident.  This allows the incident and the associated risk to be managed separately.

Information Asset Register

Coming Soon 

The Information Asset Register will be inked to the ROPA to show all of the assets which are used as part of your processing activities and it will allow you to understand the risks associated with each asset, whist it is in use and whilst the data is in retention.

Once an asset has been added further detail can be added to ensure business continuity details are managed.

Data Retention

A data retention schedule is included to allow your data champions to select the document type so that ProvePrivacy can set the schedule according to standard schedules.

Business Continuity

The Infornmation Asset Register allows for all assets to be understood and if deemed critical, the business continuity characteristics can be recorded to help you define your approach.

Policy Management

Our policy module allows each document owner to add policy, procedure or standard forms to ProvePrivacy.  Any policy can be added for any department (you are not restricted to data protection) and once added will be assigned to the appropriate staff to be read. 

ProvePrivacy maintains a record of who has read and understood each document and the document owner is reminded annually to review policy and to re-issue.  This demonstrates that colleagues understand policy at regular intervals.

Policy Management

Policy Management enables the management of all company policies (not just data protection).  It provides evidence that all of the required staff have ‘read and understood’ the policies on an annual basis.  In addition it ensures the document owners regularly review and update policies to keep them current.

Policy Review Reminders

A document owner is asked to provide a document review date when putting each document live, ProvePrivacy uses this date to issue a reminder to the document owner to ensure that all policies are regularly reviewed and remain in line with regulation changes.  Once reviewed all appropriate colleagues will need to re-read the revised policy ensuring that all colleagues remain up to date.

Technical & Organisational Measures

Being able to evidence how an organisation is ensuring data protection through technical and organisational measures is a key element of meeting the requirements of article 30. 

ProvePrivacy uses international standards as the basis to evidence that controls are in place and are evidenced.

ISO 27001

Set your objectives for data management against the objectives and controls set out in the ISO 27001 standard.  Use ProvePrivacy to determine which controls are in scope and make effective plans to put these controls in place.  Once the controls are effective upload evidence to show that your organisation meets the controls.  

ISO 27701

ProvePrivacy allows you to set your objectives and controls against the ISO 27701, this is an extension to 27001 which focuses primarily of privacy information management.  Most of the controls contained in this standard are met by ProvePrivacy therefore meeting the standard is made simpler..


The knowledgezone is the e-learning module provided within ProvePrivacy.  Training includes the Data Protection and Security Awareness course as well as tutorials on how to use ProvePrivacy and the importance of breach reporting etc.  

Tutorial Videos

Tutorial videos are available to all colleagues and provide short introductions to different topics from system usage to more detail on data protection topics which help them in performing their duties.

Staff Awareness

The Online Training module enables you to demonstrate that staff have completed the data protection & security awareness training, providing staff with CPD for their development records. 

Additional Courses

We are always adding additional courses provided by our sister company knowledgezone.  Other courses are available at an additional cost, such as Health & Safety in the Office and Modern Slavery Awareness.

Custom Courses

If you have video course material of your own these can be added to ProvePrivacy.  This will enable you to use the evidencing reporting in ProvePrivacy to evidence that your own courses have been completed by colleagues.

Reporting & Support

Reporting provides you with the ability to demonstrate compliance with reports highlighting which colleagues have undertaken training, understand policy etc.

If you need more support, we can provide this directly or through our network of partners.


Reporting covers risk management, action planning, staff awareness, policy completion, breach reporting and data subject rights.  Plus, if there are any additional reports you require we will develop them for you and add them…just add a Feature Request.

Advice & Support

ProvePrivacy is supported by our partner network of data protection professionals, cyber security experts and consultant DPOs.  If you are struggling to determine the best course of action, a simple help request and we can provide the advice and support you need.