GDPR Art. 5(2): Accountability
What This Control Requires
The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability').
In Plain Language
"Show your work" - that is accountability in two words. It is not enough to be compliant; you must be able to prove it. When a supervisory authority knocks on your door, it wants to see documentation, not hear assurances.
In practice, accountability means maintaining a governance framework with documented policies, records of processing activities, data protection impact assessments, a DPO (where required), privacy by design practices, and regular audits. Verbal commitments and ad-hoc measures count for nothing. If it is not written down, it did not happen - at least as far as regulators are concerned.
This principle ties everything else together. Without it, compliance with lawfulness, purpose limitation, minimisation, accuracy, storage limitation, and security becomes unverifiable. It demands a cultural shift: data protection is not a one-off project you complete and forget, but an ongoing part of how your organisation operates.
How to Implement
Set up a clear governance structure. Appoint a DPO where Article 37 requires it, or designate a senior person responsible for data protection oversight. Define data protection responsibilities at every level - board, management, and individual data handlers. Everyone should know their role.
Build and maintain your Records of Processing Activities (RoPA) as required by Article 30. Document the purposes, data categories, recipients, international transfers, retention periods, and security measures for each processing activity. Review and update these records whenever processing changes - a stale RoPA is nearly as bad as no RoPA.
Put a Data Protection Impact Assessment (DPIA) process in place per Article 35. Define clear criteria for when a DPIA is triggered, create practical templates, and keep records of every assessment along with the decisions that followed. Embed this into your project and change management workflows so it happens automatically, not as an afterthought.
Write a comprehensive set of data protection policies covering data subject requests, breach notification, international transfers, retention, and data sharing. Get senior management sign-off, communicate them to all staff, and review at least annually. Policies that nobody reads or follows are a liability, not an asset.
Monitor and audit continuously. Run regular internal audits of your processing activities against your documented policies. Track compliance metrics, report to senior management, and when you find gaps, create corrective action plans with clear ownership and deadlines. The goal is a living compliance programme, not a folder of documents gathering dust.
Evidence Your Auditor Will Request
- Data protection governance framework documentation with defined roles and responsibilities
- Complete and up-to-date Records of Processing Activities (Article 30)
- Data Protection Impact Assessments for high-risk processing activities
- Suite of data protection policies and procedures with version control and approval records
- Internal audit reports and compliance monitoring records
Common Mistakes
- Policies exist but are not implemented, monitored, or enforced in practice
- Records of processing activities are incomplete, outdated, or not maintained
- No regular compliance monitoring or internal audit programme for data protection
- Data protection governance is siloed within IT or legal rather than embedded across the organisation
- Unable to provide evidence of compliance when requested by a supervisory authority