Controllers are accountable for, and must be able to demonstrate compliance with the principles as set out in Article 5.

Article 24 further places the onus for accountability on controllers and processors which are required to

"implement appropriate technical and organisational measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation.  These measures shall be reviewed and updated where necessary".

Compliance must be readily demonstrable to individuals and supervisory authorities and failure to do so may lead to a fine of up to €10,000,000 or 2% of annual turnover.

The requirements for controllers include:

   the implementation of appropriate data protection policies 

   adherence to approved codes of conduct

   complying with the concepts of "data protection by design and by default"

   undertaking "data protection impact assessments"


The requirements for controllers and processors include:

   maintaining records of processing activities

   appointment of a data protection officer