
Company Name
Factotum Ltd

Questionnaire completed by
Graham Abbey (Managing Director)

Date Completed
11/5/2018

Is your organisation aware of the changes to data protection law under GDPR and how it will impact your business?
Yes, Factotum Ltd have already made the relevant changes to our policies and procedures.

Have you undertaken formal gap analysis / an information audit against requirements under GDPR?
Yes

Have you initiated a project to achieve GDPR Compliance?
Yes

Do you expect to be compliant with GDPR by 25 May 2018?
Yes

Have you appointed / will you appoint a Data Protection Officer?
Yes (Graham Abbey)

Do you have a training program in place to ensure all relevant staff are aware of GDPR requirements prior to May 25 2018?
Yes (ongoing)

Have you created a record of your processing of personal data?
Yes

Please detail the personal data that your service or product collects, stores, processes or has access to.
Factotum Ltd processes and retains details within our Call Handling database, including but not limited to, client name, company name, company contact details (address, email address and phone number/s), contact details (phone number/s and email address) of company personnel, clients' bank details (bank, sort code and account number) and DoB. When taking calls on behalf of our clients Factotum Ltd processes and retains the following details, including but not limited to: customer name, telephone number/s, email address, address and any message. When taking card payments from both clients, and clients' customers, Factotum Ltd has access to but does not document or retain any credit card information.

Do you intend to revise your Privacy Notice?
This has been done. A separate email will be sent shortly documenting our new Privacy Policy requesting that you read and sign your agreement.

Do you have a privacy notice on your website?
The privacy notice will be posted on our website prior to the GDPR “Go Live” date of 25th May 2018 – www.ukfactotum.com/PrivacyPolicy

Do you have policies and procedures in place to comply with a data subject’s rights including their rights: to be informed; to access; to rectification; to erasure; to data portability; to object to direct marketing?
Yes

Do you transfer personal data outside of the EU?
No

If so, what steps have you taken to ensure GDPR Compliance?
N/A

Do you have a documented process for storing data and retaining it in line with GDPR requirements?
Yes. All data is stored on our secure servers and located behind our company firewall. We utilise a secure Call Handling database.

Has your organisation considered the GDPR Data Minimisation principle and reflected this in your relevant data retention policies?
Yes. Data held within our Call Handling database is “flushed” monthly with data over 12 months being deleted.

Do you encrypt personal data when you transfer it to 3rd parties?
Messages from our Call Handling database are not routinely encrypted. Personal data including Direct Debit and Payroll information is encrypted prior to being transferred.

Please describe how data that is transmitted is protected.
Encrypted

Have you documented your data breach notification procedures to meet GDPR requirements, and have all relevant staff been given adequate training in this?
Yes. A copy is available on-line at www.ukfactotum.com/FactotumGDPR_Breach_Policy

Have you had any data breaches or large-scale data losses in the last 12 months?
No

CONTACT US
Factotum Limited
6 The Old Railway Station
Green Road
Newmarket
Suffolk
CB8 9WT
SUPPORTED BY
In order to support our continued growth Factotum received a grant through the New Anglia Small Grant Scheme, which is part funded by the European Regional Development Fund.