The accountability principle (Article 5(2)) requires that controllers be able to demonstrate compliance with GDPR’s data protection principles. ‘Demonstrate’ means evidence — documented information that can be produced on request to show that compliance was real, ongoing, and maintained before any investigation or incident. An organisation that complies in practice but has no evidence of compliance cannot satisfy the accountability principle.
Building and maintaining a GDPR evidence portfolio is not a filing exercise — it is the operational mechanism through which accountability is exercised. The portfolio must be current (evidence that was accurate in 2020 but has not been maintained since is not evidence of current compliance), complete (gaps in the portfolio signal gaps in the programme), and organised (evidence that cannot be located and produced quickly during a DPA investigation provides little protection).
The Minimum Evidence Set by GDPR Obligation
MINIMUM EVIDENCE BY OBLIGATION — SECTION 1: FOUNDATIONS
| GDPR Obligation | Minimum Evidence Required | Maintenance Frequency |
|---|---|---|
| Records of Processing Activities (Art. 30) | RoPA covering all processing activities; fields per Art. 30(1)/(2); DPO or responsible person sign-off | Update on every new system, new purpose, or processing change; full review at least annually |
| Lawful basis for each processing activity (Art. 6) | Basis documented in RoPA; LIA records for legitimate interests processing; contract necessity assessments; decisions memo for each basis selected | Created before processing begins; reviewed on purpose change; LIAs reviewed when processing changes materially |
| Special category processing basis (Art. 9) | Documented Art. 9(2) condition for each special category processing activity; explicit consent records where relied on | Created before special category processing begins; reviewed at least annually |
| Privacy notices published and current (Art. 13/14) | Copy of current notice; version history with dates; record of notice at point of collection for sampled individuals; accessibility verification | Updated before any processing change; version-controlled; accessibility tested at each update |
| Consent records (Art. 7) | Timestamped consent records; notice version presented at consent; withdrawal records; evidence that consent was freely given and specific | Retained for duration of processing plus 3 years for claims defence; audit of consent mechanism at least annually |
| DPO designation (Art. 37) where required | Designation record; DPO terms of reference; DPA notification of DPO; DPO contact published | Updated on DPO change; annual confirmation that DPO has requisite expertise and resources |
MINIMUM EVIDENCE BY OBLIGATION — SECTION 2: OPERATIONS
| GDPR Obligation | Minimum Evidence Required | Maintenance Frequency |
|---|---|---|
| Data Protection Impact Assessments (Art. 35) | Completed DPIAs for all high-risk processing; DPO advice records; DPA consultation records where required; risk mitigation measure implementation evidence | Completed before high-risk processing begins; reviewed at least every 3 years; reviewed on material processing changes |
| Processor management (Art. 28) | Executed DPAs for all processors; processor register; vendor assessment records; sub-processor lists; transfer mechanisms for non-EEA processors | DPA executed before processing begins; register updated on new procurement; annual review; sub-processor changes monitored |
| Cross-border transfer mechanisms (Art. 44-49) | Transfer register; executed SCCs (2021 version) or adequacy evidence; TIA records for non-adequate countries; DPF verification for US entities | Transfer register updated on new non-EEA processor engagement; TIAs reviewed on destination country law changes; SCC version monitored |
| Data subject rights procedures (Art. 15-22) | Rights request log; response records; exemption decision records; procedure documentation; intake channel coverage evidence | Log maintained in real time; annual procedure review; response time analysis quarterly; exemption decisions documented at time of decision |
| Breach register and notifications (Art. 33/34/33(5)) | Breach register for all incidents; DPA notification records with timestamps; individual notification records; post-incident review reports | Breach register entry within 24 hours of awareness; notification records filed immediately; review completed within 30 days of incident closure |
| Technical and organisational measures (Art. 32) | TOM schedule; security policy; penetration test reports; access review records; encryption configuration; training completion records | TOM schedule reviewed annually; pen test at least annually; access reviews at defined cadence; training records maintained ongoing |
Document Retention for GDPR Evidence
The evidence portfolio itself requires a retention policy. GDPR compliance documents should be retained for long enough to defend against any investigation or claim that might arise after the processing has ended. As a general rule, GDPR compliance documentation should be retained for the duration of the relevant processing activity plus the applicable limitation period for regulatory actions and civil claims (typically 6 years in most EU jurisdictions, though DPA investigation powers may extend beyond standard limitation periods).
GDPR EVIDENCE DOCUMENT RETENTION GUIDE
| Document Type | Recommended Retention | Rationale |
|---|---|---|
| RoPA versions | Current version plus 6 years archive of previous versions | DPA may investigate processing that occurred years ago; RoPA at that time must be demonstrable |
| Lawful basis assessments (LIAs) | For duration of processing plus 6 years | DPA may challenge lawful basis years after processing; LIA must predate the processing to have probative value |
| Privacy notice versions | All versions retained indefinitely with effective date metadata | Notice in effect at any point in time may be relevant to a future complaint; version history must be complete |
| Consent records | For duration of processing plus 3 years (for marketing claims defence); longer if processing continues | Consent records are the evidence that processing was lawful; must be available if challenged |
| Executed DPAs | For duration of contract plus 6 years | DPA may investigate processor relationship after contract ends; DPA must be producible |
| Breach register and notifications | At least 6 years; DPA investigation period may extend beyond this | DPA investigations triggered by historical breaches must have the breach record available |
| DPIAs | For duration of processing plus 6 years | DPIA is evidence that high-risk processing was assessed before it began; must be available on request |
| Training completion records | Rolling 3-year window of training records; longer for staff who handled high-risk processing | Evidence that staff were trained at the time of processing; defends against ‘inadequate training’ finding |
Organising Evidence for DPA Investigation Response
The organisation of the evidence portfolio matters as much as its completeness. An organisation that has all required documentation but cannot locate relevant evidence quickly during a DPA investigation faces an unnecessary risk of appearing non-compliant — and may miss DPA response deadlines while searching for documents. The portfolio should be organised so that evidence relating to a specific processing activity, data subject complaint, or breach can be assembled within 24–48 hours.
EVIDENCE PORTFOLIO ORGANISATION — RECOMMENDED STRUCTURE
| Portfolio Section | Contents | Access Control |
|---|---|---|
| Processing activities register | RoPA; linked LIAs; linked DPIAs; processing change log | DPO and privacy team; read access for Legal; controlled access for business stakeholders |
| Lawful basis library | LIA records indexed by processing activity; consent records by product/channel; contract necessity assessments | DPO and privacy team; Legal for LIAs; consent records system export |
| Notice and transparency archive | All privacy notice versions with effective dates; notice accessibility test records; just-in-time notice records | DPO and privacy team; accessible to Legal; notice versions may be requested by DPA |
| Processor and transfer register | Executed DPAs; processor register; sub-processor lists; transfer register; SCCs; TIAs | DPO and Legal; restricted access; DPAs contain commercially sensitive terms |
| Data subject rights log | SAR and rights request log; response records; exemption decisions; exemption reasoning | DPO and privacy team; individual request records accessible to handler; aggregated log for management reporting |
| Breach and incident register | Breach register; DPA notifications; individual notifications; post-incident reviews; remediation records | DPO, Legal, CISO; restricted access; individual breach records may be DPA-sensitive |
| Security evidence file | TOM schedule; penetration test reports; access review records; training completion; security certifications; DPIA records | DPO and CISO; security reports restricted; certifications publicly shareable |
BITLION INSIGHT
A GRC (Governance, Risk, and Compliance) platform can transform evidence portfolio management from a manual filing task into a structured, auditable, and reportable compliance operation. Leading GRC platforms allow controllers to maintain their RoPA, link DPIAs to processing activities, track LIA and consent records, manage the processor register with DPA expiry alerts, log rights requests and breach incidents, and generate the compliance status reports that boards and enterprise clients require. The investment in GRC tooling pays dividends not just in compliance efficiency but in the quality of the accountability evidence portfolio that results: structured, timestamped, and comprehensive in a way that manual document management rarely achieves.