What should Trustees see in a GDPR
Risk Report?
Trustees should see a clear view of risk, trends, incidents, and actions—without operational noise.

Why this matters

Boards cannot oversee what they cannot understand. Overly technical reporting obscures risk rather than managing it.

What a board‑level GDPR report should include

  1. Current risk posture – High/medium/low risks explained plainly
  2. Key incidents and near misses – What happened and what the impact was
  3. Regulatory exposure – Investigations, complaints, deadlines
  4. Trends over time – Improving or deteriorating risk
  5. Actions and ownership – What’s being done and by whom

What it should avoid

  • Long policy extracts
  • Legal commentary without context
  • Raw logs or spreadsheets

Evidence of effective oversight

  • Consistent reporting format
  • Clear decision points
  • Follow‑up on agreed actions