ProvePrivacy Logo | Blue Green

Back to home

Processing Activities

Record of Processing Activities

Processing Activities | ProvePrivacy | Article Image 26

< Back

You are here: 

A record of processing activities (ROPA) is required in order to help demonstrate that an organisation processes personal data in accordance with the data protection principles.  It identifies how the organisation processes personal data and the activities which it undertakes.

Your ROPA must contain the following:

  • The name and details of your organisation (and where applicable, of other Controllers, your representative, and Data Protection Officer)
  • The reasons for the processing of personal data
  • A description of the categories of individuals and categories of their personal data
  • Categories of recipients of personal data
  • Details of any transfers to third countries including the safeguards in place
  • How long personal data is retained
  • A description of technical and organisational security measures

ProvePrivacy is designed to provide much of this evidence in order that, in conjunction with other evidence, such as evidence of your technical and organisational measures a complete record can be provided to a supervisory authority on demand.

A ROPA must be maintained if an organisation:

  • employs 250 or more employees
  • processes personal data which might result in a risk to the data subject
  • processes personal data which includes special categories of data
  • processes personal data relating to criminal convictions and offences; or
  • processes personal data in a way which is not occasional

In the event of an investigation the supervisory authority may request these records and having them in place may mitigate any sanctions.

You might also like

Scroll to Top

Contact us

If you would like to ask more questions or to arrange training, complete the form below and we will respond shortly.

See our Privacy Statement for more details.

Get expert tips and business insights