This article covers:
- The difference between being compliant and being able to prove it
- What “demonstrable” actually means under the GDPR
- Why statements are not evidence
- What demonstrable compliance looks like in day-to-day operations
- The role of logs, approvals and metrics
- How PrivaLex builds the compliance you can stand behind
- How Responsum turns that compliance into proof
- Next steps
Most organisations that have invested in GDPR compliance believe they are compliant. They have a privacy policy, a record of processing activities, processor contracts and, in many cases, a DPO or legal adviser who reviewed everything at implementation. When asked whether they comply with the GDPR, the honest answer is: probably yes, in the sense that the right things were done at a point in time.
But there is a second question that is harder to answer: can you prove it? Not that you intended to comply, or that you once set up the right structures, but that you are compliant right now, that you have been continuously compliant, and that you can demonstrate this with actual evidence to a supervisory authority, an enterprise client, or an investor doing due diligence.
These are different questions. And the gap between saying “we’re compliant” and being able to show it is where regulatory exposure, lost contracts and reputational risk accumulate. This guide explains what demonstrable privacy means under the GDPR, what it looks like in daily operations, and how PrivaLex and Responsum work together to close that gap.
1. The Difference Between Being Compliant and Being Able to Prove It
The GDPR does not simply require organisations to comply. It requires them to be accountable for their compliance, and accountability, in legal and regulatory terms, means evidence. Article 5(2) states that the controller shall be responsible for, and be able to demonstrate compliance with, the data protection principles. This is not a soft obligation. It is a structural requirement that runs through the entire regulation.
In practice, the difference between being compliant and being able to prove it comes down to three things: whether compliance decisions are documented at the time they are made, whether the evidence of ongoing compliance is stored in a retrievable and structured way, and whether the organisation can produce that evidence on request without a lengthy reconstruction exercise.
An organisation that processed a data subject request correctly but did not log the request, the steps taken or the response given cannot demonstrate that it handled the request correctly. An organisation that delivers annual privacy training but keeps no record of attendance cannot demonstrate that its staff are informed. An organisation whose RoPA was accurate at implementation but has not been updated since cannot demonstrate that it reflects current processing. In each of these cases, the compliance may have happened, but it cannot be shown. Under the GDPR, that is a compliance gap.
2. What “Demonstrable” Actually Means Under the GDPR
Demonstrable compliance is the capacity to show, with contemporaneous evidence, that data protection obligations are being met in practice and on an ongoing basis. The word “contemporaneous” matters: evidence created after the fact, reconstructed from memory or assembled under pressure during an inspection, carries far less weight than records generated at the time the relevant activity took place.
European data protection authorities have been clear about what they expect. The AEPD in Spain, the CNIL in France, the ICO in the United Kingdom and the supervisory authorities across the EU consistently ask, in inspections and enforcement proceedings, not just whether a policy exists but whether it is applied, how compliance is monitored, and what evidence exists of the decisions made. Fines have been issued not because organisations lacked policies, but because they could not demonstrate that those policies were being followed.
Demonstrable compliance has three layers. The first is structural: having the right policies, legal bases, contracts and assessments in place. The second is operational: those structures being actively used, assessments being conducted, requests being handled, vendors being reviewed. The third is evidential: records of all of the above being stored, organised and accessible. Most organisations have the first layer. Fewer have the second. Fewer still have the third in a form that holds up under scrutiny.
3. Why Statements Are Not Evidence
A privacy policy is a statement of how an organisation intends to handle personal data. A record of processing activities is a statement of what processing the organisation carries out. A Data Processing Agreement is a statement of the obligations between controller and processor. These documents are necessary (without them, there is no framework for compliance), but they are not, by themselves, evidence that compliance is happening.
The distinction is the difference between a commitment and a record. A commitment describes what will be done. A record shows what was done, when, by whom, and with what outcome. When a supervisory authority investigates a complaint or conducts a routine inspection, it is records they examine, not the policies that describe what the organisation planned to do.
Consider a company that receives a request for erasure under Article 17. Its privacy policy states that erasure requests are handled within one month. Its internal procedure describes the steps to be taken. If the company has no log of when the request was received, no record of the steps taken to action it, and no documentation of the response sent, it cannot demonstrate that the obligation was met, even if it was. The statement that erasure requests are handled within one month is not evidence that this particular request was handled within one month.
This is why demonstrable compliance is not primarily about having better policies. It is about building the operational infrastructure that generates records, at the time the compliance activities take place, that constitute real evidence.
4. What Demonstrable Compliance Looks Like in Day-to-Day Operations
Demonstrable compliance is not an audit-preparation exercise. It is a way of operating that generates evidence continuously, as a byproduct of well-designed processes. In practice, it has to be visible in five specific areas of daily operations.
Processing decisions are made with documented rationale
Every time a new processing activity is initiated (a new product feature, a new marketing tool, a new data sharing arrangement), the decision about legal basis, purpose limitation and retention should be made explicitly and recorded. Not in a lengthy report, but in a structured record that shows what was decided, on what basis, who made the decision, and when. This is what makes the RoPA a living document rather than a historical one, and what allows an organisation to explain, months or years later, why a particular processing activity was set up the way it was.
PrivaLex works with organisations to define governance triggers (the categories of decision that require a formal privacy review) and to establish the documentation that review should produce. The result is that processing decisions accumulate a traceable rationale over time, rather than being made informally and then forgotten.
Assessments are conducted, approved and linked to processing
A DPIA is not evidence of compliance on its own. It is evidence of compliance when it is completed before the relevant processing begins, when it reflects a genuine analysis of risk and mitigation, when it has been reviewed and approved by the appropriate person including the DPO where required, and when it remains connected to the processing activity it covers so that both can be examined together.
The same applies to Legitimate Interest Assessments and Transfer Impact Assessments. Each of these is a decision-making record: it shows that the organisation considered the legal and risk dimensions of a processing activity and reached a reasoned conclusion. Responsum links assessments directly to the processing activities they cover and records the date of completion, the approver, and any subsequent review or update. The assessment and the processing record are not separate documents; they are connected evidence.
Data subject requests are logged from receipt to closure
Under Articles 15 to 22 of the GDPR, individuals have rights that must be responded to within defined deadlines. Demonstrating compliance with these rights requires a complete log of every request received: the date and channel of receipt, the type of request, the steps taken to verify identity where required, the actions taken to fulfil the request, the date and content of the response, and the legal basis for any limitation or refusal. This log is the evidence. Without it, there is no way to show that rights were respected, only that a policy exists saying they would be.
Responsum manages this process as a structured workflow, with automated deadline tracking and a complete audit trail from receipt to closure. Every request, however it arrives, is logged immediately and assigned to a responsible owner. The timeline of actions is recorded automatically as the request progresses. When the response is sent, it is linked to the request record. The result is a complete, contemporaneous log that can be produced in response to any regulatory or contractual inquiry.
Vendor relationships are monitored, not just documented
Signing a Data Processing Agreement is a point-in-time action. Demonstrating ongoing compliance with Article 28 requires showing that the relationship with the processor has been actively managed: that the DPA was in place before data flows began, that sub-processor changes have been monitored and accepted or rejected, that the vendor’s security measures have been assessed, and that the contract has been reviewed at renewal.
PrivaLex structures vendor contracts and assesses third-party risk as part of the compliance framework. Responsum maintains the vendor register with DPA status, sub-processor records, risk assessments and contract renewal dates. When a vendor notifies a change in sub-processors, that change is recorded and triggers a review. The vendor management record is not a static list; it is a monitored relationship with a documented history.
Training is delivered, recorded and evidenced
Staff training is required under the GDPR’s accountability principle, and authorities ask for evidence of it. A training policy, or a general statement that staff have been trained, is not sufficient. The evidence required is a record showing which training was delivered, to whom, on what date, and with what outcome. In regulated sectors or where processing is high-risk, evidence of role-specific training and periodic refreshers is increasingly expected.
Responsum distributes training modules to staff, records their completion, and generates the reports needed to demonstrate compliance. This means that at any point, a DPO or compliance officer can show, with precise records, which members of staff have completed training, when they completed it, and what it covered.
5. The Role of Logs, Approvals and Metrics
If day-to-day operations are the body of demonstrable compliance, logs, approvals and metrics are the skeleton. They are the structures that make evidence retrievable, credible and usable in a regulatory or commercial context.
Logs are contemporaneous records of actions taken. A log of data subject requests received, a log of DPIA approvals, a log of training completions, a log of vendor contract reviews: each of these is a timestamped record showing that a compliance activity happened at a specific point in time. Logs are more credible than reports produced after the fact because they were generated as the activity occurred, not in response to a request to demonstrate that it occurred.
Approvals are the records of decisions made at governance level. When a DPO reviews and approves a DPIA, when a compliance officer signs off on a legal basis assessment, or when management acknowledges a risk and accepts the mitigating measures, the decision needs to be recorded with the name of the approver, the date and the basis for the decision. Approvals show that compliance is governed and that decisions are made with appropriate authority, not just executed operationally.
Metrics are the evidence of systemic performance over time. The percentage of data subject requests closed within the legal deadline. The proportion of processing activities in the RoPA with a completed and current DPIA where required. The number of staff who have completed their annual training. The number of vendors with a current, reviewed DPA. These metrics do not just tell you where you stand; they show an authority or a client that compliance is monitored and managed, not assumed.
Responsum’s dashboard surfaces these metrics in real time, giving DPOs and compliance officers the visibility to manage compliance proactively and giving management the reporting they need to exercise their accountability responsibilities. When a supervisory authority asks how you know your compliance programme is working, the answer is a dashboard with real data, not an assurance that things are in order.
6. How PrivaLex Builds the Compliance You Can Stand Behind
Demonstrable compliance starts with getting the framework right. If the legal bases are incorrect, if the DPIAs are incomplete, if the processor contracts do not meet Article 28 requirements, if the governance structure lacks the independence and authority the GDPR requires, then no amount of operational infrastructure will produce genuine evidence of compliance. It will produce evidence of a flawed framework being consistently applied.
PrivaLex builds the compliance framework from first principles. That means a maturity assessment that identifies where the organisation actually stands, not where it believes it stands. It means reviewing legal bases for every processing activity against the GDPR’s requirements and the AEPD’s guidance. It means structuring DPIAs and LIAs as genuine risk analysis, not form-filling. It means reviewing processor contracts against Article 28 and ensuring that international transfer mechanisms are adequate. It means establishing a governance model that assigns accountability clearly and creates the triggers that ensure privacy is considered before decisions are made.
The external DPO function that PrivaLex provides is not a formality. It is an active, independent function that monitors compliance, advises on new processing decisions, reviews the output of assessments, acts as the contact point for the supervisory authority, and contributes to the training and awareness of staff. The DPO’s advice, the decisions made in response to that advice, and the rationale documented at the time: these are themselves evidence. They show that the organisation is governed in relation to privacy, not just administered.
7. How Responsum Turns That Compliance Into Proof
The compliance framework that PrivaLex builds needs to be executed consistently and documented completely. Responsum is the platform where that execution happens and where the documentation is generated, stored and made retrievable.
In Responsum, the Record of Processing Activities is not a spreadsheet updated manually when someone remembers. It is a live document connected to the assets, vendors and assessments it describes, updated as processing changes, with a full change history. Every entry links to the legal basis, the DPIA or LIA where applicable, the relevant DPAs, and the retention schedule. If an authority asks to review a specific processing activity, everything relevant to it is accessible from a single record.
Assessments conducted under PrivaLex’s guidance (DPIAs, LIAs, TIAs, vendor risk assessments) are completed and stored within Responsum, linked to the processing activities they cover and accessible alongside the approval records that show they were reviewed. Review cycles are tracked automatically, and when an assessment is due for renewal, the responsible owner is notified. The assessment does not become stale and forgotten in a folder; it remains a live record with a defined review lifecycle.
Data subject requests are managed entirely within Responsum’s workflow, from the moment of receipt to the moment of closure. The platform tracks deadlines automatically, escalates where action is required, and records every step taken. The complete log of every request, and of the organisation’s response to it, is available at any point. Vendor relationships are managed in the platform’s vendor module, with DPA status, sub-processor records, and risk assessments all connected and monitored. Training completion is logged at an individual level, with completion dates and content records available in audit-ready reports.
The combination means that when a supervisory authority requests evidence, when a client asks for a privacy audit report, or when an investor’s legal team requests documentation as part of due diligence, the evidence exists, it is organised, and it can be produced quickly. Not reconstructed. Not assembled from scattered sources. Produced.
How PrivaLex and Responsum Can Help You Demonstrate Compliance
At PrivaLex Partners we work with organisations that want to move beyond the assurance that they are probably compliant to the confidence that they can prove it. That means starting with an honest assessment of where the compliance framework stands, correcting what is not right, and building the operational infrastructure to keep it evidenced and current.
Through our partnership with Responsum, we connect legal expertise with operational tooling. PrivaLex builds and maintains the compliance framework. Responsum makes it run and generates the evidence. The result is compliance that does not just exist on paper; it exists in logs, approvals, timelines and metrics that hold up under scrutiny.
If you have told clients or investors that you are GDPR compliant and want to be certain you can back that up, or if you are preparing for a due diligence, a certification audit or a regulatory inspection, we can help you close the gap between statement and proof.
Schedule a strategic session with PrivaLex and find out what demonstrable compliance looks like for your organisation.
Frequently Asked Questions (FAQs)
What does “demonstrable compliance” mean under the GDPR?
Demonstrable compliance under the GDPR means being able to show, with contemporaneous evidence, that data protection obligations are being met in practice and on an ongoing basis. It flows from Article 5(2), the accountability principle, which requires controllers not just to comply with data protection principles but to be able to demonstrate compliance. In practice it means having records, logs and documented decisions that can be produced on request, not reconstructed after the fact.
What evidence does a supervisory authority look for in a GDPR inspection?
Supervisory authorities across the EU, including the AEPD in Spain, consistently ask to see the Record of Processing Activities and whether it reflects current processing; the legal basis for each category of processing and the documents supporting it; completed DPIAs and LIAs where required; logs of data subject requests and evidence of timely responses; staff training records; and vendor management records including DPAs and sub-processor information. They examine not just whether policies exist but whether they are applied and whether the evidence of that application is available.
Why is a privacy policy not enough to demonstrate GDPR compliance?
A privacy policy is a statement of intent: it describes how an organisation intends to handle personal data. It is a necessary part of transparency under Articles 13 and 14 of the GDPR, but it is not evidence that data is being handled in the way described. Demonstrable compliance requires records of actual processing activities, documented decisions about legal bases, completed assessments, logs of data subject requests and their outcomes, training records, and vendor management documentation. Policies describe what will be done. Records show what was done.
How should data subject requests be documented to demonstrate compliance?
Every data subject request should be logged from the moment of receipt, with a record of the date and channel of receipt, the type of request, the steps taken to verify the requester’s identity where required, the actions taken to fulfil or limit the request, the date of the response, and the content of the response or the legal basis for any refusal. The log should be maintained in a system that generates a timestamped audit trail automatically. Under Article 12, the general response deadline is one month, and any extension must be communicated to the requester within that period and documented.
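As an added illustration of the log structure described here and of the request-deadline metric from section 5 (example code, not PrivaLex’s or Responsum’s): a small Python register in which each request carries an append-only, timestamped event trail, an Article 12 deadline (one month, or three if an extension was communicated within the first month), a mandatory legal basis for any refusal, and the share of requests closed on time. The field names, the month-end clamping rule for “one month”, and the sample requests are assumptions made for the example.

```python
# Added example (not PrivaLex or Responsum code): a contemporaneous DSR log with
# Article 12 deadline tracking and the "closed within deadline" metric from section 5.
from dataclasses import dataclass, field
from datetime import date, datetime, timezone
from typing import List, Optional, Tuple


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the target month's last day (assumption)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    next_first = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    last_day = (next_first - date(year, month, 1)).days
    return date(year, month, min(d.day, last_day))


@dataclass
class DSRecord:
    request_id: str
    received: date                 # date of receipt
    channel: str                   # channel of receipt, e.g. "email", "web form"
    request_type: str              # e.g. "access" (Art. 15), "erasure" (Art. 17)
    events: List[Tuple[str, str, str, str]] = field(default_factory=list)  # audit trail
    extended: bool = False
    closed: Optional[date] = None

    def log(self, actor: str, action: str, detail: str = "") -> None:
        """Append an action as it happens, with a UTC timestamp (append-only)."""
        self.events.append((datetime.now(timezone.utc).isoformat(), actor, action, detail))

    def deadline(self) -> date:
        """Art. 12(3): one month from receipt; three months if an extension
        was communicated to the requester and documented within the first month."""
        return add_months(self.received, 3 if self.extended else 1)

    def extend(self, actor: str, reason: str, on: date) -> None:
        if on > add_months(self.received, 1):
            raise ValueError("extension must be communicated within the initial month")
        self.extended = True
        self.log(actor, "extension_communicated", f"{on.isoformat()}: {reason}")

    def close(self, actor: str, on: date, outcome: str, legal_basis: str = "") -> None:
        """Close the request; a limitation or refusal must cite its legal basis."""
        if outcome != "fulfilled" and not legal_basis:
            raise ValueError("limitation or refusal requires a documented legal basis")
        self.closed = on
        self.log(actor, "closed", f"{outcome} {legal_basis}".strip())

    def on_time(self) -> bool:
        return self.closed is not None and self.closed <= self.deadline()


def pct_closed_on_time(records: List[DSRecord]) -> float:
    """Section 5 metric: share of closed requests closed within the legal deadline."""
    closed = [r for r in records if r.closed is not None]
    return 100.0 * sum(r.on_time() for r in closed) / len(closed) if closed else 0.0


def sample_register() -> List[DSRecord]:
    """Constructed sample: one on-time request, one extended, one late refusal."""
    a = DSRecord("DSR-001", date(2024, 1, 31), "email", "access")
    a.log("dpo", "identity_verified", "ID document checked")
    a.close("dpo", date(2024, 2, 29), "fulfilled")  # deadline 29 Feb 2024
    b = DSRecord("DSR-002", date(2024, 3, 10), "web form", "erasure")
    b.extend("dpo", "data held across several systems", on=date(2024, 4, 5))
    b.close("dpo", date(2024, 6, 1), "fulfilled")  # deadline moved to 10 Jun 2024
    c = DSRecord("DSR-003", date(2024, 5, 1), "letter", "erasure")
    c.close("dpo", date(2024, 6, 3), "refused", "Art. 17(3)(b)")  # deadline 1 Jun: late
    return [a, b, c]
```

Running `pct_closed_on_time(sample_register())` on the constructed register yields two of three requests closed on time; a refusal without a cited legal basis and an extension notified after the first month are both rejected at logging time rather than discovered at inspection.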
What is the difference between a DPIA and demonstrable compliance?
A Data Protection Impact Assessment is one component of demonstrable compliance: specifically, the evidence that high-risk processing has been assessed before it began and that appropriate mitigation measures are in place. A completed DPIA demonstrates that the organisation identified the risk, analysed it, and made a documented decision about how to address it. But a DPIA alone does not constitute demonstrable compliance. It needs to be linked to the processing activity it covers, approved by the appropriate person, and reviewed when the processing changes. It is one record in a broader evidence base.
How do metrics help demonstrate GDPR compliance?
Metrics show that compliance is monitored and managed systemically, not just asserted. The percentage of data subject requests resolved within the one-month deadline, the proportion of processing activities with a current and linked DPIA, the number of staff with a recorded training completion, and the number of vendors with an active and reviewed DPA: these indicators show an authority or a client that compliance is governed and tracked. They also enable the compliance team to identify gaps before they become regulatory issues, rather than discovering them during an inspection.
Can you demonstrate GDPR compliance without a dedicated compliance platform?
It is possible but increasingly difficult, particularly for organisations of any significant scale or with complex processing. Without a dedicated platform, evidence tends to accumulate across email threads, shared drives and individual documents, making it difficult to retrieve, incomplete in its coverage, and vulnerable to loss when team members change. A compliance management platform such as Responsum centralises the records, automates the generation of evidence as compliance activities occur, and ensures that documentation is structured, retrievable and audit-ready. For organisations that need to demonstrate compliance to clients, authorities or investors, this is not a convenience; it is a structural requirement.
Next Step
The question is not whether your organisation is GDPR compliant. The question is whether you can prove it, today, with evidence that holds up under scrutiny.
Schedule a strategic session with PrivaLex and find out what demonstrable compliance looks like for your organisation, and what it takes to build it.
