Boards should expect clear, time‑stamped evidence showing how decisions were made and risks managed.

Why this matters

Regulators focus on process and accountability, not just outcomes.      

Typical evidence requested

• Records of processing activities (RoPA)
• DPIAs and risk assessments
• Incident logs and decision records
• Training records
• Board and governance documentation
  
  

The Board’s role during an investigation

• Ensure cooperation
• Review findings
• Oversee remediation
  
  

Evidence of good preparation

• Centralised documentation
• Clear ownership
• Consistent decision logs