Your DPO needs technical details. Your board needs a one-page summary. Your regulator needs a DPIA. Your annual report needs trend data. A single GDPR compliance report cannot serve all four audiences, and trying to make it do so is how organizations end up with documents that satisfy nobody.
Vakteye generates four report types, each built for a specific audience. Choosing the right one depends on who will read it and why.
The compliance report: your technical audit
The compliance report is the most detailed output. Every finding from the scan is listed with its evidence, confidence level, applicable GDPR articles, and specific remediation steps. Legal mappings tie each issue to the relevant regulation, whether that is ePrivacy Article 5(3) for cookies, GDPR Article 32 for security measures, or Article 44 for cross-border transfers.
- Audience: Data Protection Officer, legal team, IT security
- Use case: Internal audit, remediation planning, regulatory evidence
- Contents: All findings with evidence, legal article mappings, remediation guidance, forensic evidence references
- Typical length: 15–40 pages depending on the number of findings
- Legal basis: GDPR Article 24 (controller responsibility to demonstrate compliance)
This is the report you hand to the person who needs to fix the problems. It tells them exactly what's wrong, why it matters legally, and what to do about it. Every finding includes a confidence level (CERTAIN, FIRM, TENTATIVE, or UNVERIFIED) so your team can prioritize based on evidentiary strength.
The DPIA: when processing is high-risk
A Data Protection Impact Assessment is not optional when your processing is likely to result in a high risk to individuals. GDPR Article 35 makes this a legal requirement, not a best practice.
Article 35(3) lists three scenarios where a DPIA is always required: systematic and extensive evaluation of personal aspects based on automated processing, including profiling, that produces legal or similarly significant effects; large-scale processing of special category data or data relating to criminal convictions; and large-scale systematic monitoring of a publicly accessible area. IMY, the Swedish supervisory authority, also publishes under Article 35(4) a list of processing operations that always require a DPIA in Sweden.
Vakteye's DPIA follows the structure required by Article 35(7): a systematic description of the processing and its purposes, an assessment of necessity and proportionality, an assessment of the risks to the rights and freedoms of data subjects, and the measures envisaged to address those risks. Scan results feed directly into the risk assessment. A cookie that is still set after the visitor rejects consent is not just a finding; it is evidence that the consent mechanism does not actually control the processing, which is a concrete risk to the data subject's ability to refuse or withdraw consent (Article 7) and bears directly on ePrivacy Article 5(3).
- Audience: DPO, submitted to IMY if prior consultation required under Article 36
- Use case: New processing activities, major changes to existing processing, high-risk processing
- Contents: Processing description, necessity assessment, risk assessment, mitigating measures, residual risk evaluation
- Typical length: 20–35 pages
- Legal basis: GDPR Article 35 (mandatory for high-risk processing)
If you process health data, run behavioral advertising, conduct large-scale profiling, or deploy systematic monitoring, you likely need a DPIA. If your scan reveals special category data collection or extensive tracking, Vakteye flags the DPIA requirement automatically. Treat the flag as a prompt to assess; whether Article 35 applies remains a judgment your DPO has to make and document.
The executive summary: board-level communication
Board members and C-suite executives don't need to know that your Content-Security-Policy header is missing a frame-ancestors directive. They need to know: Are we compliant? What's our risk? What does it cost to fix?
The executive summary distills the full compliance report into core metrics, risk categories, and a compliance status assessment. No technical jargon. No individual cookie listings. Just the information needed to make resource allocation decisions.
- Audience: C-suite, board members, management team
- Use case: Board reporting, management briefing, stakeholder communication
- Contents: Compliance status, risk summary by category, core metrics, trend data if available
- Typical length: 3–5 pages
- Legal basis: GDPR Article 5(2) (accountability, demonstrating compliance to governance bodies)
If your organization has a board reporting cycle, the executive summary slots in directly. It answers the questions every board asks: Where do we stand? What could go wrong? What should we budget for?
The annual assessment: accountability over time
GDPR Article 5(2) requires controllers to demonstrate compliance, not just achieve it once. The annual assessment aggregates data across all scans performed during the year to show compliance trends, remediation progress, and recurring issues.
- Audience: DPO, regulatory evidence, annual board report
- Use case: GDPR Article 5(2) accountability documentation, annual compliance review
- Contents: Year-over-year trend data, remediation tracking, scan-by-scan comparison, recurring issue identification
- Typical length: 10–20 pages
- Legal basis: GDPR Article 5(2) (accountability), Article 24 (appropriate measures to demonstrate compliance)
This is the document you produce when a regulator asks: "How do you ensure ongoing compliance?" It shows that you scan regularly, that you act on findings, and that your compliance posture improves over time.
When do you need each report?
It depends on the audience and timing.
- After every scan: Generate a compliance report. This is your baseline working document.
- Before launching new processing: Generate a DPIA if the processing involves profiling, special category data, monitoring, or other high-risk activities per Article 35.
- Quarterly or before board meetings: Generate an executive summary for management reporting.
- Annually: Generate an annual assessment for accountability documentation and regulatory readiness.
- Before a regulatory inspection: Have all four ready. The compliance report shows current state, the DPIA shows risk assessment, the executive summary shows governance engagement, and the annual assessment shows continuous improvement.
Prior consultation: when a DPIA is not enough
If your DPIA indicates that the processing would still result in a high risk after the measures you can take to mitigate it, that is, residual risk remains high, GDPR Article 36 requires prior consultation with your supervisory authority (IMY in Sweden). This means submitting your DPIA to the authority before the processing starts, and waiting for its written advice, which Article 36(2) gives the authority up to eight weeks (extendable by six) to provide.
Vakteye's DPIA includes an Article 36 assessment that evaluates whether prior consultation is triggered based on the residual risk level after mitigating measures are applied. This gives your DPO a documented basis for that judgment call.
A DPIA is not a one-time document. Article 35(11) requires the controller to review it, at least when the risk represented by the processing changes, to check that the processing is still being carried out in accordance with the assessment. If your website adds new trackers, new data collection forms, or new third-party integrations, the risk has changed and your DPIA needs updating.
Generate your first report
Run a scan and choose the report type that fits your needs. Compliance report, DPIA, executive summary, or annual assessment, all generated from the same scan data.