You’ve been directed to this form as part of an important fact-finding mission… We’re working with your employer to help them review what kinds of personal data flow through their organisation, who has access and what kinds of risks might be attached. It’s important you fill this form out fully and to the best of your knowledge. This process will form part of our data audit and guide steps to comply with the data protection laws, so please be aware that any attempt to hide information could leave your employer liable for serious legal repercussions, and may be dealt with as a disciplinary matter. If you’d like to learn more about the General Data Protection Regulation, feel free to browse the rest of our site before continuing, or see the Information Commissioner’s Office guidance at www.ico.org.uk.
Before you proceed
Some questions below may seem a little odd, but they’re all part of the process of ensuring that personal data continues to be processed within the law. If you’re concerned that your working methods may be non-compliant: don’t panic, just be honest – this whole process is to work out what is going on within the organisation, to map data flows and change practices where appropriate.
Some of the data we collect as part of this questionnaire will constitute personal data and as such falls under the General Data Protection Regulation. For the purposes of this fact-finding process, the data we collect is controlled by GDP Armour (the Data Controller). We will only process this information for the purpose of completing our audit process and to provide advice to our clients on the categories of data they hold, the purposes for the data being collected, how data flows through their organisation, which categories of employees or workers have access and how data is stored and kept secure. These purposes are justified under Article 6(1)(f) of the GDPR, in that they are necessary for our legitimate interests, namely that we produce a comprehensive study of data flows in the course of advising our clients.
The data we collect as part of this form will be stored and processed only for as long as it takes to produce a report for our client, which we call an Information Asset Register. No part of this report contains any actual personal information. Data is stored with our secure cloud hosts, FastHosts.co.uk on secure servers in Europe, and Dropbox.com in Europe and the US. We also store data on company IT systems which are encrypted and password protected.
As part of this process we may pass the data we collect on to your employer, who for the purpose of this exercise will be a Joint Controller. If you wish to make a disclosure to us in confidence, please email firstname.lastname@example.org. If the purpose for processing any part of this data changes, we will notify you in writing.
Under the GDPR you are entitled to certain rights, including the right to erasure, objection, rectification, restriction and to access the data we hold about you. All Subject Access Requests should be directed to our chief data officer, David Charity, at email@example.com, and will be completed within one month.
You also have the right to lodge a complaint with the Information Commissioner’s Office – please visit www.ico.gov for more information.