How do Boards know if their organisation is GDPR Compliant?

Boards know they are compliant when they can evidence decisions, controls, and oversight, not just policies.

Why this matters

GDPR compliance is not binary. Regulators assess reasonableness and accountability.

Signs of confidence

  • Compliance gaps and risks are identified and prioritised
  • Decisions are documented with rationale
  • Incidents are handled consistently
  • Reporting is regular and meaningful

Red flags for Boards

  • Reliance on outdated policies
  • No single view of compliance activity
  • Scrambling for evidence during incidents

Practical test

“Can we show what we decided, when, and why?”