GDPR accountability: what an office actually needs to prove
From policies to records, vendors, transfers, DPIAs and controls: GDPR compliance as an operating system, not a folder of PDFs.
Executive summary
- GDPR is an accountability system, not just a privacy notice.
- Every office processes personal data in client, staff and compliance workflows.
- Evidence should connect records, requests, breaches, vendors, transfers, retention and controls.
GDPR accountability means being able to show how personal data is processed, why it is lawful, who receives it, how long it is kept, how risks are controlled and what evidence supports each conclusion.
For professional offices, GDPR is not separate from day-to-day work. Client onboarding, AML checks, staff records, suppliers, document management, portals, emails and inspection packs all involve personal data.
A credible GDPR workspace therefore connects ROPA records, requests, breaches, DPIAs, vendors, transfers, retention schedules, notices and controls into one live evidence system.
Who this applies to
This guide is for professional offices that need to operate GDPR compliance alongside AML, onboarding, client portals, document management and inspection readiness.
- Notaries, law firms, accountants, tax advisors and estate agents
- Offices using client portals and screening tools
- Firms with vendors, processors or international transfers
- Teams preparing a GDPR evidence pack
Legal and supervisory context
The GDPR requires controllers to be able to demonstrate compliance. That makes records, controls and review history as important as policy wording.
For offices, the hardest part is fragmentation: privacy notices in one folder, vendors in another, breaches in email, DSRs in spreadsheets and retention decisions nowhere.
What the office must actually do
The office should turn the obligation into a repeatable workflow with named owners, deadlines, evidence and reviewable decisions.
- Create a GDPR overview dashboard.
- Maintain ROPA, vendors, transfers, notices and controls.
- Track DSR and breach deadlines.
- Link DPIAs and retention reviews to processing activities.
- Keep policy, training and evidence history together.
What good evidence looks like
A reviewer should be able to see the current posture, open deadlines, missing records and evidence behind each material GDPR conclusion.
Common mistakes supervisors find
- Treating GDPR as a one-time privacy policy project.
- Not linking vendors and transfers to processing records.
- Missing DSR or breach deadlines.
- Keeping retention decisions outside the evidence trail.
Practical checklist
- Inventory processing.
- Maintain ROPA.
- Track requests and breaches.
- Review vendors and transfers.
- Keep retention schedules.
- Record controls and training.
- Prepare inspection evidence.
How Sceau supports this
- Provides a full GDPR workspace.
- Connects ROPA, DSRs, breaches, DPIAs, vendors, transfers and retention.
- Raises deadline and missing-evidence tasks.
- Exports inspection-ready GDPR registers.
FAQ
Does every office need GDPR records?
Yes. The depth varies, but every office processes personal data and must be able to demonstrate compliance.
Is a privacy notice enough?
No. It is one artifact. Accountability also needs records, controls, requests, breaches, vendor reviews and retention evidence.
Can Sceau provide legal advice?
Sceau structures and evidences the workflow. Final legal conclusions remain with the organization or its appointed counsel.
Official references
From knowledge to compliance
Reading is a start. Sceau turns these obligations into a workflow that runs itself and proves itself.