Policy Pros

Written by Joanne Hughes, Policy & Compliance Specialist at Policy Pros

Creating an IAR (Information Asset Register) for GDPR

An Information Asset Register (IAR) is a structured inventory that lists and describes an organisation's information assets. These assets can range from physical documents to digital files, databases, and cloud-hosted systems. The primary objective of an IAR is to give organisations a clear view of what information they hold, where it is stored, who is responsible for it, and who has access to it.

For UK organisations, maintaining an IAR is not simply good practice — it is a practical necessity for complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Specifically, Article 30 of the UK GDPR places a legal obligation on controllers and processors to maintain records of their processing activities, commonly known as a Record of Processing Activities (ROPA). An IAR and a ROPA are closely related documents, and understanding the distinction between them is the first step towards compliance.

IAR vs ROPA: Understanding the Difference

Although the terms Information Asset Register and Record of Processing Activities are sometimes used interchangeably, they serve different — though overlapping — purposes.

An IAR is a broader organisational tool that catalogues all information assets, including those that do not contain personal data. It captures details about asset ownership, storage locations, security classifications, retention periods, and business continuity requirements. An IAR supports information governance, risk management, and operational efficiency across the entire organisation.

A ROPA, by contrast, is a specific legal requirement under Article 30 of the UK GDPR. It focuses exclusively on the processing of personal data. The ROPA must document the purposes of processing, the categories of data subjects and personal data, recipients, international transfers, retention periods, and a general description of technical and organisational security measures.

In practice, many organisations build their IAR to incorporate all the fields required by Article 30, effectively combining the IAR and ROPA into a single comprehensive document. This approach is efficient, provided the ROPA-specific fields are clearly identifiable and complete.

What Article 30 Requires

Article 30 of the UK GDPR sets out mandatory record-keeping obligations for both data controllers and data processors. The Information Commissioner's Office (ICO) has issued detailed guidance on what these records must contain.

For Data Controllers (Article 30(1))

The records must include:

  • The name and contact details of the controller, and where applicable, the joint controller, the controller's representative, and the Data Protection Officer (DPO)
  • The purposes of the processing
  • A description of the categories of data subjects and the categories of personal data
  • The categories of recipients to whom personal data has been or will be disclosed, including recipients in third countries or international organisations
  • Where applicable, transfers of personal data to a third country or international organisation, including identification of the country and the safeguards in place
  • Where possible, the envisaged time limits for erasure of the different categories of data (retention periods)
  • Where possible, a general description of the technical and organisational security measures in place

For Data Processors (Article 30(2))

Processors must maintain records containing:

  • The name and contact details of the processor(s) and of each controller on whose behalf the processor is acting, and where applicable, the DPO
  • The categories of processing carried out on behalf of each controller
  • Where applicable, details of international transfers and the safeguards in place
  • Where possible, a general description of technical and organisational security measures

Organisations with fewer than 250 employees are exempt from the record-keeping requirement unless the processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or criminal conviction data. In practice, this exemption is extremely narrow, and the ICO recommends that all organisations maintain Article 30 records regardless of size.

Step-by-Step Guide to Building an IAR

Creating an IAR from scratch can seem daunting, but breaking the process into clear stages makes it manageable. The following steps provide a practical framework.

Step 1: Define the Scope

Determine what the IAR will cover. Will it encompass all information assets (personal and non-personal data), or will it focus solely on personal data processing to satisfy Article 30? For most organisations, the broader approach delivers greater value, as it supports information governance, cyber security, and business continuity alongside data protection compliance.

Step 2: Identify Your Information Assets

Conduct a data mapping exercise across all departments and functions. Speak to process owners, review existing documentation, and examine your IT systems, file shares, cloud platforms, email systems, and physical storage locations. For each asset, record:

  • A descriptive name for the asset or processing activity
  • The department or team responsible
  • The physical or digital location where the data is stored
  • Whether the data contains personal data, special category data, or criminal offence data

Step 3: Populate the Required Fields

For each information asset, complete the following fields (at minimum):

  • Asset name/description — a clear, plain-language name for the asset or processing activity
  • Information Asset Owner (IAO) — the individual accountable for the asset
  • Purpose of processing — why the data is collected and used
  • Lawful basis — the Article 6 (and where applicable, Article 9) lawful basis relied upon
  • Categories of data subjects — e.g., employees, customers, patients, suppliers
  • Categories of personal data — e.g., names, addresses, financial details, health data
  • Source of the data — whether collected directly from the data subject or from a third party
  • Recipients/third parties — who the data is shared with, including processors
  • International transfers — whether data is transferred outside the UK, and the safeguard mechanism used
  • Retention period — how long the data is kept and the justification
  • Security measures — the technical and organisational controls protecting the data (e.g., encryption, access controls, pseudonymisation)
  • Storage format and location — digital, paper, or both; specific system or physical location

Step 4: Assign Ownership

Every information asset should have a clearly designated Information Asset Owner (IAO). The IAO is typically a senior individual within the relevant department who is accountable for ensuring the asset is properly managed, protected, and kept up to date. In larger organisations, IAOs may report to a Senior Information Risk Owner (SIRO).

Step 5: Assess and Record Risks

For each asset, consider the risks associated with its processing. This includes risks to confidentiality, integrity, and availability. Where processing is likely to result in a high risk to data subjects, a Data Protection Impact Assessment (DPIA) may be required under Article 35 of the UK GDPR. Record whether a DPIA has been completed and link to the relevant assessment.

Step 6: Review and Approve

Once the IAR is populated, it should be reviewed by the Data Protection Officer (DPO), or the individual responsible for data protection compliance, to ensure completeness and accuracy. Senior management sign-off demonstrates organisational commitment to information governance.

Template Structure for an IAR

A practical IAR is typically maintained as a spreadsheet or within a dedicated information governance tool. A recommended template structure includes the following columns:

  • Reference number
  • Asset/processing activity name
  • Department/function
  • Information Asset Owner
  • Description of processing
  • Lawful basis (Article 6 and Article 9 where applicable)
  • Categories of data subjects
  • Categories of personal data
  • Special category or criminal offence data (yes/no)
  • Data source
  • Recipients and third parties
  • International transfers (yes/no; safeguard mechanism)
  • Retention period
  • Storage format and location
  • Security measures
  • DPIA required/completed (yes/no)
  • Date of last review
  • Next review date

This structure satisfies both the Article 30 ROPA requirements and the broader information governance objectives of a full IAR.
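The checks an organisation would run over such a register at each review (are the Article 30 fields populated, does special category data carry an Article 9 condition, does every international transfer name a safeguard, is a required DPIA done, is the review date overdue) can be automated once the template columns are fixed. The following is an added illustration, not a Policy Pros template or any ICO tool: the field names mirror the column list above and the Step 3 fields, the register entries are constructed sample data, and the rules encoded are assumptions about how one might express the completeness checks described in this article.

```python
"""IAR entry checker: flags Article 30 gaps and follow-on actions.

Added example for illustration; not Policy Pros' template or any official tool.
Column names mirror the template in the article; the rules are assumptions
about how an organisation might automate its periodic register review.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Article 30(1) items that must be populated for an entry to stand as a ROPA
# record. (Assumption: lawful basis is not an Article 30 item, so it is
# checked separately below.)
ARTICLE_30_FIELDS = (
    "asset_name", "owner", "purpose", "data_subjects", "personal_data",
    "recipients", "retention_period", "security_measures",
)


@dataclass
class IAREntry:
    """One row of the register; field names follow the template columns."""
    reference: str
    asset_name: str = ""
    department: str = ""
    owner: str = ""                      # Information Asset Owner (IAO)
    purpose: str = ""
    lawful_basis_art6: str = ""
    lawful_basis_art9: str = ""          # needed only for special category data
    data_subjects: List[str] = field(default_factory=list)
    personal_data: List[str] = field(default_factory=list)
    special_category: bool = False
    data_source: str = ""
    recipients: List[str] = field(default_factory=list)
    international_transfer: bool = False
    transfer_safeguard: str = ""         # adequacy regulations or contractual safeguard
    retention_period: str = ""
    storage: str = ""
    security_measures: List[str] = field(default_factory=list)
    dpia_required: bool = False
    dpia_completed: bool = False
    last_review: Optional[date] = None
    next_review: Optional[date] = None


def validate_entry(entry: IAREntry, today: date) -> List[str]:
    """Return findings for one entry; an empty list means the entry passes."""
    findings = []
    for name in ARTICLE_30_FIELDS:
        if not getattr(entry, name):
            findings.append(f"Article 30 field '{name}' is empty")
    if entry.personal_data and not entry.lawful_basis_art6:
        findings.append("personal data recorded without an Article 6 lawful basis")
    if entry.special_category and not entry.lawful_basis_art9:
        findings.append("special category data without an Article 9 condition")
    if entry.international_transfer and not entry.transfer_safeguard:
        findings.append("international transfer recorded without a safeguard mechanism")
    if entry.dpia_required and not entry.dpia_completed:
        findings.append("DPIA required but not completed")
    if entry.next_review is None:
        findings.append("no next review date set")
    elif entry.next_review < today:
        findings.append(f"review overdue since {entry.next_review.isoformat()}")
    return findings


def validate_register(entries: List[IAREntry], today: date) -> Dict[str, List[str]]:
    """Map each reference number to its list of findings."""
    return {e.reference: validate_entry(e, today) for e in entries}


AUDIT_DATE = date(2024, 6, 1)   # constructed audit date for the sample run

# Constructed sample register: one complete entry and one with several gaps.
SAMPLE_ENTRIES = [
    IAREntry(
        reference="IAR-001", asset_name="Payroll system", department="HR",
        owner="Head of HR", purpose="Calculating and paying staff salaries",
        lawful_basis_art6="Contract", data_subjects=["employees"],
        personal_data=["name", "bank details", "salary"], data_source="Data subject",
        recipients=["Payroll bureau (processor)", "HMRC"],
        retention_period="6 years after employment ends", storage="Cloud payroll platform",
        security_measures=["encryption at rest", "role-based access"],
        last_review=date(2024, 1, 15), next_review=date(2025, 1, 15),
    ),
    IAREntry(
        reference="IAR-002", asset_name="Occupational health referrals", department="HR",
        purpose="Managing staff sickness absence", lawful_basis_art6="Legal obligation",
        data_subjects=["employees"], personal_data=["name", "health data"],
        special_category=True, data_source="Data subject",
        recipients=["Occupational health provider (processor)"],
        international_transfer=True, storage="Shared drive",
        security_measures=["access controls"], dpia_required=True,
        last_review=date(2023, 1, 31), next_review=date(2024, 1, 31),
    ),
]


def audit_sample_register() -> Dict[str, List[str]]:
    """Run the checks over the constructed sample as of AUDIT_DATE."""
    return validate_register(SAMPLE_ENTRIES, AUDIT_DATE)


if __name__ == "__main__":
    for ref, findings in audit_sample_register().items():
        print(ref, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run as a script it prints IAR-001 as OK and lists six findings for IAR-002 (no owner, no retention period, no Article 9 condition, a transfer without a safeguard, an outstanding DPIA and an overdue review). In practice the register would be read from the spreadsheet or governance tool rather than hard-coded, and the findings list becomes the agenda for the IAO and DPO at the review meeting.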

The Role of the Data Protection Officer

Under Articles 37 to 39 of the UK GDPR, certain organisations are required to appoint a DPO — specifically public authorities, organisations that carry out large-scale systematic monitoring, or those that process special category data on a large scale. Even where appointment is not mandatory, the ICO recommends that organisations designate someone to take responsibility for data protection compliance.

The DPO's responsibilities in relation to the IAR include:

  • Advising on the design and structure of the IAR to ensure it meets Article 30 requirements
  • Reviewing the IAR for completeness, accuracy, and consistency
  • Ensuring the IAR is updated when new processing activities are introduced or existing ones change
  • Using the IAR as a basis for identifying processing activities that require a DPIA
  • Making the IAR available to the ICO on request, as required by Article 30(4)

Review Frequency and Maintenance

An IAR is not a one-off document. It must be treated as a living record that is regularly reviewed and updated. The ICO expects organisations to keep their records of processing activities current and accurate. Best practice recommendations include:

  • Formal review at least annually, with a documented review date and sign-off by the IAO and DPO
  • Triggered reviews whenever there is a significant change to processing activities, such as the introduction of a new system, a change of processor, or a data breach
  • Quarterly spot checks on a sample of entries to verify accuracy
  • Integration with change management processes — any new project or system involving personal data should include an IAR update as part of the project governance

Failure to maintain up-to-date records can constitute a breach of Article 30 and may be taken into account by the ICO when assessing an organisation's overall compliance posture, particularly in the context of a data breach investigation or a complaint.

ICO Enforcement and the Consequences of Non-Compliance

The ICO has the power to audit organisations' compliance with the UK GDPR, including their Article 30 record-keeping obligations. Under the Data Protection Act 2018, the ICO can issue assessment notices requiring organisations to provide information about their processing activities, and enforcement notices requiring specific actions to achieve compliance.

While the ICO has generally taken a proportionate approach to enforcement — focusing its resources on serious or systemic breaches — the absence of an adequate IAR or ROPA can compound the consequences of other failures. For example, if an organisation suffers a data breach and cannot demonstrate what personal data was affected, where it was stored, or who had access, the ICO may view this as evidence of a broader failure in accountability and governance.

Fines for breaches of Article 30 can be issued under the lower tier of the UK GDPR's penalty framework — up to £8.7 million or 2% of annual global turnover, whichever is higher. However, the reputational damage and operational disruption caused by poor information governance can be equally significant.

How Policy Pros Can Help

Building and maintaining an IAR requires a clear understanding of both the legal requirements and the practical realities of information management. Our team writes bespoke data protection and confidentiality policies and supporting documentation, including IAR templates, ROPA frameworks, and data mapping guidance tailored to your organisation's size, sector, and processing activities.

Whether you are starting from scratch, preparing for an ICO audit, or updating your records following a change in processing, our policy and procedure writing services provide the expertise you need to get your information governance right. We work with organisations across the public, private, and voluntary sectors throughout the UK.

Please get in touch below to discuss your requirements.
