One of the major changes in Data Protection legislation brought about by the General Data Protection Regulation (2016) is that a new legal principle has been introduced requiring us to be able to evidence how we comply with the law:
“The controller shall be responsible for, and be able to demonstrate compliance with [the other principles]” (Article 5)
Under Article 30 of the GDPR, most organisations are required to maintain a Record of Processing Activities (ROPA), covering areas such as processing purposes, data sharing and retention.
Documenting this information is a key way to take stock of what we do with personal data. Knowing what information we have, where it is and what we do with it makes it much easier for us to comply with other aspects of the GDPR such as making sure that the information we hold about people is accurate and secure.
At ARU we have recognised the importance that we map our University’s use of personal data as we manage our GDPR compliance. In 2018 we developed our GDPR Information Risk Assessment Tool (IRAT). It is designed to establish our position in relation to the Data Protection Act, enabling us to analyse what we do and where necessary make appropriate changes.
The audit process gives us a clear understanding of the Data Protection controls we have in place, makes sure that we’re consistent in the way personal data is handled and enables us to demonstrate how we meet the more detailed GDPR compliance requirements. The University has processes in place to maintain this record.