Welcome!

You have been linked to this page to provide us with an overview of your organisation’s data activities (as part of our due diligence). This will kick-start our assessment of your current Data Protection compliance, and enable us to build the assets that will make your organisation GDPR compliant.

Please answer the questions to the best of your knowledge, but don’t worry if you can’t answer accurately or need advice and assistance to do so; we can deal with any snagging issues later.


How many employees, including contractors or other workers, does the organisation typically engage at any given time?
For example, include any central IT system, CRM, financial accounting package, HR records, hard copy filing systems.
Remember that personal data includes anything which could be used to identify a person, either directly or indirectly, or which could be combined with other data to reveal private information about them.
These types of data are known as 'special categories' of sensitive data and must be subject to extra protections. Unless you can provide a strong justification for recording them you will likely be required to stop processing them.
If you can, please give details of how this data is organised, where it could be found and different forms you use.
This question refers to any 'Controller-Processor' relationships where you provide data to a third party under strict limitations, to provide a specific service. We will need to adjust your agreed terms with any of these providers.
This question relates to any data sharing relationship where you may be the 'Processor' and a third party is the Controller.
Please include the name and location of the third-party, the nature of the service they provide and the kinds of data you transfer to them. Guidance Note: you should include any cloud hosting, social networking, call centre, or IT service provider when answering this question. Transfers abroad are absolutely legal, but may require extra safeguards.
DPIAs are required for any changes to systems or technologies, so you need to inform us of any systems you have changed recently or have plans in motion to change in the near future. Examples of such technologies could include profiling, credit scoring, monitoring location or communications.
Alternatively, please email copies of employment and contractor agreements to info@gdparmour.co.uk
Does the organisation allow staff to use their own devices for work? If so, do you have any security measures in place to ensure personal data held on these devices remains within your control and can be remotely deleted? Please detail these measures and any other security measures which may be embedded in your systems.
Please provide details of any efforts to periodically: cull your data, delete old marketing leads or inactive customers, delete the data of past employees or any other categories of data that relates to an individual.
If there is any other information about the personal data you process you feel is pertinent but has not been covered, please make any notes you wish here.

Privacy Notice
Some of the data we collect as part of this questionnaire will constitute personal data and as such falls under the General Data Protection Regulation. For the purposes of this fact-finding process, the data we collect is controlled by GDP Armour (the Data Controller).

We will only process this information for the purpose of completing our audit process and to provide advice to our Clients on the categories of data they hold, the purposes for the data being collected, how data flows through their organisation, which categories of employees or workers have access and how data is stored and kept secure. These purposes are justified under Article 6(1)(f) of the GDPR: they are necessary for our legitimate interests, namely that we produce a comprehensive study of data flows in the course of advising our clients.

The data we collect as part of this form will be stored and processed only for as long as it takes to produce a report for our client, which we call an Information Asset Register. No part of this report contains personal information. Data is stored with our secure cloud hosts, FastHosts.co.uk on secure servers in Europe, and Dropbox.com in Europe and the US. We also store data on company IT systems which are encrypted and password protected. If the purpose for processing any part of this data changes, we will notify you in writing.

Under the GDPR, data subjects are entitled to certain rights, including the right to erasure, objection, rectification, restriction and to access the data we hold about you. We will not interfere with these rights unless we have a legal basis for doing so. All subject access requests should be directed to our chief data officer, David Charity, at info@gdparmour.co.uk, and will be completed within one month. You also have the right to lodge a complaint with the Information Commissioner’s Office – please visit www.ico.gov for more information.