This form can be used to ensure all relevant issues are addressed. It will automatically be sent to GDP Armour.

Please answer the questions to the best of your knowledge, but don’t worry if you can’t answer accurately or need advice and assistance to do so.


Name and Job Title
Note: if 'yes' we must notify the other organisation immediately.
If 'yes' investigate as per 'Response Plan' in Data Breach Policy. If 'no' consider recording in Data Breach Log as a 'near miss'. If 'not sure' investigate further to determine.


To be completed once investigation completed
e.g. email system, manual file, data on server or computer, etc.
Note: those marked '(S)' are sensitive personal data.
i.e. could it be discovered by a member of the public from available resources?
Note: if 'yes' then action must be taken to report to Information Commissioner's Office within 72 hours of when we became aware of the breach. Serious breaches should be reported to the ICO’s security breach helpline on 0303 123 1113 (open Monday to Friday 9am to 5pm). Select option 3 to speak to ICO staff who will be able to assist. Alternatively, notification should be in writing to ‘’ or by post to the ICO at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Note: if 'yes' then action must be taken to report what has happened to the data subject/s themselves and provide any suitable advice they can follow to minimise this risk. See 'Informing Data Subjects' in the Data Breach Policy.



Record Keeping

Privacy Notice
Some of the data we collect as part of this questionnaire will constitute personal data and as such falls under the General Data Protection Regulation. For the purposes of this fact-finding process, the data we collect is controlled by GDP Armour (the Data Controller). We will only process this information for the purpose of completing our audit process and to provide advice to our Clients on the categories of data they hold, the purposes for the data being collected, how data flows through their organisation, which categories of employees or workers have access and how data is stored and kept secure.

These purposes are justified under Article 6(1)(f) of the GDPR: they are necessary for our legitimate interests, namely that we produce a comprehensive study of data flows in the course of advising our clients. The data we collect as part of this form will be stored and processed only for as long as it takes to produce a report for our client, which we call an Information Asset Register. No part of this report contains personal information.

Data is stored with our secure cloud hosts, on secure servers in Europe, and in Europe and the US. We also store data on company IT systems which are encrypted and password protected. If the purpose for processing any part of this data changes we will notify you in writing.

Under the GDPR data subjects are entitled to certain rights, including the right to erasure, objection, rectification, restriction and to access the data we hold about you. We will not interfere with these rights unless we have a legal basis for doing so. All subject access requests should be directed to our chief data officer, David Charity, at, and will be completed within one month. You also have the right to lodge a complaint with the Information Commissioner’s Office – please visit for more information.