
The GDPR accountability principle: from paper to practice
Written by: Alexander Hazell
Accountability principle
As a new consultant at Westbrook Data Protection Services, one of the first topics I raise with clients is that GDPR compliance is not just about having the right documents in place; it is also about being able to demonstrate that those documents work in real life. That is the essence of the GDPR’s accountability principle.
Organisations often believe they are compliant because they have policies, registers, and privacy notices. But the accountability principle demands more. It requires organisations to prove that their compliance framework is embedded, understood, and functioning on the ground.
Below, I break down what the accountability principle is, what the law requires, and how organisations can operationalise it, using a concrete example to bring the principle to life.
What is the GDPR accountability principle?
Article 5(2) GDPR states: “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
In other words, it is not enough to comply with the GDPR’s core principles (lawfulness, transparency, minimisation, etc.). You must also be able to show your workings.
Accountability is the “connective tissue” of GDPR. It turns compliance from a paper exercise into a living, auditable system.
This is why data protection regulators increasingly ask not just “do you have a policy?” but “show us how you know it works.”
The accountability principle requires organisations to:
1. Implement appropriate technical and organisational measures to ensure GDPR compliance.
2. Document those measures.
3. Demonstrate their effectiveness to regulators if asked.
4. Monitor and review them.
Operationalising Accountability
Organisations often have a dedicated function for handling data subject access requests (DSARs), complete with a centralised inbox and a well‑written policy. On paper, everything looks strong.
But there is often a gap that might well get picked up during a data protection audit: employees outside the privacy team are not trained on what to do if a DSAR arrives through an unexpected route, for example a message on LinkedIn, a call to reception, or a query sent to a generic team inbox.
This is a very common issue across organisations of all sizes. Data subjects rarely behave in the neat, controlled way that policies imagine. If your organisation only handles DSARs correctly when they arrive through the “official” channel, you are not compliant, and you cannot demonstrate accountability.
What accountability looks like in practice
To operationalise the principle, an organisation must be able to show:
1. A DSAR policy exists
It must state that requests can be received through any channel.
2. Staff know what a DSAR looks like
Not just the privacy team – everyone who might be contacted.
3. Staff know what to do next
They must be able to deal with or route the request correctly.
4. Training has been delivered and understood
This is how you can demonstrate accountability.
5. Evidence exists
If a regulator asks, you can show:
1. Training logs
2. Attendance records
3. Quiz results
4. Internal communications
5. Process documentation
This is the difference between “we have a policy” and “we can prove the policy works”.
A Concrete Example
In anticipation of a possible audit, organisations may strengthen their accountability posture by:
1. Updating their DSAR policy to cover non‑standard request routes
2. Training receptionists and customer‑facing teams
3. Requiring them to complete a short test to confirm understanding
4. Retaining the results as evidence of compliance
If a data protection regulator were to ask, the organisation could now demonstrate:
1. The policy exists
2. The policy is implemented
3. Staff understand their responsibilities
4. The organisation can prove it
That is demonstrable accountability in action.
Prevention over cure
The underlying philosophy of accountability is simple: it is better to prevent a breach than to respond to one.
A misrouted DSAR can easily become:
1. A missed deadline
2. An unlawful refusal
3. A complaint to the ICO
4. A regulatory investigation
By embedding accountability into everyday operations, organisations reduce risk, improve trust, and build a defensible compliance posture.
Final thoughts
Actualising the GDPR accountability principle is not about bureaucracy for its own sake; it’s about operational maturity. It’s also about ensuring that compliance is not confined to the privacy team but is woven into the organisation’s culture and daily behaviour.
At Westbrook Data Protection Services, we help organisations move from “policy on paper” to “compliance in practice” – that is what the GDPR requires, and what regulators expect.
If you’d like support assessing or strengthening your accountability framework, we’re here to help.
Please send us an email or call us on +44 (0)79769 39016 (9.00am – 6pm).
Westbrook Data Protection Services Limited
2nd Floor, Midas House, 62 Goldsworth Road
Woking, Surrey, GU21 6LQ