Please ensure you read and understand how to complete the form before progressing.

What is RoPA?

RoPA stands for Records of Processing Activities. It is part of the GDPR which states that “a controller must maintain a record of processing activities (RoPA) under its responsibility, including all types of processing activities”, including “all categories of processing activities”.

Furthermore, the records must be kept in writing, including in electronic form. Note that processing is not limited to the collection of personal data: the definition also covers data that is kept stored in data assets.

Why do we need to do it?

The basic purpose of RoPA is to serve as evidence or an audit trail, giving the supervisory authority in your region a clear picture of how you handle the processing of personal data. If a business is found to be non-compliant in any way under the GDPR, the supervisory authority has the power to impose hefty fines.

However, apart from external auditing, RoPA can also play a critical role in self-auditing. Self-auditing enables businesses to answer the what, why, when, where and how of personal data processing, providing a window into overall processing activities, shortcomings, and opportunities for improvement and for better data quality.

What mandatory information is required?

  • The name and contact details of the controller or their representative or the data protection officer.
  • The purpose of processing.
  • The categories of data subjects and the special categories of personal data being processed.
  • The time period for the retention of different categories of personal data.
  • A description of the technical and organizational security measures in place at the organization.

When would I need to update this?

Update the form if any of the information changes, for example a change in staff so that someone new is processing this data, or the data moving to a new system or being saved somewhere different. Try to include the RoPA form as part of your own processing, so that whenever you create a new data activity you complete this form as soon as that data is created. We will also send an annual reminder to check that your processes are up to date.

If you need to cancel a RoPA

If your processes change (for example a change in systems or where you store data) please complete the ‘Cancel a RoPA Form’ and then use the RoPA form to add a new one if needed.

How to complete our RoPA form

The first section should be completed by the main named controller of the data; there is a further section later where extra names can be added.

Name of business function – for example ‘Annual Gas Service’

Purpose of processing – for example ‘to maintain service schedule’

Retention Schedule – How long will you keep this information?

Process relating to data – for example ‘Data stored in QL system and records extracted to produce a spreadsheet of addresses due which then is saved. Letters created from system and saved.’

Where is the data stored? – for example ‘QL, OneDrive’

What format is the data in? – for example ‘System data, Excel and Word’

Is this personal data? – yes or no. If names are included then this is personal data. According to GDPR, ‘assume that the term “personal data” should be as broadly interpreted as possible’, so if in doubt, class it as personal data.

Risks/Impact – For example, a breach involving the sensitive personal information of vulnerable people, or financial information that may lead to identity fraud, is likely to be a high-risk situation; in such cases you can enter statements such as ‘sensitive personal information’ or ‘financial information’.

Data Sharing – for example, if the information is sent to a contractor.

Safeguarding – If the data is sent externally, what safeguards are in place? For example, if it is emailed, is the spreadsheet or letter password protected, and does the contractor have their own GDPR measures in place?

Is there a joint data controller? This is anyone else who processes the data.

If yes, please name those who have access to this data.

You can now choose to add another record without having to enter your own details again, or you can submit.

This information will then be sent to a secure mailbox and stored on our server.