The EU–UK Adequacy Extension: What Privacy Leaders need to know and do
The European Commission has proposed a six-month extension to the UK’s data adequacy decision, now likely to run until 27 December 2025. That might sound dry - even routine - but for privacy leaders in the UK, it’s a nudge: get your house in order. Because when the EU completes its review of the UK’s data protection regime, the outcome could significantly affect how we operate.
And if you're already juggling RoPAs, risk registers, and DSAR workflows, this news is your reminder: your Records of Processing Activities (RoPAs) must be more than box-ticking exercises. They're essential not only for demonstrating compliance but also for showing intent and seriousness in your approach to data governance.
Why is this happening?
The EU granted the UK an adequacy decision back in 2021, following Brexit. It was a practical move: without it, EU-UK data flows would have slowed to a crawl, hurting trade and operations overnight.
But that adequacy came with a condition - it expires unless renewed. So, as the UK pushes through the Data (Use and Access) Bill (DUA Bill), the EU is reviewing whether our laws still meet the standards set by the GDPR. Concerns have been raised, especially around government access to personal data and law enforcement powers. This six-month extension buys time for that review. It’s not a sign of confidence. It’s a sign of caution.
What’s at stake?
If the EU decides the UK’s data protection laws have diverged too far from the GDPR, it could revoke adequacy. That would mean companies relying on it to move data freely between the UK and EU would need new safeguards - think standard contractual clauses (SCCs), impact assessments, or binding corporate rules. In short: more work, more risk, more cost.
This is especially relevant for UK companies with EU customers, suppliers, staff, or cloud infrastructure. And even more so for those trying to scale in the EU market. Losing adequacy doesn’t shut the door, but it adds a heavy lock.
So, where do RoPAs come in?
Let’s be honest - RoPAs don’t excite many people. They’re often static, spreadsheet-based records. They’re created under duress, reviewed under audit, and forgotten in between.
But in the eyes of regulators, RoPAs are your proof. They show what personal data you collect, why, where it goes, and who touches it. They’re the bridge between your data map and your accountability.
With the UK in the adequacy spotlight, the quality of your RoPA reflects your intent. If yours is out-of-date, vague, or buried in someone’s desktop folder, it’s time to rethink.
Enter: dynamic RoPAs
This is where Horizon comes in. Horizon’s RoPA functionality was built to move past the compliance paperwork and actually give teams what they need: a living, breathing view of processing activities.
Instead of chasing teams across the business for updates, Horizon enables privacy teams to set up a simple workflow where each owner can manage their bit. You assign responsibilities, send nudges, and keep an eye on progress from a central dashboard.
Data discovery is integrated, so you’re not relying on best guesses. If someone is handling data they shouldn’t be, or if there’s processing with no lawful basis logged, you get flagged. You can also see how your processing activities link to other risks or controls - so your RoPA becomes a springboard for managing real privacy risks, not just a registry for audits.
And it’s export-ready. When regulators or clients ask, you’ve got a clean, accurate record ready to go - not a fire drill.
Why it matters now
With the adequacy review underway, now’s the time to show that your organisation hasn’t just kept pace - it’s stepped up. A robust, dynamic RoPA not only protects you if adequacy is lost - it sends a signal that your business takes data protection seriously, regardless of jurisdiction.
And if adequacy is renewed? Great. You’ve still ended up with a tool that helps you stay sharp, reduce manual work, and spot issues before they become liabilities.
What to do next
- Review your current RoPA. Is it complete? Accurate? Linked to real processing, or guesswork?
- Engage your stakeholders. Make sure each business unit knows what’s expected of them.
- Switch to a dynamic platform. If you’re managing your RoPA in spreadsheets or emails, you’re missing visibility. Horizon is one option - and it’s designed for privacy leaders who need simplicity without losing depth.
- Stay alert to the EU’s decision. Whatever the outcome, your RoPA will be your defence - and your differentiator.
What Horizon’s RoPA functionality actually gives you
- Live activity tracking: See who’s updated which records, when, and how - with built-in audit trails and history for every change.
- Processing owner accountability: Assign and remind owners directly in the system. No more manual chasing or silos.
- In-tool guidance: Customisable help text and drop-downs guide non-specialist users through the process, reducing training time and errors.
- Auto-flagging of gaps: Horizon highlights missing fields, inconsistencies, or unsupported purposes, prompting follow-up before an audit uncovers it.
- Risk overlay: Connect each processing activity to its relevant legal bases, risks, and controls - so your RoPA becomes a core risk management tool.
- Export to XLSX or PDF: Generate audit-ready records in seconds - no formatting nightmares or last-minute scrambles.
In short, Horizon turns the RoPA from an annual burden into an everyday advantage - especially in moments like this, when showing maturity isn’t optional.