Who is accountable for GDPR Compliance at Board Level?


Under GDPR's accountability principle (Article 5(2)), the organisation, as controller or processor, is accountable for compliance; boards are responsible for ensuring effective governance, oversight, and assurance of that compliance.

Why this matters

GDPR accountability cannot be delegated away. Implementation tasks can be assigned to management, the DPO, or IT, but accountability for the outcome sits at the top.

How accountability typically works

  • Board/Trustees: Ultimate accountability and oversight
  • Executive leadership: Implementation and resourcing
  • DPO: Independent advice, challenge, and regulator interface
  • IT / Operations: Day‑to‑day controls and incident response

What boards are accountable for

  • Ensuring appropriate governance structures exist
  • Receiving regular, meaningful compliance reporting
  • Challenging assumptions and risk decisions
  • Ensuring incidents are managed correctly, including notification to the supervisory authority within 72 hours of becoming aware of a notifiable personal data breach (Article 33)

What boards are not expected to do

  • Run day‑to‑day compliance
  • Make technical security decisions
  • Replace management or the DPO

Evidence of good accountability

  • Board‑level GDPR risk reports
  • Recorded challenge and decisions
  • Clear escalation paths