One of the key areas for all organisations who process personal data is making sure that they have accurate and comprehensive records of processing activities (ROPA) that meet the standards set out in Article 30 of UK GDPR which states that an organisation shall:

“…maintain a record of processing activities under its responsibility.”

There are several specified areas where records must be maintained, such as the purposes of processing personal data, data sharing and retention.

The law is not telling us to do this “just because”, it has real benefits for the organisation, its staff and service users.

In today’s interconnected world, organisations collect and store vast amounts of data, including personally identifiable information, financial records, intellectual property and trade secrets. A breach or compromise of such information can lead to severe consequences, including financial losses, reputational damage, legal implications and loss of customer trust.

An accurate and up to date ROPA demonstrates a proactive approach and enables organisations to identify and mitigate potential risks. By conducting risk assessments, organisations can gain insights into their vulnerabilities and threats, allowing them to implement appropriate controls and countermeasures.

Our Information Governance team can work with your organisation to develop a bespoke package of support to demonstrate full compliance with the ROPA requirements. This could include:

• Development of tools for use by your organisation to establish information asset registers, information risk assessment frameworks and system security assessments and other relevant systems and processes
• Colleague training and engagement
• Full management and support to your organisation’s ROPA
• Aligning processing activities to a lawful basis
• Determining retention periods.

Contact us for more information on mlcsu.ig@nhs.net or 01782 916 875.