GDPR accountability

Article 5(2) requires you to demonstrate compliance. Not assert it.

Meta was fined €17M not because security controls were absent, but because it could not demonstrate they were operating at the time of 12 data breaches. The accountability principle under GDPR is a contemporaneity test: can you prove the control existed when you say it did?

[Diagram: risk-assessment.docx → SHA-256 computed on device (stays on device) → fingerprint 0xa3f9…b2c7 → XRPL public ledger (public)]
The Meta precedent

The €17M fine was not for the breaches. It was for failing to demonstrate controls were operating.

Irish DPC Decision · March 2022 · GDPR Article 5(2) + 24(1)
“Meta has failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures it implemented in practice, in relation to the processing of the personal data of users of its Facebook and Instagram platforms.”

The DPC was not finding that security controls did not exist. It was finding that Meta could not demonstrate they were operating at the time of each breach. This is the Article 5(2) accountability test applied directly. The fine is entirely explicable by the failure to maintain a contemporaneous, independently verifiable record of controls in operation.

Legal instruments

What each provision actually requires.

GDPR Articles 5(2), 24, 30, 35, the ICO Accountability Framework, and NIS2 all apply the same test: can you produce contemporaneous, independently verifiable evidence?

GDPR · Article 5(2)
Accountability principle

The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1. The key phrase is 'be able to demonstrate' — not 'be able to assert' or 'have implemented'. A controller must be able to produce contemporaneous, independently verifiable evidence that data protection principles were being applied at any given point in time. A policy document states intent. A blockchain-anchored record demonstrates that the policy existed and was in force on the date in question.

GDPR · Article 24(1)
Controller responsibility

The controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is carried out in accordance with this Regulation. The burden of demonstration is on the controller. The Irish DPC's enforcement position — and that of the ICO — is that a controller who cannot produce contemporaneous records of TOMs in operation has failed Article 24, regardless of whether those measures in fact existed.

GDPR · Article 35
Data Protection Impact Assessment

Where a type of processing is likely to result in a high risk, the controller shall carry out a Data Protection Impact Assessment prior to the processing. The word 'prior' is the contemporaneity requirement. A DPIA completed after processing began does not satisfy Article 35. A controller must be able to demonstrate the DPIA was completed before the processing it governs — a question the DPIA's own file metadata cannot answer.

GDPR · Article 30
Records of Processing Activities

Each controller shall maintain a record of processing activities under its responsibility. RoPA records must be maintained in writing, in electronic form, and made available to a supervisory authority on request. The accuracy of those records at the time of any request — and their demonstrable accuracy at the time the processing occurred — is what the accountability principle tests. A RoPA whose entries cannot be dated independently is an accountability liability.

NIS2 Directive · Article 21
Cybersecurity risk-management

EU NIS2 (transposed by October 2024) requires essential and important entities to implement appropriate technical, operational and organisational measures to manage risks. The demonstrability requirement of NIS2 mirrors Article 5(2): it is insufficient to assert that measures were in place. The entity must be able to demonstrate it — a requirement that applies to the 18 sectors covered by NIS2, which overlap directly with ISO 27001 and GDPR compliance obligations.

ICO Accountability Framework (UK GDPR)
UK accountability

The ICO's Accountability Framework identifies contemporaneous documentation as a core accountability requirement. Specifically, the ICO expects organisations to maintain records of how and when processing decisions were made, and to be able to demonstrate compliance at the time of any investigation. The Advanced Computer Software £3.07M fine (2025) applied precisely this test: the ICO found the company could not demonstrate that security controls were operating at the time of the incident.

Enforcement precedent

The accountability test in action.

In every case below, the regulator applied the same test: not whether controls existed, but whether their existence at the relevant time could be demonstrated.

€17M
Meta Platforms
Irish DPC · GDPR · March 2022

The Irish DPC fined Meta €17M not because security controls were absent, but because Meta could not demonstrate they were operating at the time of 12 data breaches in 2018. The DPC found Meta had 'failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures it implemented in practice.' The fine was for the failure of Article 5(2) accountability — not for the breaches themselves.

£3.07M
Advanced Computer Software
UK ICO · ISO 27001-adjacent · 2025

Advanced had procured a vulnerability scanning tool. It could not demonstrate the tool had been used. The existence of the tool was not the issue. The ICO found that patching records were inaccurate and that the company could not demonstrate controls were operating at the time of the ransomware incident. The ICO's enforcement position directly mirrors Article 5(2): claiming compliance is not demonstrating compliance.

£7.5M + enforcement notice
Clearview AI
ICO · UK GDPR · 2022

The ICO found Clearview could not demonstrate a lawful basis for processing biometric data. The accountability failure was systemic: no DPIAs for high-risk processing; no record of the lawful basis applied to UK data subjects at the time of processing; no contemporaneous records of consent or legitimate interest assessments. Article 35 and Article 5(2) both applied.

Enforcement under investigation
Easyjet
ICO · UK GDPR · Investigation

Following a breach affecting 9 million customers, the ICO's investigation focused on whether Easyjet had documented its security measures and whether TOMs were demonstrably in place before the breach. The accountability question — can you prove what controls existed and when — is now the first question in any ICO breach investigation, not a secondary consideration.

The accountability layer

Your compliance platform holds your GDPR records. It cannot prove when they were created.

Vanta, Drata, and SharePoint are collection layers. Their Terms of Service place responsibility for evidence integrity back on you. When a supervisory authority asks “show me this DPIA was completed before the processing began,” your compliance platform's answer is: “we received that evidence from the customer.” immut provides the answer the platform cannot.

DPIAs

Prove the DPIA was completed before the processing it governs began. Article 35 requires prior completion. immut provides prior proof.

Records of Processing Activities

Demonstrate that each RoPA entry accurately reflects processing at the time it was recorded. Contemporaneous records, not retrospective compilation.

TOM documentation

Show that technical and organisational measures were in place and operating at the time of any data breach or supervisory authority investigation.

How immut works

Public proof. Private work.

Your GDPR documentation stays within your infrastructure. Only a cryptographic fingerprint is recorded on a public blockchain that any supervisory authority can verify.

01
Hash your GDPR records

DPIAs, RoPAs, consent records, TOM documentation — any file is hashed on your device. Nothing is transmitted.

02
Anchored to the XRP Ledger

The hash is recorded immutably on the public blockchain at the exact moment of submission.

03
Contemporaneous proof issued

immut generates a certificate with the hash, XRPL transaction ID, ledger sequence, and UTC timestamp. Regulator-ready.

04
Independently verifiable

The DPC, ICO, or any supervisory authority can verify the record without trusting immut or your systems.
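The four steps above, worked through in code. This is an added illustration and not immut's own software: the XRP Ledger is replaced by an in-memory append-only stand-in (a real deployment would submit the digest in an XRPL transaction and read the validated ledger sequence and close time back from the network), and every transaction ID, ledger sequence, timestamp and document body below is constructed. It also shows the two checks a regulator's verifier would perform: that a file still matches the digest held on the ledger, and (for the Article 35 "prior" test in the DPIA section above) that the ledger's close time precedes the start of processing.

```python
"""Hash, anchor, certify, verify: the "How immut works" steps as an added
example. Not immut's code. The ledger is simulated; IDs and dates are made up.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    """Step 01: fingerprint the record. Only this digest ever leaves the device."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class LedgerEntry:
    """One anchored digest as any verifier would read it back from the ledger."""
    tx_id: str
    ledger_seq: int
    close_time_utc: str   # ISO 8601, UTC
    digest: str


class SimulatedLedger:
    """Assumption: stand-in for the public ledger. Append-only, readable by anyone."""

    def __init__(self) -> None:
        self._entries: List[LedgerEntry] = []

    def anchor(self, digest: str, now: datetime) -> LedgerEntry:
        """Step 02: record the digest with a sequence number and close time."""
        seq = 90_000_000 + len(self._entries)                       # constructed
        tx_id = hashlib.sha256(f"{seq}:{digest}".encode()).hexdigest().upper()
        entry = LedgerEntry(tx_id, seq, now.isoformat(), digest)
        self._entries.append(entry)
        return entry

    def lookup(self, tx_id: str) -> Optional[LedgerEntry]:
        """Step 04: fetch the entry without trusting the submitter's systems."""
        return next((e for e in self._entries if e.tx_id == tx_id), None)


def issue_certificate(file_name: str, data: bytes,
                      ledger: SimulatedLedger, now: datetime) -> Dict:
    """Step 03: certificate carrying hash, tx ID, ledger sequence, UTC timestamp."""
    entry = ledger.anchor(sha256_hex(data), now)
    return {"file_name": file_name, **asdict(entry)}


def verify(data: bytes, certificate: Dict, ledger: SimulatedLedger) -> Dict:
    """Recompute the hash locally and compare it with the ledger's copy, not with
    the hash printed on the certificate: a PDF certificate can be edited, the
    ledger entry cannot."""
    entry = ledger.lookup(certificate["tx_id"])
    if entry is None:
        return {"ok": False, "reason": "transaction not found on ledger"}
    if sha256_hex(data) != entry.digest:
        return {"ok": False, "reason": "file does not match anchored digest"}
    if entry.ledger_seq != certificate["ledger_seq"]:
        return {"ok": False, "reason": "certificate sequence differs from ledger"}
    return {"ok": True, "anchored_at": entry.close_time_utc}


def completed_before(certificate: Dict, processing_started: datetime,
                     ledger: SimulatedLedger) -> bool:
    """Article 35 'prior' test: the date comes from the ledger close time, never
    from the document's own file metadata, and must precede processing."""
    entry = ledger.lookup(certificate["tx_id"])
    if entry is None:
        return False
    return datetime.fromisoformat(entry.close_time_utc) < processing_started


def demo() -> Dict:
    """Walk the four steps with a constructed DPIA and a later tampered copy."""
    ledger = SimulatedLedger()
    dpia = b"DPIA v1.0 - CCTV analytics - completed 2024-03-01\n"   # constructed
    signed_at = datetime(2024, 3, 1, 14, 30, tzinfo=timezone.utc)     # constructed
    cert = issue_certificate("dpia-cctv-v1.docx", dpia, ledger, signed_at)
    return {
        "certificate": cert,
        "original_ok": verify(dpia, cert, ledger)["ok"],
        "tampered_ok": verify(dpia.replace(b"v1.0", b"v1.1"), cert, ledger)["ok"],
        "prior_to_processing": completed_before(
            cert, datetime(2024, 4, 1, tzinfo=timezone.utc), ledger),
        "prior_to_backdated_start": completed_before(
            cert, datetime(2024, 2, 1, tzinfo=timezone.utc), ledger),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry over to the real thing. The verifier trusts only what it can recompute (the hash of the file in front of it) and what it can read from the public ledger; the certificate is a convenience that tells it where to look. And what the anchor proves is narrow but exact: these bytes existed, unchanged, no later than the ledger close time. Whether that demonstrates a control was operating depends on what was hashed, so anchoring the scan reports or patch logs themselves, not only the policy that says they should exist, is what answers the question the regulators in the cases above were asking.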

Question to ask yourself

If the ICO or DPC asked you to demonstrate that your controls were operating at the time of an incident, not merely that they were documented, could you?

Prove your first file in minutes.

Takes seconds. Works on any file type. No installation required.

Sign up for free