Web Site Organisation Questionnaire

Welcome to the Audit Form. Please provide as much detail as possible for each question that has a text entry field. We would like to build as accurate a picture of your business as possible so that we can give the best advice and recommendations. Completing this form should help us begin to map the data flow in your organisation; we can then show locations, types of data and data sharing. At the same time we will ask questions that help us build a picture of your processes, to see how they fit with compliance with the legislation.

Note: many of the questions in this form are conditional; a 'yes' answer opens a new dialogue box for further information. Questions marked * are required, and (Yes/No) marks a question that takes a yes-or-no answer.

Business Details
Please fill in your information below.
Name of Business *
Primary Phone *
Primary Email *
Trading Sector *
Are you Business to Business (B2B)? * (Yes/No)
Are you Business to Consumer (B2C)? * (Yes/No)
Total Number of Employees *
This includes company officers.
Are any employees EU citizens or residing in the EU? * (Yes/No)
Website Address *
Please list your primary website and any others you wish us to examine initially. Note that websites belonging to sub-companies or clients, or that do not reflect the primary business activities described on the rest of this form, cannot and should not be analysed here; they will need their own form and assessment.

Business Address
Address Line 1 * (Street Address, Company Name etc.)
Address Line 2 (Unit, Building, Floor etc.)
City *
State/Province/Region *
Postal Code *
Country *
Different Registered Business Address * (Yes/No)
If your registered business address differs from the one entered above, please tell us.

Data Controlling & Processing
Are you a Data Controller? * (Yes/No)
Do you hold personally identifiable information (PII) about people? This would be names, addresses, IP addresses, email addresses etc. If you hold such information and use it to conduct your business, then you are a data controller.
Are you a Data Processor? * (Yes/No)
Do you process information on behalf of someone else? If you process the information but do not use it in any other business manner except to process it on behalf of that party, then you are a data processor.

Databases
Do you have a Database? * (Yes/No)

Hardware
Do you have an office desktop/laptop? * (Yes/No)

Office Communication Systems
Do you use an office telephone, or have a home phone that is used for the company? * (Yes/No)
This is where you have no exchange, computer-based or VOIP system, or use a single line.
Do you have a central phone service with a call dialling facility? * (Yes/No)
Do you have (a) company mobile phone(s)? * (Yes/No)
Do you have a company email system? * (Yes/No)
Do you have a company ticket system? * (Yes/No)

Servers
Do you have (an) office server(s)? * (Yes/No)

Physical/Paper
Do you hold physical/paper records of data? * (Yes/No)

Software
Do you have a mailing list? * (Yes/No)
Do you use a CMS? * (Yes/No)
Do you use Cloud services? * (Yes/No)
If answered "Yes", there will be a later form to fill in for details.

Third Party Connections
Do you share any data with a 3rd party processor? * (Yes/No)

Data Access
Do you allow customers, clients or others to log on to your system? * (Yes/No)
Can they access the data you store about them? * (Yes/No)
Can they request a change? * (Yes/No)
Can they request that it is deleted? * (Yes/No)

Direct Marketing
Direct marketing is likely to be one of the most contentious areas of the GDPR. It has already generated a number of articles and debates, and is probably the area where data subjects will first come into contact with the legislation. When filling out this section, take particular care to list all the types of marketing that you do or are likely to do in the future. This isn't just about mail campaigns: list your social media campaigns, advertising, direct marketing at conferences and events, and the types of data you disseminate or request with each type of campaign or activity.
Do you do direct marketing? * (Yes/No)

Monitoring
In this section you will fill in the monitoring systems that you may use. Try to think of both the software systems and the hardware systems that you use, as this is the basis of a threat analysis.
Do you monitor your desktops? * (Yes/No)
Do you monitor your servers? * (Yes/No)
Do you monitor your phones? * (Yes/No)
Do you use threat detection systems? * (Yes/No)

Archiving and Backups
In this section we will try to list all of the backup and archiving that you do in your organisation. Note that the details should give the type, location and data type (e.g. financial records, paper, locked filing cabinet in office).
Do you use automated backups? * (Yes/No)
Do you use automated archives? * (Yes/No)
Do you use an archival system for paper and/or digital information? * (Yes/No)
Do you have a written procedure for archival and backups? * (Yes/No)
Do you have a procedure in your staff handbook? * (Yes/No)
Is archive or backup data shared with any 3rd party? * (Yes/No)

General Questions
In this section we are going to ask some general questions that will help us build a picture of the processes and business practices you follow. As with the data questions, it is useful to be as comprehensive as possible so that we can build an accurate understanding and give appropriate advice and recommendations.
Personal Data Collection *
How do you collect personal data? Do you always ask for the data, or do you collect it from publicly available information? List the sources that you collect from and what you collect.
Did you obtain consent *
Do you obtain consent? Please let us know how you obtain consent and what text you use. Let us know if there are different levels of consent, or if anything is collected without asking for permission.
Data Storage Time *
How long do you keep the data for? Do you have a process for the removal of data at set times? Tell us the types of data and the conditions for the length of storage and the cleaning of systems. Think about your archival and backup processes here, and include paper as well as electronic records and the locations of archive material.
Pseudonymisation *
Do you use anonymisation or pseudonymisation (where identifiable data is removed and replaced with a token or identifier that substitutes for the personal details)? How is this achieved, and to which data is it applied?
Access to Data *
Think about the data sources you have listed above and on the Servers page. Who has access to the different parts of the data? Who can get access to the machines and the paper locations? List everyone and all levels of access.
Do you store any of the Special Categories *
The GDPR lists several special categories of personal data: racial or ethnic origin, political opinion, religious or philosophical belief, trade union membership, genetic data, biometric data that can uniquely identify a person, health data, and sex life or sexual orientation. Also list all medical and social data (counselling services etc.) and criminal or legal records.
Cross Border Data *
Do you pass any data into or out of the EU? Do you pass data across other borders, including to 3rd party processors? List all of these occurrences.
Data Requests *
Do you have a process in place for responding to requests for data access? Have you done any staff training?
Privacy Policy *
Do you have a privacy policy in place? Do you need to update it to fit in with the GDPR?
Internal Procedures *
Do you have written staff procedures that are documented?
Contracts * (Yes/No)
If you are a Data Processor, have you updated all your mandatory contracts to be in line with Article 28?
Data Processors * (Yes/No)
Have all your data processors provided you with mandatory contracts that outline their compliance with the GDPR?

ICO (UK Companies only)
The Information Commissioner's Office is the governmental body that controls the implementation and code of conduct for the GDPR and data protection legislation in the United Kingdom. In order for us to provide a complete service we will ask about your relationship with the ICO.
Are you registered with the ICO? * (Yes/No)
The ICO requires registration for all Data Controllers in the UK; this is particularly true of anyone who handles sensitive data, unless they have an exemption. If you hold or process any personal details you must be registered.
Do you consent to us running the ICO self-assessment on your behalf? * (Yes/No)
The ICO has a generalised self-assessment form on its website that gives some advice based on a conditional set of questions. With your permission, Shadowcat Systems will complete this for you and then deliver the full report and specific advice based on that report, targeted to your business. This will complement the report from our own audit.

Your Staff
In order for us to properly assess the data locations and flow we will need to collect data from your staff. When you have filled in the first form, you should give each employee a designated number to identify them anonymously; this number will be used in the Individual Employee Data form. Note that we will not be collecting their personal details, so it is up to you to identify them by their number. This allows pseudonymisation, as this is data we do not need but you do.

Notes
Shadowcat will store the information in a database and in email correspondence with you. Three months from the completion of any contract we will delete all data except that which is required for legal processing under UK law. This will include financial transactions as part of accountancy, but should not need to contain any personal information. Shadowcat will only use the data collected here for conducting an audit of your company and its data management. You can access and alter any part of the data we have about you at any time.

Shadowcat will accept no legal liability for your compliance with any legislation. This process is intended to aid you in assessing the changes you must consider in order to become compliant. The legislation requires companies to assess themselves individually and to make the best judgements based on that assessment. We will offer recommendations and advice to guide and inform; these do not constitute any indemnity or insurance.

Shadowcat provides the legal information as taken directly from the GDPR and from the ICO and other Government bodies in the UK. There may be further information available if you are part of an NGO or trade organisation, which you may find appropriate. Legal information is not the same as legal advice, and no claim is made to provide the latter. Shadowcat may advise that, after viewing the report and recommendations, you consult a legal expert based on the audit. Do not rely on this audit, which is an analysis of your company's status, as a document of legal advice or of a particular legal understanding.