1) What is the prime difference between ROPA & PIA?
2) While assessing a vendor, once I am done with the Information Risk Assessment Questionnaire, how would I be able to identify whether I have to proceed with a ROPA or a PIA?
3) I have created ROPA and PIA questionnaires and added the sections below; do these make sense, or am I missing out on something?
Basic information on processing and responsibility
Purpose and legal basis of data processing
Data transfers and recipients
Standard period for data erasure
Means of processing
Groups with access authorization (simplified authorization concept)
Technical and organizational measures (Art. 32 GDPR)
Business / Project Information
Attributes of the Data (use and accuracy)
Notice to Individuals to Decline/Consent Use
Access to Data (administrative and technological controls)
Retention and Deletion