CNIL Urges DPOs to Produce Activity Reports: A Practical Tool for Driving Compliance

After several years as a DPO, I’ve learned that one of the most useful things you can do is put together a regular activity report — even though the GDPR doesn’t strictly require it. The French data protection authority (CNIL) agrees, and on April 27 it published fresh guidance strongly recommending the practice.

The report serves two straightforward purposes: it helps you steer compliance inside the organization and gives you a clear way to show senior leadership what you’ve actually accomplished.
Why a DPO Activity Report Matters

A good activity report does more than tick a box. It lets you diagnose where the biggest risks sit — pulling from your processing register, DPIAs, audit findings, breach logs, and complaints. It forces you to quantify residual risks (legal, financial, reputational) and document what you’ve done to close gaps: updated privacy notices, tighter contracts, better technical controls, staff training, or new incident response procedures.

Over time, these reports become a living record of the organization’s maturity on data protection. They also create institutional memory, which is invaluable when a new DPO comes in or when regulators come knocking.

Reporting to Leadership

The GDPR requires DPOs to report directly to the highest level of management. An annual (or even quarterly) activity report makes that obligation concrete. I’ve found that presenting it in person — ideally in a formal meeting — works far better than just emailing a PDF. It opens the door to honest discussion about what’s working, what isn’t, and what resources you actually need: more training budget, dedicated support staff, or stronger executive backing.

Use the report to demonstrate progress — fewer high-risk projects without proper mitigations, faster response times to data subject requests, fewer incidents — and to flag remaining obstacles. Leadership responds better when you can show both the value delivered and the concrete barriers still in the way.

Using the Report for Internal Awareness

Don’t stop at the C-suite. A trimmed-down version works well for employee representatives and broader staff communications. It reinforces your visibility and reminds people that data protection is an ongoing effort, not a one-time project. Highlight wins, acknowledge what still needs work, and point them to practical resources: your contact details, templates, breach reporting procedures, and rights request workflows.

The most effective rollouts I’ve seen have visible support from the top. When the CEO or general counsel visibly endorses the effort, it lands differently.

How to Build the Report Without Burning Out

Treat it as a living document. Don’t try to write it in one frantic push at year-end. Add notes incrementally throughout the year — tagged by category (advice given, controls implemented, training delivered, audits performed). This approach also feeds nicely into interim check-ins with management.

Keep it concise and visual: charts showing trends in breach notifications, tables tracking rights request volumes and response times, or simple maturity heat maps. Most modern compliance tools already generate these numbers; pull them in rather than recreating them.

The CNIL has released a flexible, non-mandatory ODT template to help structure the document. You can adapt it to your organization’s size, sector, and internal reporting style — and even create lighter versions for wider distribution or for situations where you act as a shared DPO across multiple entities.

Practical Advice from the Trenches

Choose timing that fits your rhythm — some DPOs align with the calendar year, others with budget planning or the anniversary of their appointment. Decide upfront what success looks like for the next period: specific processing activities that need attention, risk-reduction targets, or training completion rates.

Most importantly, use the report to ask the hard questions: Are our technical and organizational measures still proportionate? Do we have enough resources to do this job properly? Are the highest-risk projects getting enough scrutiny?

The CNIL’s push on this point is welcome. In an environment where DPOs often feel stretched thin, a disciplined reporting habit is one of the best ways to demonstrate value and secure the support needed to do the job right.
