The Requirements - Privacy Registration

Find out more about what's required to attain Data Privacy Register registration

Completing the self assessment phase

Learn more about the self assessment phase and what information will be required

The Data Privacy Register framework is centred around your organisation's privacy related processes and policies.

Organisations undertaking registration will be required to complete a rigorous self assessment as a part of the registration process. This self assessment requires organisations to demonstrate compliance with the Data Privacy Register's six compulsory privacy principles.

To assist organisations in assessing whether they are ready to begin the registration process, we have detailed the requirements of each principle alongside the supporting documentation that may be requested during the assessment phase.
Principle
Requirement
Supporting Documentation
Fairness & transparency
You must respect several key rules, including that personal data must be processed in a transparent manner, as this ensures fairness for the individuals whose personal data you’re using.
Signed statement from company officer and relevant policy.
Purpose of data processing
The purpose for processing of personal data must be known and the individuals whose data you’re processing must be informed.
Relevant policy.
Data minimisation
Personal data should only be processed where it isn’t reasonably feasible to carry out the processing in another manner. Where possible, it is preferable to use anonymous data. Where personal data is needed, it should be adequate, relevant, and limited to what is necessary for the intended purpose.
Relevant policy.
Accuracy
You should take all reasonable steps to ensure the personal data you hold is not incorrect or misleading.

You may need to keep the personal data updated, although this will depend on what you are using it for. If you discover that personal data is incorrect or misleading, you must take reasonable steps to correct or erase it as soon as possible.

You must carefully consider any challenges to the accuracy of personal data.
Written risk assessment and relevant policy.
Data storage
You must store data for the shortest time possible. That period should take into account the reasons why your company/organisation needs to process the data, as well as any legal obligations to keep the data for a fixed period of time.

Your company/organisation should establish time limits to erase or review the data stored.
Relevant policy.
Security
You process personal data securely by means of appropriate technical and organisational measures.

You are required to consider risk analysis, organisational policies and physical and technical measures.
Written risk assessment, demonstration of employee training, evidence of relevant controls and relevant policy.

Beginner Fact Sheets

Tip sheets to assist organisations with understanding the requirements of each Data Privacy Register principle

Next
Registration Fees