What is the Privacy Automation Ops Readiness Checklist?
The Privacy Automation Ops Readiness Checklist is a structured self-assessment developed jointly by PrivaLex and Responsum to help organisations identify the gap between having a compliance programme and being able to prove it.
GDPR compliance is not a one-time project. Policies can exist, intentions can be good, and yet the governance decisions, documented workflows and evidence trails that make compliance real and defensible may be incomplete or inconsistently maintained. This checklist surfaces exactly that gap, and tells you what to do about it.
The assessment covers five operational domains: governance and accountability, records and risk assessments, training and awareness, data subject rights, and vendor management. Each domain maps directly to core GDPR obligations under Articles 5(2), 30, 35, 12–22 and 28. Answers are scored on a 0–2 scale, producing two sub-scores, a Governance Score and an Operations Score, whose combination generates a tailored set of recommendations.
What does the checklist evaluate?
The checklist asks 25 questions across five sections, designed to reflect how compliance works in practice, not just on paper.
Section I, Governance and Accountability, examines whether your organisation has formally designated a DPO or responsible person, distributed accountability across departments, documented its governance model and embedded privacy by design into new product and system launches.
Section II, Records and Risk Assessments, evaluates whether your Record of Processing Activities reflects what you actually do, whether every processing activity has a documented legal basis with a written rationale, and whether DPIAs and Legitimate Interests Assessments are conducted, methodologically sound and kept current.
Section III, Training and Awareness, assesses whether data protection training reaches all relevant staff before they handle personal data independently, whether it is role-specific for functions with heightened responsibilities, and whether completion is tracked per individual and documented in a way that could be produced to a regulator on request. For organisations operating in Spain, this section also addresses eligibility for FUNDAE public funding.
Section IV, Data Subject Rights, evaluates your intake process for DSRs across all channels, your ability to log, track and consistently meet the one-month response deadline under Article 12(3), and whether you maintain a complete record of every request, including those refused and the grounds for refusal.
Section V, Vendor Management, examines whether you have a complete processor inventory, signed and current DPAs that meet Article 28 requirements, a pre-engagement assessment process for new vendors, and an active process for monitoring sub-processor changes.
How the scoring works
Each of the 25 questions is scored from 0 (not implemented) to 2 (fully implemented, documented and maintained). Sections I, II and III (15 questions) contribute to a Governance Score out of 30. Sections IV and V (10 questions) contribute to an Operations Score out of 20. Your recommendations are drawn from the combination of both scores, not a single aggregate total, because governance gaps and operational gaps require different responses.
Why PrivaLex and Responsum developed this together
PrivaLex provides the governance and accountability layer: defining legal bases, conducting DPIAs and LIAs, reviewing processor contracts, designing governance models and providing the expert DPO oversight set out in Articles 37–39.
Responsum provides the operational and technology layer: turning compliance decisions into live, automated workflows, a maintained RoPA linked to assessments, automated DSR deadline tracking, vendor DPA monitoring, training delivery with individual completion records and real-time compliance dashboards.
Making the right governance decision is not enough if it is never documented. Documenting a decision is not enough if it is not maintained, monitored or evidenced over time. PrivaLex provides the decisions. Responsum makes them run and makes them provable.
Who this checklist is for
This checklist is designed for DPOs, compliance and legal teams, operations leads, and senior management in organisations that have already begun their GDPR compliance journey and want an honest view of where they stand. It is equally relevant for organisations preparing for a regulatory inquiry, an internal audit, or a certification process such as ISO 27701.
FAQs
What is the GDPR Compliance Readiness Assessment?
It is the Privacy Automation Ops Readiness Checklist: a structured self-assessment developed jointly by PrivaLex and Responsum to help organisations evaluate their GDPR operational maturity across five domains: governance and accountability, records and risk assessments, training and awareness, data subject rights, and vendor management. It produces two scores, Governance and Operations, and a tailored set of recommendations based on their combination.
Who should complete this assessment?
It is designed for DPOs, compliance and legal teams, operations leads and senior management in organisations that have already begun their GDPR compliance journey. It is equally useful for teams preparing for a regulatory inquiry, an internal audit, or a certification process such as ISO 27701.
How long does it take to complete?
The assessment contains 25 questions across five sections. Most organisations complete it in 15 to 20 minutes.
Is this a formal compliance audit?
No. The assessment provides an indicative overview based on your responses and is for informational purposes only. It does not constitute a formal compliance determination. For a comprehensive evaluation of your GDPR programme, contact PrivaLex for a no-obligation readiness review.
What do the scores mean?
Your Governance Score (out of 30) reflects the quality and completeness of your accountability structures, risk assessments and training programme. Your Operations Score (out of 20) reflects how well your day-to-day compliance processes (DSR handling and vendor management) are running and generating evidence. Recommendations are drawn from the combination of both, because governance gaps and operational gaps require different responses.
What is the difference between PrivaLex and Responsum in this context?
PrivaLex provides the governance and accountability layer: defining legal bases, conducting DPIAs and LIAs, reviewing processor contracts and providing expert DPO oversight under Articles 37–39. Responsum provides the operational and technology layer: translating compliance decisions into automated workflows, live records, DSR tracking, vendor monitoring and real-time compliance dashboards. Together they cover both what your programme decides and whether those decisions are documented, maintained and provable.
Can I use this checklist if my organisation is not based in Spain?
Yes. The assessment applies to any organisation subject to the GDPR regardless of location. The only Spain-specific element is question 15, which addresses eligibility for FUNDAE public funding for training programmes. Organisations outside Spain can answer that question as not applicable without affecting the validity of the rest of their results.
Next Steps
This assessment provides an indicative overview based on your responses. It is for informational purposes only and does not constitute a formal compliance determination. For a comprehensive evaluation of your GDPR programme, contact PrivaLex for a no-obligation readiness review.
