Javascript is required

How to make an annual DPO report?

How to make an annual DPO report?
Marine Boquien
Marine Boquien
9 February 2024·10 minutes read time

The role of the DPO/DPO or Data Protection Officer is crucial in the compliance of companies with personal data protection regulations, such as the General Data Protection Regulation (GDPR) in Europe.

To ensure effective management of personal data, it is essential that the DPO carries out an annual review of its activities.

The design of the DPO's annual report

The drafting of the DPO's annual report requires careful attention to accurately reflect past activities and clearly define the DPO's future compliance objectives.

In this article, we present the answers to your questions and the key steps to carry out your GDPR assessment and maintain continuous compliance !

What is the DPO Annual Report ?

The annual report of the DPO (Data Protection Officer) is a document that allows the DPO to report on his or her work and tasks within the organisation that has appointed him or her as such.

The DPO's annual report also presents the actions carried out by the DPO and his teams within the company over a year (risk assessment, management of security incidents and notification to the CNIL, staff training, follow-up and responses to requests for rights of data subjects, internal audits, advice and recommendations for improvement on all projects involving the processing of personal data).

Finally, the DPO's annual report aims to improve the organisation's transparency on data protection and to communicate to the public about its commitment to compliance.

Who should I introduce it to ?

The DPO's annual report can be presented to the managers and heads of the various departments of the organisation, including :

  • Chief Executive Officer (CEO)
  • Deputy Director
  • General Technical Director (CTO)
  • CISO or CISO
  • Business manager
  • HRD
  • CEO

The DPO's annual report may be submitted at the request of the CNIL in the event of an audit by the latter.

For what occasion ?

You can present this report at :

  • Executive committee
  • Executive Committee
  • Steering Committee
  • Executive Committee
  • General Assembly

When should you draw up your annual balance sheet ?

We recommend that you complete your annual review at the end of the current year or at the beginning of the next. You can also choose to do so in conjunction with the end of the organization's financial year, or on the anniversary of your taking up your position or your appointment with the CNIL.

It is advisable, as far as possible, to gradually collect the elements necessary for the preparation of the balance sheet over the course of the year, and to begin the drafting of this document well in advance of the planned date of delivery to the privileged interlocutors within the organization.

How many pages to make ?

Avoid 100-page reports! The number of pages will depend on your organization. The aim is to centralise the essential information and highlights of the past year.

How to produce the DPO's annual report ?

To produce a good detailed report, we advise you to anticipate and collect all the important information that you need and want to incorporate into your report :

  • Statistical elements : the number of personal data processing, the number of DPIAs carried out over the year, the number of rights requests received and processed (and blocking points), etc.
  • Practical documents set up within the organisation: privacy policies, internal repositories, IT charters, GDPR mentions in contracts, appendix or subcontracting agreement, etc.
  • Testimonials: ask your management and operational staff about their business vision of personal data protection and the GDPR.
  • Sort and incorporate the items you want into your report.

The role of the annual report is also to promote you, your position and your profession by communicating with your business departments and your superiors.

We encourage you to choose a presentation axis based on your organization. You can choose to write an annual GDPR report :

  • by timeline
  • by theme
  • by prioritization and risk assessment
  • by business lines

1. Contextualization

The first aspect to consider in the DPO's annual review is contextualization. What is the field of activity in which you operate? Have you appointed a DPO? If so, was it an obligation? Is it a replacement? Is the initiation of data protection activities recent ?

We recommend that you write a page dedicated to the contextualization and presentation of the organization and its activities, taking into account the particularities of the latter.

2. The DPO's interactions

It is also crucial to recall the various exchanges you have had during the year:

  • Internal interactions within your organization, such as those with the organization's operational staff who are responsible for the processing. External interactions, in particular with the CNIL, those outside the organisation or with other DPOs.

  • Don't hesitate to provide details and quantify this information (frequency of communication, tools used, elements of communication, etc.).

  • Explain how you have strengthened the dynamics of your network! Reporting this information will allow you to strengthen your credibility as a DPO.

3. The processing register

It is imperative to include in this report the register of treatments. Do not forget to put a figure on the number of treatments carried out during the year, as well as the number of exchanges or workshops necessary to establish this register. How many processes have been subject to changes and/or deletions, for example? We also encourage you to highlight the prioritization of actions and the levels of criticality for treatments deemed sensitive.

4. The action plan

The action plan section of the report is a demanding step for a DPO, but extremely crucial. To simplify this process, we suggest that you structure the action plan by theme. Associate a timeline of achievements with your action plan, including objectives to be met, the duration and designate people responsible for carrying out this action plan, etc. This will allow you to draw conclusions for the year and set your goals for the following year.

This action plan offers you the opportunity to identify whether or not you are meeting your objectives as a DPO, but more importantly, it allows you to analyze the reasons why you might not have achieved them.


In this part of the report, you can quantify the number of DPIAs you have completed and explain how you prioritized them. How did you find solutions and who did you interact with during the implementation of these DPIAs ? How much time did you spend on it ? How many workshops have you conducted ? It's crucial to quantify all of these elements to demonstrate your commitment and time invested.

To ensure that your report is comprehensive and detailed, you can conduct an in-depth analysis of each DPIA.

With Dastra, carry out your data protection impact assessments !

6. Staff training and awareness

A key aspect of the DPO's annual review is the training and awareness-raising put in place for the teams.

The DPO must ensure that all employees understand the importance of data protection and that they are informed of good practices when handling personal information.

How have your employees been trained? What are the training modalities for newcomers? Do you use an external service provider? What are the impacts and developments as a result of these training and awareness-raising initiatives ?

7. Data subjects

During this annual review, it is crucial to mention the parties involved in processing activities within your organization. How many requests to exercise rights have you received? We encourage you to keep a status of requests, including whether you are receiving more requests for the right of access, the right to delete, etc.

It is also essential to emphasize the informational aspect. How is information communicated to data subjects ? Are individuals adequately informed? We invite you to address these aspects in your review.

8. Security and Data Breaches

The section on security and data breach incidents is also of paramount importance. In this section, we encourage you to highlight all aspects related to data transfers, such as the identification of processing, transfers, as well as the legal tools to secure these transfers.

Similarly, it is essential to include a section dedicated to data security, assessing the security status of the organization.

We invite you to develop a first part dealing with logistics and a second part looking at human security, highlighting the training, anticipation measures put in place and corrective measures adopted by the organization.

Finally, we encourage you to address any testing campaigns you've run, including fake emails, phishing, and more. Don't hesitate to ask your CISO or CIO to get their feedback.

Manage your data breach registry and improve your security with Dastra !

9. Privacy by Design

In this section, we encourage you to share information about privacy by design. The details and elements of this section may vary depending on the specifics of your organization. What methodology did you adopt ? Do you use specific templates ? How do you manage your projects, and how many requests have you received for projects ?

Highlight the elements that contribute to positive feedback on your management and coordination. As a DPO, your ability to step back and guide is crucial. Don't hesitate to highlight your own initiatives, the projects you have initiated, and to share testimonials. This is the perfect opportunity to illustrate your impact and contribution within the organization and its operation.

10. Subcontracting

In this section, we invite you to detail the following :

  • Difficulties encountered with your subcontractors
  • The number of subcontractors
  • The current state of contracting
  • The presence of security issues, if any
  • The process for choosing new subcontractors (specifications, etc.) etc.

11. Contracting

In this section, we suggest that you highlight the type of documentation you have in place. You have the possibility to organize this part by direction or by theme. A classification can be carried out, distinguishing between created, recast and negotiated documents. It is also essential to provide information about the materials you make available and the library you have.

12. Website and App

In this section, you can document all aspects related to GDPR cookies. Have you identified sources of information collection? Are your T&Cs and cookie pages up-to-date and compliant?

Don't hesitate to include the interactions you have had with the web teams to demonstrate the compliance of your website and the management of your cookies.


In conclusion, conducting an annual review as DPO is a fundamental process to ensure and prove ongoing compliance and strengthen data protection within the organization.

By following these key steps, you can identify areas for improvement, implement corrective actions, and help build a culture of data protection within the organization.

An effective annual report not only ensures legal compliance, but also builds stakeholder confidence for optimal and responsible management of personal data.

About the author
Subscribe to our newsletter

We will send you a few emails to keep you informed of our news and what's new in our solution

* You will always be able to unsubscribe on each newsletter. Learn more.