The classic trap
Article 24 is the cornerstone of accountability: the controller must not only comply but also be able to demonstrate compliance. The CNPD and the CNIL regularly sanction organisations whose data protection policies exist... filed away in SharePoint, never reviewed, never updated, with no trace of any revision. The trap is not the absence of measures, it is the inability to prove that they are alive, proportionate and reviewed.
The 'appropriate and reviewed' test: the key argument before the CNPD
Article 24(1) rests on a few words that tip the balance during an inspection: the measures must be appropriate to the nature, scope, context and purposes of the processing and to the risks it presents, and they must be reviewed and updated where necessary. Concretely, here is what the authority checks during an audit:
- Is there a risk mapping linked to the nature, scope, context and purposes of each processing activity?
- Are data protection policies dated, versioned, approved by management and distributed to operational teams?
- Is there a written trace of the last review (who, when, what conclusions, what corrective actions)?
- Are technical measures (encryption, MFA, logging, retention) aligned with the written policies, or is there a gap between the declared and the actual?
- Does the organisation rely on an approved code of conduct (art. 40) or a certification (art. 42) to materialise its accountability?
- Are management decisions (security budget, DPO appointment, post-incident action plan) documented and evidenced, so that they can be produced on request?
The most common trap: a GDPR policy written in 2019 by an external firm, signed once and never touched again, despite the arrival of Copilot, new data flows to the US, or a change of DPO. Before the CNPD, that is no longer accountability; it is documentary fiction.
How Luxgap automates this risk
Our Luxgap Accountability Pulse turns the declarative obligation of Article 24 into continuous, timestamped proof that can be produced before the authority. Instead of asking the DPO to re-document policies every year, the tool plugs an AI agent into your SharePoint, Confluence, Odoo Documents, M365 Compliance Center and Azure Policy to detect in real time the gaps between your written policies and the technical reality of your IS, and automatically generates the accountability log that the CNPD expects.
- Continuously scans your data protection policies (SharePoint, Confluence, Notion) and detects those not reviewed for more than 12 months, with a Teams alert to the DPO and management.
- Confronts the declared (encryption, retention, access policy) with the actual observed in Microsoft Purview, Defender, Azure Policy and AWS Config, and lists gaps line by line.
- Calculates an Article 24(1) proportionality score per processing activity, based on data nature, volume, context and risks identified in the Article 30 register.
- Generates a monthly cryptographically sealed PDF report, timestamped on a notarial blockchain, that can be produced before the CNPD as evidence of the periodic review required by the last sentence of Article 24(1). The seal and timestamp prove that the report existed unaltered at that date; the findings it contains are what the reviewer is expected to act on.
- Natively integrates EDPB-approved codes of conduct and Article 42 certifications (Europrivacy, GDPR-CARPA) to materialise the Article 24(3) argument.
- Predicts, based on the history of your IS changes, the next probable compliance gap (new Copilot connector, new Salesforce flow to the US) before it becomes an incident.
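As an added illustration, here is a minimal version of two of the checks the list describes: a staleness test on the review date of each policy (the 12-month threshold) and a line-by-line reconciliation of declared controls against an observed configuration snapshot, including the case where no evidence was collected for a control. This is example code, not Luxgap's code and not a description of how Accountability Pulse works internally; the policy register, the control names and the observed values are constructed, and in practice the snapshot would come from the tools named above.

```python
"""Policy staleness check and declared-vs-observed reconciliation.

Added example, not Luxgap's code. The policy register, control names and
observed snapshot are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# "Not reviewed for more than 12 months" threshold (assumption: 365 days).
REVIEW_MAX_AGE = timedelta(days=365)

# Reference date for the stand-alone run and the checks below (constructed).
REPORT_DATE = date(2025, 9, 1)


@dataclass
class Policy:
    name: str
    version: str
    last_reviewed: date
    declared: dict  # control name -> value the written policy commits to


# Constructed policy register: what the written documents say.
POLICIES = [
    Policy("Access control policy", "2.1", date(2019, 6, 3),
           {"mfa_required": True, "admin_pim": True}),
    Policy("Encryption standard", "1.4", date(2025, 2, 10),
           {"storage_encryption": "AES-256", "tls_min_version": "1.2"}),
    Policy("Retention schedule", "3.0", date(2024, 11, 20),
           {"mailbox_retention_days": 365, "log_retention_days": 180}),
]

# Constructed observed snapshot, standing in for what Azure Policy, Purview
# or AWS Config would report for the same controls.
OBSERVED = {
    "mfa_required": False,        # conditional-access policy switched off
    "admin_pim": True,
    "storage_encryption": "AES-256",
    "tls_min_version": "1.0",     # a legacy endpoint still accepts TLS 1.0
    "mailbox_retention_days": 365,
    # "log_retention_days" is absent: no evidence collected for this control
}


def stale_policies(policies, today):
    """Names of policies whose last review is older than REVIEW_MAX_AGE."""
    return [p.name for p in policies if today - p.last_reviewed > REVIEW_MAX_AGE]


def gaps(policies, observed):
    """One line per control whose declared value differs from what was
    observed, or for which nothing was observed at all (missing evidence is
    reported as a gap rather than silently skipped)."""
    lines = []
    for p in policies:
        for control, declared in p.declared.items():
            if control not in observed:
                lines.append(f"{p.name} v{p.version}: {control} "
                             f"declared={declared!r} observed=<no evidence>")
            elif observed[control] != declared:
                lines.append(f"{p.name} v{p.version}: {control} "
                             f"declared={declared!r} observed={observed[control]!r}")
    return lines


if __name__ == "__main__":
    for name in stale_policies(POLICIES, REPORT_DATE):
        print("STALE:", name)
    for line in gaps(POLICIES, OBSERVED):
        print("GAP:", line)
```

Run as-is, the block flags the 2019 access control policy as stale and lists three gaps: MFA declared but disabled, TLS 1.0 still accepted against a declared 1.2 minimum, and a log retention commitment with no observed evidence. The last case matters in an inspection: a control nobody measures cannot be shown to be "reviewed", so it is reported rather than dropped.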
Available as a complement to a Luxgap DPO mandate or as a standalone SaaS module, depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your actual scope, including a free 48-hour blind audit measuring the gap between your written policies and the technical reality of your IS before any engagement.