GDPR A24-01: Responsibility of the Controller
As a data controller, you're accountable for proving your processing complies with GDPR—not just believing it does. This control requires you to implement, document, and continuously review the technical and organisational measures that protect personal data and demonstrate your compliance to regulators.
What this means
GDPR Article 24 places the burden of proof on you. You must establish a framework of controls—from access restrictions and encryption to audit logs and data retention policies—that prevents unlawful processing. More importantly, you must be able to *demonstrate* these controls exist and function. This means maintaining records, conducting reviews, and updating your measures as risks and regulations evolve. It's not a one-time setup; it's an ongoing accountability cycle.
How to comply
- 1.Document all technical measures (encryption, access controls, pseudonymisation, data minimisation) you've implemented
- 2.Document all organisational measures (policies, procedures, staff training, incident response protocols)
- 3.Establish a schedule for regular review and testing of these measures (at least annually, or when risks change)
- 4.Maintain records proving implementation and review (audit logs, test results, approval documentation)
- 5.Update measures when new risks emerge, regulations change, or audits identify gaps
- 6.Ensure leadership and relevant staff understand their accountability roles
- 7.Conduct periodic risk assessments to identify where measures need strengthening
Evidence auditors look for
- Data Protection Impact Assessment (DPIA) documenting technical and organisational controls
- Information Security Policy and supporting procedures (access control, encryption, incident response)
- Staff training records and data protection awareness programmes
- Audit and review logs showing ongoing assessment of control effectiveness
- Records of control updates and improvements made in response to findings
- Third-party audit reports or security certifications (ISO 27001, SOC 2)
- Incident response logs demonstrating your controls detected and addressed breaches
- Data Processing Agreements with processors showing control requirements
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates the documentation and review cycle for this control—centralise your technical and organisational measures in one platform, schedule regular reviews, track updates, and generate audit-ready evidence in minutes instead of weeks.
See how GRCWatch handles this control automatically
Start free trial