Skip to main content

ROPA requirements

Contents

ROPA requirements

Your ROPA contains all the relevant requirements set out in Article 30 of the UK GDPR.

Ways to meet our expectations:

  • The ROPA includes (as a minimum):
    • your organisation’s name and contact details, whether it is a controller or a processor (and where applicable, the joint controller, their representative and the DPO);
    • the purposes of the processing;
    • a description of the categories of individuals and of personal data;
    • the categories of recipients of personal data;
    • details of transfers to third countries, including a record of the transfer mechanism safeguards in place;
    • retention schedules; and
    • a description of the technical and organisational security measures in place.
  • You have an internal record of all processing activities carried out by any processors on behalf of your organisation.

Can you answer yes to the following questions?

  • Would staff say that you have effective processes in place to keep the record up to date, accurate and make sure that the data is minimised?
  • Could staff explain their responsibilities and how they carry them out in practice?