Your ROPA contains all the relevant requirements set out in Article 30 of the GDPR.
Ways to meet our expectations:
- The ROPA includes (as a minimum):
- your organisation’s name and contact details, whether it is a controller or a processor (and where applicable, the joint controller, their representative and the DPO);
- the purposes of the processing;
- a description of the categories of individuals and of personal data;
- the categories of recipients of personal data;
- details of transfers to third countries, including a record of the transfer mechanism safeguards in place;
- retention schedules; and
- a description of the technical and organisational security measures in place.
- You have an internal record of all processing activities carried out by any processors on behalf of your organisation.
Can you answer yes to the following questions?
- Would staff say that you have effective processes in place to keep the record up to date, accurate and make sure that the data is minimised?
- Could staff explain their responsibilities and how they carry them out in practice?