GDPR accountability principle — Art 5(2) demonstrate compliance

Primary statement

GDPR accountability principle, Art 5(2): the controller is responsible for compliance with the Article 5(1) principles AND must be able to demonstrate that compliance. Supporting obligations: Art 24 (appropriate technical and organisational measures), Art 25 (data protection by design and by default) and Art 30 (records of processing activities, RoPA). Contributing frameworks: DPDPA records of processing (DPDP.15), CCPA, ISO 27701 and MeitY. Accountability is the foundational GDPR principle: the other principles are only verifiable through it.

Audit-fatigue payoff

A single unified accountability programme (RoPA, DPbD&D, appropriate measures, and demonstration evidence per principle) satisfies the accountability requirements of all 5 contributing frameworks at once, so the evidence set is built and maintained once rather than per framework.

Strictness matrix

Scope
  Requirement: controller responsibility for ALL Article 5(1) principles (lawfulness, fairness, transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity/confidentiality).
  Ceiling source: gdpr:Art.5.2
  Rationale: GDPR Art 5.2 scope across all six principles is comprehensive.

Threshold
  Requirement: controller must be able to DEMONSTRATE compliance, i.e. documented evidence, not just intent.
  Ceiling source: gdpr:Art.5.2
  Rationale: GDPR Art 5.2 demonstrate threshold is binary.

Method
  Requirement: appropriate technical AND organisational measures (Art 24) + data protection by design and by default (Art 25) + records of processing activities (Art 30) + DPIA where required + DPO appointment + breach notification + DPDPA RoPA (DPDP.15) + ISO 27701 PIMS as supporting framework.
  Ceiling source: gdpr:Art.24
  Rationale: GDPR Art 24 + 25 + 30 combined are the most prescriptive accountability method.

Frequency
  Requirement: RoPA refresh continuous through change management + annual completeness review. Accountability evidence: continuous.
  Ceiling source: gdpr:Art.30
  Rationale: Annual RoPA review is the audit-defensible cadence.

Evidence
  Requirement: RoPA + technical and organisational measures + DPbD&D evidence + DPIA where applicable + DPO appointment + accountability evidence per principle.
  Ceiling source: gdpr:Art.30
  Rationale: GDPR Art 30 RoPA is the audit-defensible anchor.

Auditor test pattern

Step 1: Inspect the RoPA.
Step 2: Verify DPbD&D evidence per system.
Step 3: Verify technical and organisational measures.
Step 4: For each Art 5(1) principle, verify demonstration evidence.

Common findings

(1) RoPA incomplete.
(2) DPbD&D aspirational, stated in policy but not embedded in system design.
(3) Demonstration evidence per Art 5(1) principle absent.
(4) Accountability documented but not operational: the documents exist, yet the measures they describe are not applied in practice.