Showing results for 
Show  only  | Search instead for 
Did you mean: 
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Newcomer III

GDPR Article 5(2) - Demonstrate compliance ... but how?

I've been reading the text of the GDPR ... don't laugh, I think it's worth doing 🙂


Article 5.2 states "The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)."




I get that, and I'm not going to argue it ... but let me ask the stupid question ... how do I actually demonstrate GDPR compliance?

3 Replies
Newcomer I

This could go on and on, sorry...... so some bits:


The answer is document, document, document... need to be able to show a culture of ‘privacy by design’ and transparency for the data subjects..


Security structure which should be from the top.

all information assets what they contain personal information wise.

what legal reasons there are for processing this information (reasons for processing)

carry out privacy impact assessments and risk assess

record information flows, who has access, how and why

all the control measures that are in place, physical, organisational and technical

all the training of staff on data protection

all the contracts with third parties

any information transfers especially to third countries and how that is protected.

all consents and what they consented to and show that it was informed

privacy notices for the data subjects

The breach processes

record retention periods for the information assets

how to handle data subject rights.


I will have missed bits off but hopefully you see the idea.  After that I think it depends on the type of company, e.g data controller needed or not etc.  Other bits like no opt outs on web sites, opt in only.


hopefully the above helps, as you may guess I have been doing the above 🙂


Viewer II

Hi there,


GDPR can be a daunting beast. When you come to question like that try and switch places with the Authority.


If you visited another organisation and asked them to prove they were carrying out the activities in Paragraph 1, what evidence would you believe?


As mentioned, documentation is a number one item, but you also then need to show that this is being followed and is embedded in culture, not just IT systems (staff awareness and training) e.g., how do you check that privacy has been considered during design, an not just bolted on afterwards; do you have  gateway check during project delivery?

On the wider picture, there are organisation that can assist with refining standards into defined control sets, but make sure you do not turn GDPR into a tick and flick exercise - that will undoubtedly result in a fail Smiley Wink

Newcomer I

Basically evidence and documentation of what you are doing and what you are not doing and why