Demonstrating Compliance

Article 24 requires that organisations implement 'appropriate technical and organisational measures' to be able to 'demonstrate' their compliance with the Regulation. Our research has identified 52 Articles (out of the 99 Articles in the GDPR) that need evidence to demonstrate compliance. These Articles should be mapped to corporate policies, management responsibilities, daily operational practices, internal and external business processes, information systems, databases, data, technical and organisational measures, local, remote and outsourced operational environments and infrastructure components.

Compliance is demonstrated by evaluating the status the mapped obligations of the GDPR articles. Existing governance, management and operational environments are examined and the extent that current processing is performed in accordance with the Regulation scored. Improvements are identified, planned, implemented, operated and tracked.

Target of Evaluation

  • Inventory of personal data
  • Records maintained of processing personal data, consent collected and information notices posted
  • Governance, management and operational processes and the “state of the art” practices for processing of personal data lawfully
  • Centralised repository of relevant artefacts or cross references to sources of evidence
  • Privacy incident management, response handling and breach notification processes
  • Data protection officer processes  Governance and accountability frameworks
  • Privacy, security and records management systems
  • Privacy practices, measures and work instructions
  • Vulnerability and impact assessments
  • Baselines of implemented measures
  • Capability assessment results
  • Performance evaluation reports
  • Third party verification
  • Records of non-compliance and case management
  • History of information requests and complaints
  • Interaction with supervisory authorities.

How to create the required audit trail under the GDPR

Identify the specific requirements for governance, management and operational privacy practices in accordance with “the state of the art and cost of implementation” using recognised codes of practice, frameworks of good practice, standards and generally accepted operating procedures.

Define processes, key activities and expected outcomes. Assign roles and responsibilities. Establish event logs, proof listings and audit trails.

Identify individual technical and organisation measures, track the status through regularly testing, assessing and evaluating the effectiveness of the implemented measures for compliance. Score the current status and monitor the remedial action taken to improve on current capability.

Record actions and events that demonstrate adherence to approved codes of conduct or approved certification mechanisms.


Business case for a GDPR Compliance Management System

  1. Record the organisation’s compliance obligations under the GDPR and mandatory privacy enhancing practices to ensure ongoing compliance
  2. Identify roles and assign responsibilities for fulfilling GDPR obligations
  3. Map obligations to specific practices of business units and the operational processes
  4. Record the specific impact of processing personal data on the rights and freedoms of natural persons
  5. Identify potential instances of non-compliance and tag for remedial action
  6. Maintain a comprehensive GDPR compliance programme
  7. Identify and track effective and ineffective technical and organisational measures
  8. Control changes in current arrangements and continuous improvement in privacy enhancing practices across the organisation
  9. Complete audit trail and centralised repository of evidence retained to demonstrate compliance
  10. Dashboards and management reports provide executive management and the governing body with meaningful reports for effective oversight.