ROPA software automates the record of processing activities that Art. 30 GDPR requires controllers and processors to maintain — replacing the spreadsheet that goes stale the moment your business changes. A proper tool captures the full Art. 30(1) field model (purposes, categories of data subjects and data, recipients, transfers, retention, security measures), links each activity to its legal basis and processors, and produces the export a supervisory authority asks for first in any audit. The realistic 2026 shortlist for EU organisations: Legiscope, Dastra, OneTrust and TrustArc — differing sharply on price, localisation and how much manual maintenance they leave you. This guide covers what the record must contain and how the tools compare.
The ROPA is not paperwork for its own sake. It is the first document every DPA requests when an inspection or complaint lands, and an incomplete one is itself evidence of an Art. 30 breach.
Key Takeaways
- Art. 30 GDPR requires a structured record of every processing activity — the field model is prescriptive, not free-form.
- Spreadsheet ROPAs rot: no version control, no multi-entity view, and processor chains that change faster than anyone updates the file.
- A tool must capture the full Art. 30(1) field set and keep it linked to legal bases, processors and retention rules.
- Budget EUR 1,500-15,000/year for SME-to-mid-market ROPA tooling; enterprise suites run far higher and are over-scoped below ~300 staff.
Why Spreadsheet ROPAs Rot
Almost every organisation starts its ROPA in Excel. It works for exactly as long as the business stands still — which is never.
- No version control. Who changed the retention period on the HR activity, and when? A spreadsheet cannot tell you, which is fatal for accountability under Art. 5(2) GDPR.
- Processor chains drift. Every new SaaS tool adds a processor and often a sub-processor. Manually reconciling the spreadsheet against reality is the task everyone skips.
- Multi-entity chaos. Two entities become five; each keeps its own file with its own columns. Producing a group-level view for an auditor becomes a week of copy-paste.
- Cross-references break. A ROPA should link each activity to its legal basis, its DPIA (if any) and its transfer mechanism. Spreadsheets store these as loose text that no one keeps in sync.
The real cost of maintaining a manual record is quantified in our analysis of manual ROPA creation cost — it is consistently higher than the software that replaces it.
The Article 30 Field Model a Tool Must Capture
Art. 30(1) GDPR sets out exactly what a controller’s record must contain. Any tool that omits a field leaves a gap an auditor will find:
- Name and contact details of the controller, joint controllers, representative and DPO;
- Purposes of the processing;
- Categories of data subjects and of personal data;
- Categories of recipients, including those in third countries;
- Transfers to third countries and the safeguards used;
- Retention periods (envisaged time limits for erasure);
- A general description of the technical and organisational security measures (Art. 32 GDPR).
Processors keep a narrower record under Art. 30(2). The EDPB has addressed the narrow Art. 30(5) derogation for organisations under 250 employees — which, because it falls away for regular processing or special-category data, exempts almost no active business. Our Art. 30 ROPA data fields template breaks down each field, and the full workflow sits in our GDPR ROPA complete guide.
ROPA Software Compared
| Tool | Strengths | Watch-outs | Pricing |
|---|---|---|---|
| Legiscope | EU-hosted, lawyer-built templates, links activities to legal bases and processors automatically | Not a consent-banner tool | SME tiers; on request |
| Dastra | Clean UX, strong ROPA module, low entry price | French-first templates; verify local specifics | From ~EUR 79/month |
| OneTrust | Deepest data-mapping, auto-discovery, connectors | Enterprise cost and months of setup | EUR 30,000-100,000+/yr |
| TrustArc | Mature assessments and mapping | US-centric, limited EU localisation | Enterprise, on request |
For a category-wide view, see our record of processing activities guide and the ranked best GDPR compliance software comparison. If you only need the document itself to start, our ROPA template is the fastest on-ramp before you automate.
What ROPA Software Costs in 2026
| Company profile | Annual budget | What you get |
|---|---|---|
| SME 10-50 | EUR 1,500-6,000 | EU platform, guided ROPA, DSAR |
| SME 50-300 | EUR 5,000-15,000 | Multi-entity ROPA, processor management |
| 300+ / enterprise | EUR 25,000-100,000+ | Auto-discovery, connectors, OneTrust/TrustArc territory |
The spreadsheet is not free: it is priced in the hours your DPO or ops lead spends reconciling it, plus the risk premium of handing an auditor an out-of-date record. Automation converts a recurring manual burden into a maintained, exportable asset.
Two hidden costs decide the real total. The first is onboarding: some vendors charge implementation fees or bill consulting days to configure templates — ask before signing. The second is per-seat licensing for read-only legal or audit users, which can double a quoted price at a mid-market company. A transparent SME tool avoids both; enterprise suites rarely do. When you compare quotes, normalise them to cost per maintained activity per year, not headline licence price — that is the number that reflects what you actually pay to keep the record defensible.
Buyer Mistakes That Waste the ROPA Budget
Three mistakes recur when companies buy ROPA tooling. The first is buying auto-discovery before understanding your own processing — an enterprise engine that crawls your systems produces a list of data stores, not a lawful record; someone still has to attach purposes, legal bases and retention to each activity, and that judgement work is the actual job. The second is treating the ROPA as a one-time build. A record created in a launch sprint and never touched is out of date within a quarter, and an auditor reading a register last edited eighteen months ago sees an accountability failure, not a document. The third is letting the field model degrade into free text — a “recipients” column filled with vague phrases like “various partners” satisfies no one, whereas Art. 30(1) expects categories precise enough to act on. Buy the tool that enforces the field model and keeps the record living, not the one with the flashiest discovery demo.
From Template to Tool: The Right Sequence
The mistake is buying enterprise auto-discovery before you understand your own processing. The pragmatic path:
- Draft the record from a structured template so you learn your activities.
- Automate once maintenance — not creation — is the bottleneck, moving into a platform that keeps the record current as processors and purposes change.
- Scale to auto-discovery and connectors only when entity count and data volume justify the enterprise price.
Most 10-300 employee companies live comfortably at step 2. Auto-discovery is a feature that sells enterprise demos and rarely changes an SME’s actual risk.
One sequencing rule saves real money: migrate your existing spreadsheet into the tool rather than rebuilding from scratch. A good platform imports a structured register, so the months of work already sitting in your Excel file become the starting point, not wasted effort. Ask the vendor to run that import during the trial, on your real file — if it chokes on your columns, the “days to value” claim was written for their template, not your data. The goal at step 2 is a record that stays current with less effort than the spreadsheet demanded; the migration is where that saving either materialises or quietly disappears, so treat it as a selection criterion, not an afterthought.
FAQ
What is ROPA software?
ROPA software automates the record of processing activities required by Art. 30 GDPR. It captures the prescribed field model, links each activity to its legal basis, processors and retention rules, keeps a version history for accountability, and exports the record in the format a supervisory authority requests during an audit.
Is a spreadsheet ROPA GDPR-compliant?
A spreadsheet can technically satisfy Art. 30 on day one, but it fails in practice: no version control, no reliable processor tracking, and no multi-entity view. Since the record must be kept accurate and produced on request, most organisations find a maintained tool is the only way to stay compliant as the business changes.
Does my company need a ROPA?
Almost certainly. The Art. 30(5) exemption for organisations under 250 employees does not apply where processing is regular, involves special-category data, or is likely to result in risk — which covers essentially any active business running HR, marketing or a data product. Assume you must maintain a record.
How much does ROPA software cost?
Roughly EUR 1,500-6,000/year for a 10-50 person company and EUR 5,000-15,000 for 50-300, using an EU platform. Enterprise suites with auto-discovery run EUR 25,000-100,000+ and are generally over-scoped below 300 employees.
Conclusion
The ROPA is the document an auditor asks for first, so it is the worst place to rely on a spreadsheet that no one has updated since the last reorganisation. ROPA software earns its price by keeping the Art. 30 field model complete and current as your purposes, processors and entities change — and by producing a clean export on demand. Draft from a template to learn your processing, then automate when maintenance becomes the bottleneck. For EU companies wanting lawyer-grade templates and automatic linking of activities to legal bases, Legiscope is a strong fit; Dastra is a capable low-cost entry; reserve OneTrust and TrustArc for genuine enterprise scale.
See Legiscope in action
AI-powered GDPR compliance that saves 340+ hours/year. Trusted by compliance professionals across Europe.
Request a demo



