What evidence do regulators expect?

Regulators expect clear, consistent evidence showing how risks are identified, decisions are made, and controls are applied.

Why this matters

Compliance is assessed on accountability and process, not intent.

Common evidence requests

  • Records of Processing Activities (RoPA)
  • DPIAs and risk assessments
  • Breach logs and decision records
  • Training and awareness records
  • Governance and oversight documentation

How evidence should be presented

  • Centralised
  • Time‑stamped
  • Linked to decisions and actions

Evidence of maturity

  • Consistency across the organisation
  • No last-minute document creation