As a matter of good practice, your organisation’s ROPA includes links to other relevant documentation, such as contracts or records.
Ways to meet our expectations:
- The ROPA also includes, or links to, documentation covering:
  - information required for privacy notices, such as the lawful basis for the processing and the source of the personal data;
  - records of consent;
  - controller-processor contracts;
  - the location of personal data;
  - DPIA reports;
  - records of personal data breaches;
  - information required for processing special category data or criminal conviction and offence data under the Data Protection Act 2018 (DPA 2018); and
  - retention and erasure policy documents.
Can you answer yes to the following questions?
- Are staff aware of the need to identify a lawful basis for processing personal data?
- Can they identify an appropriate lawful basis?
- Are they aware of the additional requirements to protect special category and criminal offence data?