# Article 5(2) requires you to demonstrate compliance. Not assert it. GDPR's accountability principle is a contemporaneity test: can you prove a control existed and was operating when you say it did? Meta was fined €17M not because security controls were absent, but because it could not demonstrate they were operating at the time of 12 data breaches. immut anchors your GDPR records to the XRP Ledger at creation, giving you contemporaneous, independently verifiable proof that a regulator can check without trusting you or your systems. ## What did the Meta €17M GDPR fine establish? The Irish DPC fined Meta €17M in March 2022 (GDPR Articles 5(2) and 24(1)). The DPC found Meta had "failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures it implemented in practice." The DPC was not finding that security controls did not exist. It was finding that Meta could not demonstrate they were operating at the time of each of the 12 data breaches in 2018. The fine was for the failure of Article 5(2) accountability, not for the breaches themselves. ## What do GDPR and related frameworks actually require? GDPR Articles 5(2), 24, 30, 35, the ICO Accountability Framework, and NIS2 all apply the same test: can you produce contemporaneous, independently verifiable evidence? - **GDPR Article 5(2), accountability principle.** The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1. The key phrase is "be able to demonstrate", not "be able to assert" or "have implemented". A policy document states intent. A blockchain-anchored record demonstrates that the policy existed and was in force on the date in question. - **GDPR Article 24(1), controller responsibility.** The controller must implement appropriate technical and organisational measures and be able to demonstrate that processing complies. The Irish DPC's enforcement position, shared by the ICO, is that a controller who cannot produce contemporaneous records of TOMs in operation has failed Article 24, regardless of whether those measures in fact existed. - **GDPR Article 35, Data Protection Impact Assessment.** A DPIA must be carried out prior to high-risk processing. The word "prior" is the contemporaneity requirement. A controller must be able to demonstrate the DPIA was completed before the processing it governs, a question the DPIA's own file metadata cannot answer. - **GDPR Article 30, Records of Processing Activities.** RoPA records must be maintained in electronic form and made available to a supervisory authority on request. A RoPA whose entries cannot be dated independently is an accountability liability. - **NIS2 Directive, Article 21.** EU NIS2 (transposed by October 2024) requires essential and important entities to implement appropriate risk-management measures. Its demonstrability requirement mirrors Article 5(2): asserting measures were in place is insufficient. It applies to the 18 sectors covered by NIS2, which overlap directly with ISO 27001 and GDPR obligations. - **ICO Accountability Framework (UK GDPR).** The ICO identifies contemporaneous documentation as a core accountability requirement: records of how and when processing decisions were made, demonstrable at the time of any investigation. The Advanced Computer Software £3.07M fine (2025) applied precisely this test. ## What does the enforcement record show? In every case below, the regulator applied the same test: not whether controls existed, but whether their existence at the relevant time could be demonstrated. - **Meta Platforms, €17M (Irish DPC, GDPR, March 2022).** Fined for failing to have measures enabling it to readily demonstrate the security measures it implemented in practice, at the time of 12 data breaches in 2018. - **Advanced Computer Software, £3.07M (UK ICO, 2025).** Advanced had procured a vulnerability scanning tool but could not demonstrate the tool had been used. Patching records were inaccurate, and the company could not demonstrate controls were operating at the time of the ransomware incident. Claiming compliance is not demonstrating compliance. - **Clearview AI, £7.5M plus enforcement notice (ICO, UK GDPR, 2022).** Clearview could not demonstrate a lawful basis for processing biometric data: no DPIAs for high-risk processing, no record of the lawful basis applied at the time of processing, no contemporaneous records of consent or legitimate interest assessments. - **Easyjet (ICO, UK GDPR, investigation).** Following a breach affecting 9 million customers, the ICO's investigation focused on whether TOMs were demonstrably in place before the breach. The accountability question is now the first question in any ICO breach investigation. ## Why can't my compliance platform answer this? Vanta, Drata, and SharePoint are collection layers. They contractually return the question of evidence integrity to you in their Terms of Service. When a supervisory authority asks "show me this DPIA was completed before the processing began," your compliance platform's answer is: "we received that evidence from the customer." immut provides the answer the platform cannot: - **DPIAs.** Prove the DPIA was completed before the processing it governs began. Article 35 requires prior completion; immut provides prior proof. - **Records of Processing Activities.** Demonstrate that each RoPA entry accurately reflects processing at the time it was recorded, contemporaneous records rather than retrospective compilation. - **TOM documentation.** Show that technical and organisational measures were in place and operating at the time of any data breach or supervisory authority investigation. ## How does immut work for GDPR records? Public proof, private work. Your GDPR documentation stays within your infrastructure. Only a cryptographic fingerprint is recorded on a public blockchain that any supervisory authority can verify. 1. **Hash your GDPR records.** DPIAs, RoPAs, consent records, TOM documentation: any file is hashed on your device. Nothing is transmitted. 2. **Anchored to the XRP Ledger.** The hash is recorded immutably on the public blockchain at the exact moment of submission. 3. **Contemporaneous proof issued.** immut generates a certificate with the hash, XRPL transaction ID, ledger sequence, and UTC timestamp. Regulator-ready. 4. **Independently verifiable.** The DPC, ICO, or any supervisory authority can verify the record without trusting immut or your systems. ## The question to ask yourself If the ICO or DPC asked you to demonstrate that your controls were operating at the time of an incident, not merely that they were documented, could you? ## Where can I learn more? - Live page: https://www.immut.io/evidence/gdpr-accountability - Developer docs: https://www.immut.io/docs - For AI agents: https://www.immut.io/ai-agents