A record of processing activities (ROPA) is required in order to help demonstrate that an organisation processes personal data in accordance with the data protection principles. It identifies how the organisation processes personal data and the activities which it undertakes.
Your ROPA must contain the following:
- The name and details of your organisation (and where applicable, of other Controllers, your representative, and Data Protection Officer)
- The reasons for the processing of personal data
- A description of the categories of individuals and categories of their personal data
- Categories of recipients of personal data
- Details of any transfers to third countries including the safeguards in place
- How long personal data is retained
- A description of technical and organisational security measures
ProvePrivacy is designed to provide much of this evidence in order that, in conjunction with other evidence, such as evidence of your technical and organisational measures a complete record can be provided to a supervisory authority on demand.
A ROPA must be maintained if an organisation:
- employs 250 or more employees
- processes personal data which might result in a risk to the data subject
- processes personal data which includes special categories of data
- processes personal data relating to criminal convictions and offences; or
- processes personal data in a way which is not occasional
In the event of an investigation the supervisory authority may request these records and having them in place may mitigate any sanctions.