Organisation Questionnaire

Welcome to the Audit Form. Please try to provide as much detail as possible to each question where there is a text entry field. We would like to build as accurate a picture of your business to enable us to give the best advice and recommendations.

The completion of this form should help us to begin to map the data flow in your organisation. We can then show locations, type and data sharing. At the same time we will ask questions that will help us build a picture of your processes to see how they fit with compliance to the legislation.

Note: many of the questions in this form are conditional where a 'yes' answer will open a new dialogue box for further information.

Business Details

Please fill in your information below.

This includes company officers.
Please list your primary website and any others you wish us to initially examine. Note that websites that are sub-companies, client or do not reflect the primary business activities used on the rest of this form cannot, and should not, be analysed. These will need their own form and assessment.

Business Address

Street Address, Company Name etc.
Unit, Building, Floor etc.
If your registered business address differs to your currently inputted one, please tell us.

Data Controlling & Processing

Do you hold personally identifiable information (PII) about people? This would be names, addresses, IP address, email etc. If you hold information and use it to conduct your business then you are a data controller.
Do you process information on behalf of someone else? If you process but do not use the information in any other business manner except to process on behalf of then you are a data controller.



Office Communication Systems

This is where you have no exchange, computer based or VOIP system. Or use a single line.




If answered as "Yes", there will be a later form to fill for details.

Third Party Connections

Data Access

Direct Marketing

Direct marketing is likely to be one of the most contentious areas of the GDPR. It has already generated a number of articles and debates and is probably the area where data subjects will come into contact with the legislation in the first instance.

When filling out this section pay particular care to list all the types of marketing that you do or are likely to do in the future. This isn't just about mail campaigns. List your social media campaigns, advertising, direct marketing at conferences and events and the types of data you disseminate or request with each type of campaign or activity.


In this section you will fill in the monitoring systems that you may use. Try to think of both the software systems and hardware systems that you use as this is the basis of a threat analysis.

Archiving and Backups

In this section we will try to list all of the backup and archiving that you do in your organisation. Note that we should show the type, location and data type when giving details (i.e. Financial Records, Paper, locked filing cabinet in office).

General Questions

In this section we are going to ask some general questions that will help us to build a picture of what processes and business practices you follow.

As with the data questions it is useful to be as comprehensive as possible so that we can build an accurate understanding and give appropriate advice and recommendations.

How do you collect personal data? Do you always ask for the data or do you collect it from publically available information. List the sources that you collect from and what you collect.
Do you obtain consent? Please let us know how you obtain consent and what text you use. Let us know if there are different levels of consent or if anything is collected without asking for permission.
How long do you keep the data for? Do you have a process for the removal of data at set times. Tell us the types of data and the conditions for length of storage and cleaning of systems. Think about your archival and backup processes here and include paper as well as electronic and the locations of archive material.
Do you use anonymisation or pseudoanonymisation (where identifiable data is removed and replaced with a token or identifier to substitute personal details). How is this achieved? To which data?
Think about the data sources you have listed above and on the Servers page. Who has access to the different parts of the data? Who can get access to the machines and paper locations? List everyone and all levels of access.
The GDPR lists several special categories of personal data: racial or ethnic origin, political opinion, religious or philosophical belief, trade union membership, genetic data, biometric data that can uniquely identify, health data, sex life or sexual orientation. All medical and social data (counselling services etc.). Criminal or legal records.
Do you pass any data into or out of the EU? Do you pass data across other borders including to 3rd party processors? List all of these occurances.
Do you have a process in place for responding to requests for data access? Have you done any staff training?
Do you have a privacy policy in place? Do you need to update it to fit in with the GDPR?
Do you have written staff procedures that are documented?
If you are a Data Processor have you updated all your mandatory contracts to be in line with Article 28?
Have all your data processors provided you with mandatory contracts that outline their compliance with the GDPR

ICO (UK Companies only)

The Information Commissioners Office is the governing governmental body that controls the implementation and code of conduct for the GDPR and data protection legislation in the United Kingdom.

In order for us to provide a complete service we will ask about your relationship with the ICO.

The ICO requires registration for all Data Controllers in the UK, this is particularly true of anyone who handles sensitive data unless they have an exception. If you hold or process any personal details you must be registered.
The ICO have a generalised self-assessment form on their website that will give some advice based on a conditional set of questions. With your permission Shadowcat Systems will complete this for you and then deliver the full report and specific advice based on that report targeted to your business. This will compliment the report from our own audit.

Your Staff

In order for us to properly assess the data locations and flow we will need to collect data from your staff. When you have filled the first form, you should give the employees a designated number to anonymously identify them with, which will be used in the Individual Employee Data form.

Note that we will not be collecting their personal details and therefore it is up to you to identify them by their number. This is to allow pseudo-anonymisation as it is data we do not need but you do.


Shadowcat will store the information in a database and with you via email. Three months from the completion of any contract we will delete all data except that which is required for legal processing under UK Law. This will include financial transactions as part of accountancy but should not need to contain any personal information.

Shadowcat will only use the data collected here for conducting an audit of your company and its data management. You can access and alter any part of the data we have about you at any time.

Shadowcat will accept no legal liability for your compliance to any legislation. This process is intended to aid you into assessing the changes you must consider to become compliant. The legislation requires companies to individually assess themselves and to make the best judgements based on that assessment. We will offer recommendations and advice to guide and inform. These do not compose any indemnity or insurance

Shadowcat provide the legal information as taken directly from the GDPR and from the ICO and other Government bodies in the UK. There may be further information available if you are part of an NGO or trade organisation that you may find appropriate.

Legal information is not the same as legal advice and no claim is made to make this. Shadowcat may advise that after viewing their report and recommendations you consult with a legal expert based on the audit. Do not rely on this audit which concerns an analysis of your company status as a document of legal advice or a particular legal understanding.