ROPA requirements
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The "Plans for new and updated guidance" page tells you which guidance will be updated and when this will happen.
Your ROPA contains all the relevant requirements set out in Article 30 of the UK GDPR.
Ways to meet our expectations:
- The ROPA includes (as a minimum):
  - your organisation’s name and contact details, whether it is a controller or a processor (and where applicable, the joint controller, their representative and the DPO);
  - the purposes of the processing;
  - a description of the categories of individuals and of personal data;
  - the categories of recipients of personal data;
  - details of transfers to third countries, including a record of the transfer mechanism safeguards in place;
  - retention schedules; and
  - a description of the technical and organisational security measures in place.
- You have an internal record of all processing activities carried out by any processors on behalf of your organisation.
Can you answer yes to the following questions?
- Would staff say that you have effective processes in place to keep the record up to date and accurate, and to make sure that the data is minimised?
- Could staff explain their responsibilities and how they carry them out in practice?