EU Regulation 2016/679 — applicable since 25 May 2018

GDPR requires you to prove that you protect personal data. Can you?

Following the rules is not enough. The accountability principle in Article 5(2) means you must be able to demonstrate how you comply. During an audit, the supervisory authority does not ask whether you follow the GDPR. They ask you to show it.

99 articles
72 hrs for breach notification
EUR 20M maximum penalty
The accountability principle

Article 5(2) is the core of the GDPR

Article 5(2) of the GDPR states that the controller shall be responsible for, and be able to demonstrate, compliance with the data protection principles.

During an audit, the supervisory authority does not ask "do you follow the GDPR?". They ask "show us how you follow the GDPR". Without documented processes, risk assessments, and incident logs, you have no answer.

This is where a management system makes the difference. Scattered documents in folders and spreadsheets are not enough when the authority wants to see traceability. You need a structure that links policies to processes, risks to actions, and incidents to follow-up. In AmpliFlow, you build records of processing activities, DPIA logs, and consent tracking with custom lists that link to each other, to deviations, and to audits.

Requirements

What the GDPR requires and how AmpliFlow supports it

AmpliFlow handles organisational governance. Here are the key GDPR requirements mapped to concrete tools.

Records of processing activities (Article 30)

GDPR requires you to maintain a record of all processing activities: why you process personal data, which categories of data, who has access, and planned retention periods.

AmpliFlow tool: Custom Lists

Data Protection Impact Assessment / DPIA (Article 35)

Processing that is likely to result in high risk to individuals’ rights requires a Data Protection Impact Assessment. The process must be documented and decided by the controller.

AmpliFlow tool: Risk assessment

Personal data breach notification (Articles 33–34)

Personal data breaches must be reported to the supervisory authority within 72 hours. Where a breach is likely to result in high risk, the data subjects must also be informed. This requires a workflow that captures, categorises, and escalates.

AmpliFlow tool: Deviation management

Data subject rights (Chapter III)

Access, rectification, erasure, data portability. You need processes to handle requests within one month and a log of all cases.

AmpliFlow tool: Custom Lists + Deviation management

Documented policies and procedures

Data protection policy, access management, retention procedures. GDPR requires these to exist, be accessible, and be kept up to date.

AmpliFlow tool: Pages (wiki) + Policy

FAQ

Questions about GDPR and AmpliFlow

What is the GDPR?

EU Regulation 2016/679 governing how personal data may be processed. It applies to all organisations that process personal data about individuals in the EU, regardless of where the organisation is based. In force since 25 May 2018.

Which organisations are covered?

Any organisation that processes personal data about individuals in the EU. This applies regardless of size: companies, public authorities, associations. Certain exceptions exist for purely private processing.

What is the difference between a controller and a processor?

The controller determines why and how personal data is processed. The processor processes data on behalf of the controller. Both have obligations under the GDPR, but the controller bears ultimate responsibility.

What happens when a personal data breach occurs?

Report it to the supervisory authority within 72 hours if the breach is likely to result in a risk to individuals’ rights. Where the risk is high, the affected individuals must also be informed.

What are the penalties?

Up to EUR 20 million or 4% of global annual turnover for serious infringements (fundamental principles, data subject rights). Up to EUR 10 million or 2% for failures in organisational obligations.

How does AmpliFlow support GDPR work?

AmpliFlow handles the organisational governance: custom lists for records of processing activities (Article 30), processor registers, and consent tracking, risk assessment via risk matrices for DPIAs, deviation management for personal data breaches with 72-hour deadlines, pages (wiki) for policies and procedures, and competency matrices to ensure staff understand data protection. The lists link to each other and to other parts of the management system.

Do we need a Data Protection Officer (DPO)?

Under Article 37, a DPO is required for: public authorities (except courts), organisations whose core activities involve regular and systematic monitoring on a large scale, or organisations that process sensitive personal data on a large scale. Even if you are not required to appoint a DPO, it may be wise to do so.

Get started

Want to see how it works?

Book a demo and we will show you how AmpliFlow can support your GDPR work. We walk through records of processing, impact assessments, breach management, and policies.