Factotum Ltd

GDPR Client / Supplier Questionnaire


General Information


Company NameFactotum Ltd
Questionnaire completed byDavid Hollis (Call Handling Manager)
Date Completed11/5/2018


GDPR Awareness and Readiness


Is your organisation aware of the changes to data protection law under GDPR and how it will impact your business?Yes, Factotum Ltd have already made the relevant changes to our policies and procedures.
Have you undertaken formal gap analysis / an information audit against requirements under GDPR?Yes.
Have you initiated a project to achieve GDPR Compliance?Yes.
Do you expect to be compliant with GDPR by 25 May 2018?Yes.


Staff Involvement and Awareness


Have you appointed / will you appoint a Data Protection Officer?Yes (David Hollis).
Do you have a training program in place to ensure all relevant staff are aware of GDPR requirements prior to May 25 2018?Yes.


Data Governance


Have you created a record of your processing of personal data?Yes.
Please detail the personal data that your service or product collects, stores, processes or has access to.

Factotum Ltd processes and retains details within our Call Handling database, including but not limited to, client name, company name, company contact details (address, email address and phone number/s), contact details (phone number/s and email address) of company personnel, clients bank details (bank, sort code and account number) and DoB.


When taking calls on behalf of our clients Factotum Ltd process and retain the following details, including but not limited to: customer name, telephone number/s, email address, address and any message.


When taking card payments from both clients, and clients customers, Factotum Ltd has access to but does not document or retain any credit card information.


Fair Processing and Privacy Notice


Do you intend to revise your Privacy Notice?This has been done. A separate email will be sent shortly documenting our new Privacy Policy requesting that you read and sign your agreement.
Do you have a privacy notice on your website?The privacy notice will be posted on our website prior to the GDPR “Go Live” date of 25th May 2018 – ukfactotum.com/privacy-policy


Data Subject Rights


Do you have policies and procedures in place to comply with a data subject’s rights including their rights: to be informed; to access; to rectification; to erasure; to data portability; to object to direct marketing.Yes.



Data Transmission and Data Residency


Do you transfer personal data outside of the EU?No.
If so, what steps have you taken to ensure GDPR Compliance?N/A
Do you have a documented process for storing data and retaining it in line with GDPR requirements?Yes. All data is stored on our secure servers and located behind our company firewall. We utilise a secure Call Handling database.
Has your organisation considered the GDPR Data Minimisation principle and reflected this in your relevant data retention policies?Yes. Data held within our Call Handling database is “flushed” monthly with data over 12 months being deleted.
Do you encrypt personal data when you transfer it to 3rd parties?Messages from our Call Handling database are not routinely encrypted. Personal data including Direct Debit and Payroll information is encrypted prior to being transferred.
Please describe how data that is transmitted is protected.Encrypted.


Data Breach


Have you documented your data breach notification procedures to meet GDPR requirements, and have all relevant staff been given adequate training in this?Yes. A copy is available on-line at ukfactotum.com/FactotumGDPR_Breach_Policy
Have you had any data breaches or large-scale data losses in the last 12 months?No.