The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

ROPA requirements

Your ROPA contains all the information required by Article 30 of the GDPR.

Ways to meet our expectations:

  • The ROPA includes (as a minimum):
    • your organisation’s name and contact details, whether it is a controller or a processor (and where applicable, the joint controller, their representative and the DPO);
    • the purposes of the processing;
    • a description of the categories of individuals and of personal data;
    • the categories of recipients of personal data;
    • details of transfers to third countries, including a record of the transfer mechanism safeguards in place;
    • retention schedules; and
    • a description of the technical and organisational security measures in place.
  • You have an internal record of all processing activities carried out by any processors on behalf of your organisation.

Can you answer yes to the following questions?

  • Would staff say that you have effective processes in place to keep the record up to date and accurate, and to make sure that the data is minimised?
  • Could staff explain their responsibilities and how they carry them out in practice?