Showing it does not stop at paper
You have an AI policy, a record of processing, and a yearly training. GDPR accountability asks for more: show that the controls actually work. A policy on a shelf does not prove that. A warning at the moment someone types, plus numbers on what happens, does.
Claude